Security Vulnerabilities (CVSS score between 3 and 3.99)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
801 | CVE-2021-24587 | 79 | | XSS | 2021-09-20 | 2021-09-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Splash Header WordPress plugin before 1.20.8 doesn't sanitise and escape some of its settings while outputting them in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue.
802 | CVE-2021-24584 | 284 | | XSS CSRF | 2021-09-20 | 2021-10-01 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update arbitrary timeslots from any event. Furthermore, no CSRF check is in place, allowing such an attack to be performed via CSRF against a logged-in user with that capability. In versions before 2.3.19, the lack of sanitisation and escaping in some of the fields, like the description, could also lead to Stored XSS issues.
803 | CVE-2021-24582 | 79 | | XSS | 2021-09-20 | 2021-09-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The ThinkTwit WordPress plugin before 1.7.1 did not sanitise or escape its "Consumer key" setting before outputting it in its settings page, leading to a Stored Cross-Site Scripting issue.
804 | CVE-2021-24577 | 79 | | XSS | 2021-10-11 | 2021-10-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not properly sanitize inputs submitted by authenticated users when adding or modifying coming soon or maintenance mode pages, leading to stored XSS.
805 | CVE-2021-24576 | 79 | | XSS | 2021-10-11 | 2021-10-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Easy Accordion WordPress plugin before 2.0.22 does not properly sanitize inputs when adding new items to an accordion.
806 | CVE-2021-24574 | 79 | | XSS | 2021-08-23 | 2021-08-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Simple Banner WordPress plugin before 2.10.4 does not sanitise and escape one of its settings, allowing high privilege users such as admin to use Cross-Site Scripting payload even when the unfiltered_html capability is disallowed.
807 | CVE-2021-24571 | 79 | | XSS | 2021-08-23 | 2021-08-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The HD Quiz WordPress plugin before 1.8.4 does not escape some of its Answers before outputting them in an attribute when generating the Quiz, which could lead to Stored Cross-Site Scripting issues.
808 | CVE-2021-24569 | 79 | | XSS | 2021-09-27 | 2021-10-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Cookie Notice & Compliance for GDPR / CCPA WordPress plugin before 2.1.2 does not escape the value of its Button Text setting when outputting it in an attribute in the frontend, allowing high privilege users such as admin to perform Cross-Site Scripting even when the unfiltered_html capability is disallowed.
809 | CVE-2021-24568 | 79 | | XSS | 2021-09-06 | 2021-09-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The AddToAny Share Buttons WordPress plugin before 1.7.46 does not sanitise its Sharing Header setting when outputting it in frontend pages, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
810 | CVE-2021-24564 | 79 | | XSS | 2021-08-23 | 2021-08-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The WPFront Scroll Top WordPress plugin before 2.0.6.07225 does not sanitise or escape its Image ALT setting before outputting it in attributes, leading to an Authenticated Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed.
811 | CVE-2021-24561 | 79 | | XSS | 2021-08-23 | 2021-08-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The WP SMS WordPress plugin before 5.4.13 does not sanitise the "wp_group_name" parameter before outputting it back in the "Groups" page, leading to an Authenticated Stored Cross-Site Scripting issue.
812 | CVE-2021-24558 | 79 | | XSS | 2021-08-23 | 2021-08-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The pspin_duplicate_post_save_as_new_post function of the Project Status WordPress plugin through 1.6 does not sanitise, validate or escape the post GET parameter passed to it before outputting it in an error message when the related post does not exist, leading to a reflected XSS issue.
813 | CVE-2021-24548 | 79 | | XSS | 2021-08-16 | 2021-08-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Mimetic Books WordPress plugin through 0.2.13 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) in the "Default Publisher ID" field on the plugin's settings page.
814 | CVE-2021-24547 | 79 | | XSS | 2021-08-23 | 2021-08-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The KN Fix Your Title WordPress plugin through 1.0.1 was vulnerable to Authenticated Stored XSS in the separator field.
815 | CVE-2021-24545 | 79 | | Exec Code +Priv XSS | 2021-10-11 | 2021-10-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visits a post in the frontend made by such a user. As a result, a user with a role as low as author could perform Cross-Site Scripting attacks against users, which could potentially lead to privilege escalation when an admin views the related post/s.
816 | CVE-2021-24544 | 79 | | +Priv XSS | 2021-10-25 | 2021-10-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Responsive WordPress Slider WordPress plugin through 2.2.0 does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders (https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/, such settings can be changed in the plugin's settings), this would allow a user with a role as low as subscriber to perform Cross-Site Scripting attacks against logged in admins viewing the slider list and could lead to privilege escalation by creating a rogue admin account for example.
817 | CVE-2021-24541 | 79 | | XSS | 2021-08-16 | 2021-08-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Wonder PDF Embed WordPress plugin before 1.7 does not escape parameters of its wonderplugin_pdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.
818 | CVE-2021-24540 | 79 | | XSS | 2021-08-16 | 2021-08-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.
819 | CVE-2021-24538 | 79 | | XSS | 2021-08-16 | 2021-08-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Current Book WordPress plugin through 1.0.1 does not sanitize user input when an authenticated user adds Author or Book Title, then does not escape these values when outputting to the browser, leading to an Authenticated Stored Cross-Site Scripting (XSS) issue.
820 | CVE-2021-24534 | 79 | | XSS | 2021-08-16 | 2021-08-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The PhoneTrack Meu Site Manager WordPress plugin through 0.1 does not sanitise or escape its "php_id" setting before outputting it back in an attribute in the page, leading to a stored Cross-Site Scripting issue.
821 | CVE-2021-24533 | 79 | | XSS | 2021-08-23 | 2021-08-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high privilege users such as admin to set Cross-Site Scripting payloads in them (even when the unfiltered_html capability is disallowed), which will be triggered in the frontend.
822 | CVE-2021-24531 | 79 | | XSS | 2021-08-23 | 2021-08-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Charitable – Donation Plugin WordPress plugin before 1.6.51 is affected by an authenticated stored cross-site scripting vulnerability which was found in the add donation feature.
823 | CVE-2021-24530 | 79 | | XSS | 2021-09-20 | 2021-09-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Alojapro Widget WordPress plugin through 1.1.15 doesn't properly sanitise its Custom CSS settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
824 | CVE-2021-24529 | 79 | | XSS | 2021-08-23 | 2021-08-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Grid Gallery – Photo Image Grid Gallery WordPress plugin before 1.2.5 does not properly sanitize the title field for image galleries when adding them via the admin dashboard, resulting in an authenticated Stored Cross-Site Scripting vulnerability.
825 | CVE-2021-24528 | 79 | | XSS | 2021-08-30 | 2021-09-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The FluentSMTP WordPress plugin before 2.0.1 does not sanitize parameters before storing the settings in the database, nor does the plugin escape the values before outputting them when viewing the SMTP settings set by this plugin, leading to a stored cross site scripting (XSS) vulnerability. Only users with roles capable of managing plugins can modify the plugin's settings.
826 | CVE-2021-24526 | 79 | | XSS | 2021-08-16 | 2021-08-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue.
827 | CVE-2021-24525 | 79 | | XSS | 2021-09-20 | 2021-09-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design (like [su_button]'s onclick attribute).
828 | CVE-2021-24524 | 79 | | XSS | 2021-08-23 | 2021-08-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them.
829 | CVE-2021-24523 | 79 | | XSS | 2021-09-13 | 2021-09-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Daily Prayer Time WordPress plugin before 2021.08.10 does not sanitise or escape some of its settings before outputting them in the page, leading to Authenticated Stored Cross-Site Scripting issues.
830 | CVE-2021-24519 | 79 | | XSS | 2021-08-16 | 2021-08-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The VikRentCar Car Rental Management System WordPress plugin before 1.1.10 does not sanitise the 'Text Next to Icon' field when adding or editing a Characteristic, allowing high privilege users such as admin to use an XSS payload in it, leading to an authenticated Stored Cross-Site Scripting issue.
831 | CVE-2021-24518 | 79 | | XSS | 2021-08-16 | 2021-08-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The WPFront Notification Bar WordPress plugin before 2.0.0.07176 does not sanitise or escape its Custom CSS setting, allowing high privilege users such as admin to set an XSS payload in it even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue.
832 | CVE-2021-24517 | 79 | | XSS | 2021-09-06 | 2021-09-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2021.18 does not escape some of its settings, allowing high privilege users such as admin to set Cross-Site Scripting payloads in them even when the unfiltered_html capability is disallowed.
833 | CVE-2021-24516 | 79 | | XSS | 2021-10-18 | 2021-10-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The PlanSo Forms WordPress plugin through 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfiltered_html is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue.
834 | CVE-2021-24515 | 79 | | XSS | 2021-10-25 | 2021-11-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Video Gallery WordPress plugin before 1.1.5 does not escape the Title and Description of the videos in a gallery before outputting them in attributes, leading to Stored Cross-Site Scripting issues.
835 | CVE-2021-24514 | 79 | | XSS | 2021-10-25 | 2021-10-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high privilege users such as admin to set a Cross-Site Scripting payload in it, even when the unfiltered_html capability is disallowed.
836 | CVE-2021-24513 | 79 | | XSS | 2021-09-06 | 2021-09-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Form Builder | Create Responsive Contact Forms WordPress plugin before 1.9.8.4 does not sanitise or escape its Form Title, allowing high privilege users such as admin to set a Cross-Site Scripting payload in it, even when the unfiltered_html capability is disallowed.
837 | CVE-2021-24512 | 79 | | XSS | 2021-08-16 | 2021-08-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Video Posts Webcam Recorder WordPress plugin before 3.2.4 has an authenticated reflected cross site scripting (XSS) vulnerability in one of the administrative functions for handling deletion of videos.
838 | CVE-2021-24509 | 79 | | XSS | 2021-08-09 | 2021-08-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Page View Count WordPress plugin before 2.4.9 does not escape the postid parameter of pvc_stats shortcode, allowing users with a role as low as Contributor to perform Stored XSS attacks. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in the frontend, however, higher privilege users, such as editor could exploit this without the need of approval, and even when the blog disallows the unfiltered_html capability.
839 | CVE-2021-24505 | 79 | | XSS | 2021-08-09 | 2021-08-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Forms WordPress plugin before 1.12.3 did not sanitise its input fields, leading to Stored Cross-Site scripting issues. The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the Forms "Add new" field.
840 | CVE-2021-24503 | 79 | | XSS | 2021-08-02 | 2021-08-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Popular Brand Icons – Simple Icons WordPress plugin before 2.7.8 does not sanitise or validate some of its shortcode parameters, such as "color", "size" or "class", allowing users with a role as low as Contributor to set Cross-Site Scripting payloads in them. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in the frontend; however, higher privilege users, such as editor, could exploit this without the need of approval, and even when the blog disallows the unfiltered_html capability.
841 | CVE-2021-24502 | 79 | | XSS | 2021-08-09 | 2021-08-17 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The WP Google Map WordPress plugin before 1.7.7 did not sanitise or escape the Map Title before outputting it in the page, leading to a Stored Cross-Site Scripting issue by high privilege users, even when the unfiltered_html capability is disallowed.
842 | CVE-2021-24494 | 79 | | XSS | 2021-07-06 | 2021-07-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The WP Offload SES Lite WordPress plugin before 1.4.5 did not escape some of the fields in the Activity page of the admin dashboard, such as the email's id, subject and recipient, which could lead to Stored Cross-Site Scripting issues when an attacker can control any of these fields, like the subject when filling a contact form for example. The XSS will be executed in the context of a logged in admin viewing the Activity tab of the plugin.
843 | CVE-2021-24489 | 79 | | XSS | 2021-10-25 | 2021-10-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Request a Quote WordPress plugin before 2.3.5 does not sanitise, validate or escape some of its settings in the admin dashboard, leading to authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed.
844 | CVE-2021-24486 | 79 | | XSS | 2021-08-23 | 2021-08-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Simple Social Media Share Buttons – Social Sharing for Everyone WordPress plugin before 3.2.3 did not escape the align and like_button_size parameters of its SSB shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
845 | CVE-2021-24485 | 79 | | XSS | 2021-10-25 | 2021-10-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Special Text Boxes WordPress plugin through 5.9.109 does not sanitise or escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.
846 | CVE-2021-24482 | 79 | | XSS | 2021-07-19 | 2021-07-28 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Related Posts for WordPress plugin through 2.0.4 does not sanitise its heading_text and CSS settings, allowing high privilege users (admin) to set XSS payloads in them, leading to Stored Cross-Site Scripting issues.
847 | CVE-2021-24481 | 79 | | XSS | 2021-08-02 | 2021-08-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Any Hostname WordPress plugin through 1.0.6 does not sanitise or escape its "Allowed hosts" setting, leading to an authenticated stored XSS issue, as high privilege users are able to set XSS payloads in it.
848 | CVE-2021-24480 | 79 | | XSS | 2021-08-02 | 2021-08-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Event Geek WordPress plugin through 2.5.2 does not sanitise or escape its "Use your own " setting before outputting it in the page, leading to an authenticated (admin+) stored Cross-Site Scripting issue.
849 | CVE-2021-24479 | 79 | | XSS | 2021-08-02 | 2021-08-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The DrawBlog WordPress plugin through 0.90 does not sanitise or validate some of its settings before outputting them back in the page, leading to an authenticated stored Cross-Site Scripting issue.
850 | CVE-2021-24478 | 79 | | XSS | 2021-08-02 | 2021-08-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
The Bookshelf WordPress plugin through 2.0.4 does not sanitise or escape its "Paypal email address" setting before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue.