CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities (CVSS score between 3 and 3.99)

| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 751 | CVE-2021-24661 | 200 | | +Info | 2021-09-27 | 2021-10-01 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10, with Saved Templates Addon enabled, allows users with Contributor roles or higher to read password-protected or private post contents the user is otherwise unable to read, given the post ID. |
| 752 | CVE-2021-24660 | 79 | | XSS | 2021-09-27 | 2021-10-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10, with Saved Templates Addon enabled, allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the plugin's shortcode. |
| 753 | CVE-2021-24659 | 79 | | XSS | 2021-09-27 | 2021-10-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10 allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the plugin's block. |
| 754 | CVE-2021-24658 | 79 | | XSS | 2021-08-23 | 2021-08-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Erident Custom Login and Dashboard WordPress plugin before 3.5.9 did not properly sanitise its settings, allowing high privilege users to use XSS payloads in them (even when unfiltered_html is disabled). |
| 755 | CVE-2021-24656 | 79 | | XSS | 2021-10-11 | 2021-10-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Simple Social Media Share Buttons WordPress plugin before 3.2.4 does not escape the Share Title setting before outputting it in frontend pages or posts (depending on the settings used), allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 756 | CVE-2021-24654 | 79 | | XSS | 2021-10-04 | 2021-10-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The User Registration WordPress plugin before 2.0.2 does not properly sanitise the user_registration_profile_pic_url value when it is submitted directly via the user_registration_update_profile_details AJAX action. This could allow any authenticated user, such as a subscriber, to perform Stored Cross-Site Scripting attacks when their profile is viewed. |
| 757 | CVE-2021-24653 | 79 | | XSS | 2021-10-25 | 2021-10-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Cookie Bar WordPress plugin through 1.8.8 does not properly sanitise the Cookie Bar Message setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 758 | CVE-2021-24646 | 79 | | XSS | 2021-11-08 | 2021-11-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Booking.com Banner Creator WordPress plugin through 1.4.2 does not properly sanitize inputs when creating banners, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 759 | CVE-2021-24645 | 79 | | XSS | 2021-11-08 | 2021-11-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Booking.com Product Helper WordPress plugin through 1.0.1 does not sanitize and escape the Product Code when creating a Product Shortcode, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 760 | CVE-2021-24643 | 79 | | XSS | 2021-09-27 | 2021-10-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WP Map Block WordPress plugin before 1.2.3 does not escape some attributes of the WP Map Block, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. |
| 761 | CVE-2021-24640 | 79 | | XSS | 2021-09-20 | 2021-10-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WordPress Slider Block Gutenslider plugin before 5.2.0 does not escape the minWidth attribute of a Gutenberg block, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks. |
| 762 | CVE-2021-24637 | 79 | | XSS | 2021-09-20 | 2021-10-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Google Fonts Typography WordPress plugin before 3.0.3 does not escape and sanitise some of its block settings, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the blockType (combined with content), align, color, variant and fontID arguments of a Gutenberg block. |
| 763 | CVE-2021-24634 | 79 | | XSS | 2021-09-27 | 2021-10-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Recipe Card Blocks by WPZOOM WordPress plugin before 2.8.3 does not properly sanitise or escape some of the properties of the Recipe Card Block (such as ingredientsLayout, iconSet, steps, ingredients, recipeTitle, or settings), which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. |
| 764 | CVE-2021-24624 | 79 | | XSS | 2021-11-01 | 2021-11-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The MP3 Audio Player for Music, Radio & Podcast by Sonaar WordPress plugin before 2.4.2 does not properly sanitize or escape data in some of its Playlist settings, allowing high privilege users to perform Cross-Site Scripting attacks. |
| 765 | CVE-2021-24623 | 79 | | XSS | 2021-09-13 | 2021-09-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WordPress Advanced Ticket System, Elite Support Helpdesk WordPress plugin before 1.0.64 does not sanitize or escape form values before saving them to the database or when outputting them, which allows high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 766 | CVE-2021-24622 | 79 | | XSS | 2021-10-18 | 2021-10-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Customer Service Software & Support Ticket System WordPress plugin before 5.10.4 does not sanitize or escape form fields before outputting them in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 767 | CVE-2021-24621 | 79 | | XSS | 2021-09-13 | 2021-09-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WP Courses LMS WordPress plugin before 2.0.44 does not sanitise its Video Embed Code, allowing malicious code to be injected into it by high privilege users even when the unfiltered_html capability is disallowed, which could lead to Stored Cross-Site Scripting issues. |
| 768 | CVE-2021-24619 | 79 | | XSS | 2021-09-13 | 2021-09-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Per page add to head WordPress plugin through 1.4.4 does not properly sanitise one of its settings, allowing malicious HTML to be inserted by high privilege users even when the unfiltered_html capability is disallowed, which could lead to Cross-Site Scripting issues. |
| 769 | CVE-2021-24618 | 79 | | XSS CSRF | 2021-09-20 | 2021-10-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which results in Stored Cross-Site Scripting (XSS). Furthermore, the plugin also does not have any CSRF or capability checks in place when saving this setting, allowing any authenticated user (as low as subscriber), or an unauthenticated user via a CSRF vector, to update it and perform such an attack. |
| 770 | CVE-2021-24616 | 79 | | XSS | 2021-11-08 | 2021-11-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The AddToAny Share Buttons WordPress plugin before 1.7.48 does not escape its Image URL button setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 771 | CVE-2021-24614 | 79 | | XSS | 2021-09-13 | 2021-09-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Book appointment online WordPress plugin before 1.39 does not sanitise or escape Service Prices before outputting them in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 772 | CVE-2021-24613 | 79 | | XSS | 2021-09-20 | 2021-10-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Post Views Counter WordPress plugin before 1.3.5 does not sanitise or escape its Post Views Label settings, which could allow high privilege users to perform Cross-Site Scripting attacks in the frontend even when the unfiltered_html capability is disallowed. |
| 773 | CVE-2021-24612 | 79 | | +Priv XSS | 2021-10-18 | 2021-10-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Sociable WordPress plugin through 4.3.4.1 does not sanitise or escape some of its settings before outputting them in the admin dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfiltered_html capability is disallowed. |
| 774 | CVE-2021-24611 | 352 | | XSS CSRF | 2021-09-06 | 2021-09-13 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Keyword Meta WordPress plugin through 3.0 does not sanitise or escape its settings before outputting them back in the page after they are saved, allowing for Cross-Site Scripting issues. Furthermore, it also lacks any CSRF check, allowing an attacker to make a logged-in high privilege user save arbitrary settings via a CSRF attack. |
| 775 | CVE-2021-24610 | 79 | | XSS | 2021-09-27 | 2021-10-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The TranslatePress WordPress plugin before 2.0.9 does not implement proper sanitisation of the translated strings. The 'trp_sanitize_string' function only removes script tags with a regex, still allowing other HTML tags and attributes to execute JavaScript, which could lead to authenticated Stored Cross-Site Scripting issues. |
| 776 | CVE-2021-24609 | 79 | | XSS | 2021-09-20 | 2021-10-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WP Mapa Politico Espana WordPress plugin before 3.7.0 does not sanitise or escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 777 | CVE-2021-24608 | 79 | | XSS | 2021-10-25 | 2021-10-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form Labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 778 | CVE-2021-24607 | 79 | | XSS | 2021-11-08 | 2021-11-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Storefront Footer Text WordPress plugin through 1.0.1 does not sanitize and escape the "Footer Credit Text" added to pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 779 | CVE-2021-24605 | 79 | | XSS | 2021-09-13 | 2021-09-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The create_post_page AJAX action of the Custom Post View Generator WordPress plugin through 0.4.6 (available to authenticated users) does not sanitise or escape user input before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue. |
| 780 | CVE-2021-24604 | 79 | | XSS | 2021-09-20 | 2021-10-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Availability Calendar WordPress plugin before 1.2.2 does not sanitise or escape its Category Names before outputting them in the page/post where the associated shortcode is embedded, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 781 | CVE-2021-24603 | 79 | | XSS | 2021-09-06 | 2021-09-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Site Reviews WordPress plugin before 5.13.1 does not sanitise some of its Review Details when adding a review as an admin, which could allow them to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed. |
| 782 | CVE-2021-24601 | 79 | | XSS | 2021-09-06 | 2021-09-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WPFront Notification Bar WordPress plugin before 2.1.0.08087 does not properly sanitise and escape its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 783 | CVE-2021-24600 | 79 | | XSS | 2021-09-20 | 2021-10-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WP Dialog WordPress plugin through 1.2.5.5 does not sanitise and escape some of its settings before outputting them in pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 784 | CVE-2021-24598 | 79 | | XSS | 2021-11-17 | 2021-11-19 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Testimonial WordPress plugin before 1.6.0 does not escape some testimonial fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 785 | CVE-2021-24597 | 79 | | XSS | 2021-09-20 | 2021-10-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The You Shang WordPress plugin through 1.0.1 does not escape its qrcode links settings, which results in Stored Cross-Site Scripting issues in frontend posts and the plugin's settings page, depending on the payload used. |
| 786 | CVE-2021-24596 | 79 | | XSS | 2021-09-20 | 2021-10-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The youForms for WordPress plugin through 1.0.5 does not sanitise or escape the Button Text field of its Templates, allowing high privilege users (editors and admins) to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 787 | CVE-2021-24594 | 79 | | XSS | 2021-11-08 | 2021-11-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Translate WordPress – Google Language Translator WordPress plugin before 6.0.12 does not sanitise and escape some of its settings before outputting them in various pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 788 | CVE-2021-24593 | 79 | | XSS | 2021-08-30 | 2021-09-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Business Hours Indicator WordPress plugin before 2.3.5 does not sanitise or escape its "Now closed message" setting when outputting it in the backend and frontend, leading to an Authenticated Stored Cross-Site Scripting issue. |
| 789 | CVE-2021-24592 | 79 | | XSS | 2021-08-30 | 2021-09-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Sitewide Notice WP WordPress plugin before 2.3 does not sanitise some of its settings before outputting them in frontend pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 790 | CVE-2021-24591 | 79 | | XSS | 2021-09-06 | 2021-09-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Highlight WordPress plugin before 0.9.3 does not sanitise its CustomCSS setting, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 791 | CVE-2021-24590 | 79 | | XSS | 2021-09-06 | 2021-09-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Cookie Notice & Consent Banner for GDPR & CCPA Compliance WordPress plugin before 1.7.2 does not properly sanitize inputs to prevent injection of arbitrary HTML within the plugin's design customization options. |
| 792 | CVE-2021-24587 | 79 | | XSS | 2021-09-20 | 2021-09-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Splash Header WordPress plugin before 1.20.8 does not sanitise and escape some of its settings when outputting them in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue. |
| 793 | CVE-2021-24584 | 284 | | XSS CSRF | 2021-09-20 | 2021-10-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update arbitrary timeslots from any event. Furthermore, no CSRF check is in place either, allowing such an attack to be performed via CSRF against a logged-in user with that capability. In versions before 2.3.19, the lack of sanitisation and escaping in some of the fields, like the description, could also lead to Stored XSS issues. |
| 794 | CVE-2021-24582 | 79 | | XSS | 2021-09-20 | 2021-09-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The ThinkTwit WordPress plugin before 1.7.1 did not sanitise or escape its "Consumer key" setting before outputting it in its settings page, leading to a Stored Cross-Site Scripting issue. |
| 795 | CVE-2021-24577 | 79 | | XSS | 2021-10-11 | 2021-10-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not properly sanitize inputs submitted by authenticated users when adding or modifying coming soon or maintenance mode pages, leading to stored XSS. |
| 796 | CVE-2021-24576 | 79 | | XSS | 2021-10-11 | 2021-10-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Easy Accordion WordPress plugin before 2.0.22 does not properly sanitize inputs when adding new items to an accordion. |
| 797 | CVE-2021-24574 | 79 | | XSS | 2021-08-23 | 2021-08-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Simple Banner WordPress plugin before 2.10.4 does not sanitise and escape one of its settings, allowing high privilege users such as admins to use Cross-Site Scripting payloads even when the unfiltered_html capability is disallowed. |
| 798 | CVE-2021-24571 | 79 | | XSS | 2021-08-23 | 2021-08-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The HD Quiz WordPress plugin before 1.8.4 does not escape some of its Answers before outputting them in an attribute when generating the Quiz, which could lead to Stored Cross-Site Scripting issues. |
| 799 | CVE-2021-24569 | 79 | | XSS | 2021-09-27 | 2021-10-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Cookie Notice & Compliance for GDPR / CCPA WordPress plugin before 2.1.2 does not escape the value of its Button Text setting when outputting it in an attribute in the frontend, allowing high privilege users such as admins to perform Cross-Site Scripting even when the unfiltered_html capability is disallowed. |
| 800 | CVE-2021-24568 | 79 | | XSS | 2021-09-06 | 2021-09-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The AddToAny Share Buttons WordPress plugin before 1.7.46 does not sanitise its Sharing Header setting when outputting it in frontend pages, allowing high privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |