Security Vulnerabilities Published In October 2021

Each entry below spans four lines: (1) # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date; (2) Score; (3) Gained Access Level | Access Complexity | Authentication | Conf. | Integ. | Avail.; (4) description.
1201 CVE-2021-24719 79 XSS 2021-10-11 2021-11-30
4.3
None Remote Medium Not required None Partial None
The Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present in Enfold versions earlier than 4.8.4 which use Avia Page Builder.
1202 CVE-2021-24712 79 XSS 2021-10-11 2021-10-15
3.5
None Remote Medium ??? None Partial None
The Appointment Hour Booking WordPress plugin before 1.3.17 does not properly sanitize values used when creating new calendars.
1203 CVE-2021-24711 352 CSRF 2021-10-11 2021-10-15
6.8
None Remote Medium Not required Partial Partial Partial
The del_reistered_domains AJAX action of the Software License Manager WordPress plugin before 4.5.1 does not have any CSRF checks, and is vulnerable to a CSRF attack.
1204 CVE-2021-24709 79 XSS 2021-10-11 2021-10-15
3.5
None Remote Medium ??? None Partial None
The Weather Effect WordPress plugin before 1.3.6 does not properly validate and escape some of its settings (like *_size_leaf, *_flakes_leaf, *_speed), which could lead to Stored Cross-Site Scripting issues.
1205 CVE-2021-24702 79 XSS 2021-10-18 2021-10-21
2.1
None Remote High ??? None Partial None
The LearnPress WordPress plugin before 4.1.3.1 does not properly sanitize or escape various inputs within course settings, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed.
1206 CVE-2021-24699 79 XSS 2021-10-25 2021-10-27
3.5
None Remote Medium ??? None Partial None
The Easy Media Download WordPress plugin before 1.1.7 does not escape the text argument of its shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
1207 CVE-2021-24691 79 XSS 2021-10-11 2021-10-15
3.5
None Remote Medium ??? None Partial None
The Quiz And Survey Master WordPress plugin before 7.3.2 does not escape the Quiz Url Slug setting before outputting it in some pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
1208 CVE-2021-24690 79 XSS 2021-10-11 2021-10-15
3.5
None Remote Medium ??? None Partial None
The Chained Quiz WordPress plugin before 1.2.7.2 does not properly sanitize or escape inputs in the plugin's settings.
1209 CVE-2021-24687 79 XSS 2021-10-04 2021-10-08
3.5
None Remote Medium ??? None Partial None
The Modern Events Calendar Lite WordPress plugin before 5.22.2 does not escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
1210 CVE-2021-24684 78 Exec Code 2021-10-18 2021-11-04
9.0
None Remote Low ??? Complete Complete Complete
The WordPress PDF Light Viewer Plugin WordPress plugin before 1.4.12 allows users with the Author role to execute arbitrary OS commands on the server via OS Command Injection when invoking Ghostscript.
1211 CVE-2021-24683 352 XSS CSRF 2021-10-11 2021-10-19
4.3
None Remote Medium Not required None Partial None
The Weather Effect WordPress plugin before 1.3.4 does not have any CSRF checks in place when saving its settings, and does not validate or escape them, which could lead to a Stored Cross-Site Scripting issue.
1212 CVE-2021-24681 79 XSS 2021-10-11 2021-10-15
3.5
None Remote Medium ??? None Partial None
The Duplicate Page WordPress plugin through 4.4.2 does not sanitise or escape the Duplicate Post Suffix setting before outputting it, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
1213 CVE-2021-24679 79 XSS 2021-10-04 2021-10-26
4.3
None Remote Medium Not required None Partial None
The Bitcoin / AltCoin Payment Gateway for WooCommerce WordPress plugin before 1.6.1 does not escape the 's' GET parameter before outputting it back in the All Masking Rules page, leading to a Reflected Cross-Site Scripting issue.
1214 CVE-2021-24678 79 XSS 2021-10-04 2021-10-18
3.5
None Remote Medium ??? None Partial None
The CM Tooltip Glossary WordPress plugin before 3.9.21 does not escape some glossary_tooltip shortcode attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
1215 CVE-2021-24677 862 2021-10-18 2021-11-04
5.0
None Remote Low Not required Partial None None
The Find My Blocks WordPress plugin before 3.4.0 does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles.
1216 CVE-2021-24676 79 XSS 2021-10-04 2021-10-08
4.3
None Remote Medium Not required None Partial None
The Better Find and Replace WordPress plugin before 1.2.9 does not escape the 's' GET parameter before outputting it back in the All Masking Rules page, leading to a Reflected Cross-Site Scripting issue.
1217 CVE-2021-24675 352 CSRF 2021-10-18 2021-10-20
4.3
None Remote Medium Not required None Partial None
The One User Avatar WordPress plugin before 2.3.7 does not check for CSRF when updating the Avatar in the page where the [avatar_upload] shortcode is embedded. As a result, attackers could make logged-in users change their avatar via a CSRF attack.
1218 CVE-2021-24673 79 XSS 2021-10-04 2021-10-08
3.5
None Remote Medium ??? None Partial None
The Appointment Hour Booking WordPress plugin before 1.3.16 does not escape some of the Calendar Form settings, allowing high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
1219 CVE-2021-24672 79 XSS 2021-10-18 2021-10-20
3.5
None Remote Medium ??? None Partial None
The One User Avatar WordPress plugin before 2.3.7 does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
1220 CVE-2021-24662 89 Sql 2021-10-25 2021-10-27
6.5
None Remote Low ??? Partial Partial Partial
The Game Server Status WordPress plugin through 1.0 does not validate or escape the server_id parameter before using it in an SQL statement, leading to an Authenticated SQL Injection in an admin page.
1221 CVE-2021-24656 79 XSS 2021-10-11 2021-10-15
3.5
None Remote Medium ??? None Partial None
The Simple Social Media Share Buttons WordPress plugin before 3.2.4 does not escape the Share Title settings before outputting it in the frontend pages or posts (depending on the settings used), allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
1222 CVE-2021-24654 79 XSS 2021-10-04 2021-10-08
3.5
None Remote Medium ??? None Partial None
The User Registration WordPress plugin before 2.0.2 does not properly sanitise the user_registration_profile_pic_url value when submitted directly via the user_registration_update_profile_details AJAX action. This could allow any authenticated user, such as a subscriber, to perform Stored Cross-Site Scripting attacks when their profile is viewed.
1223 CVE-2021-24653 79 XSS 2021-10-25 2021-10-27
3.5
None Remote Medium ??? None Partial None
The Cookie Bar WordPress plugin through 1.8.8 doesn't properly sanitise the Cookie Bar Message setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
1224 CVE-2021-24651 89 Sql 2021-10-11 2021-10-19
5.0
None Remote Low Not required Partial None None
The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. While the result is not disclosed in the response, it is possible to use a timing attack to exfiltrate data such as password hash.
1225 CVE-2021-24642 352 XSS CSRF 2021-10-18 2021-10-21
4.3
None Remote Medium Not required None Partial None
The Scroll Baner WordPress plugin through 1.0 does not have a CSRF check in place when saving its settings, nor does it perform any sanitisation, escaping or validation on them. This could allow attackers to make a logged-in admin change them and could lead to RCE (via a file upload) as well as XSS.
1226 CVE-2021-24622 79 XSS 2021-10-18 2021-10-21
3.5
None Remote Medium ??? None Partial None
The Customer Service Software & Support Ticket System WordPress plugin before 5.10.4 does not sanitize or escape form fields before outputting it in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
1227 CVE-2021-24617 79 XSS 2021-10-18 2021-10-21
4.3
None Remote Medium Not required None Partial None
The GamePress WordPress plugin through 1.1.0 does not escape the op_edit POST parameter before outputting it back in multiple Game Option pages, leading to Reflected Cross-Site Scripting issues.
1228 CVE-2021-24615 352 XSS CSRF 2021-10-18 2021-10-21
4.3
None Remote Medium Not required None Partial None
The Wechat Reward WordPress plugin through 1.7 does not sanitise or escape its QR settings, nor does it have any CSRF check in place, allowing attackers to make a logged-in admin change the settings and perform Cross-Site Scripting attacks.
1229 CVE-2021-24612 79 +Priv XSS 2021-10-18 2021-10-21
3.5
None Remote Medium ??? None Partial None
The Sociable WordPress plugin through 4.3.4.1 does not sanitise or escape some of its settings before outputting them in the admin dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfiltered_html capability is disallowed.
1230 CVE-2021-24608 79 XSS 2021-10-25 2021-10-27
3.5
None Remote Medium ??? None Partial None
The Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form's Labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
1231 CVE-2021-24595 352 XSS CSRF 2021-10-18 2021-10-21
4.3
None Remote Medium Not required None Partial None
The Wp Cookie Choice WordPress plugin through 1.1.0 lacks any CSRF check when saving its options, and does not escape them when outputting them in attributes. As a result, an attacker could make a logged-in admin change them to arbitrary values including XSS payloads via a CSRF attack.
1232 CVE-2021-24577 79 XSS 2021-10-11 2021-10-15
3.5
None Remote Medium ??? None Partial None
The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not properly sanitize inputs submitted by authenticated users when adding or modifying coming soon or maintenance mode pages, leading to stored XSS.
1233 CVE-2021-24576 79 XSS 2021-10-11 2021-10-18
3.5
None Remote Medium ??? None Partial None
The Easy Accordion WordPress plugin before 2.0.22 does not properly sanitize inputs when adding new items to an accordion.
1234 CVE-2021-24563 79 XSS 2021-10-11 2022-01-12
4.3
None Remote Medium Not required None Partial None
The Frontend Uploader WordPress plugin through 1.3.2 does not prevent HTML files from being uploaded via its form, allowing unauthenticated users to upload a malicious HTML file containing JavaScript, for example, which will be triggered when someone accesses the file directly.
1235 CVE-2021-24546 94 Exec Code 2021-10-11 2021-10-15
6.5
None Remote Low ??? Partial Partial Partial
The Gutenberg Block Editor Toolkit – EditorsKit WordPress plugin before 1.31.6 does not sanitise and validate the Conditional Logic of the Custom Visibility settings, allowing users with a role as low as Contributor to execute arbitrary PHP code.
1236 CVE-2021-24545 79 Exec Code +Priv XSS 2021-10-11 2021-10-15
3.5
None Remote Medium ??? None Partial None
The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visits a post in the frontend made by such a user. As a result, users with a role as low as Author could perform Cross-Site Scripting attacks against users, which could potentially lead to privilege escalation when an admin views the related post/s.
1237 CVE-2021-24544 79 +Priv XSS 2021-10-25 2021-10-28
3.5
None Remote Medium ??? None Partial None
The Responsive WordPress Slider WordPress plugin through 2.2.0 does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders (https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/; such settings can be changed in the plugin's settings), this would allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks against logged-in admins viewing the slider list, and could lead to privilege escalation by creating a rogue admin account, for example.
1238 CVE-2021-24543 352 XSS CSRF 2021-10-25 2021-10-28
4.3
None Remote Medium Not required None Partial None
The jQuery Reply to Comment WordPress plugin through 1.31 does not have any CSRF check when saving its settings, nor sanitise or escape its 'Quote String' and 'Reply String' settings before outputting them in Comments, leading to a Stored Cross-Site Scripting issue.
1239 CVE-2021-24516 79 XSS 2021-10-18 2021-10-21
3.5
None Remote Medium ??? None Partial None
The PlanSo Forms WordPress plugin through 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set an XSS payload in it, even when the unfiltered_html capability is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue.
1240 CVE-2021-24515 79 XSS 2021-10-25 2021-11-17
3.5
None Remote Medium ??? None Partial None
The Video Gallery WordPress plugin before 1.1.5 does not escape the Title and Description of the videos in a gallery before outputting them in attributes, leading to Stored Cross-Site Scripting issues.
1241 CVE-2021-24514 79 XSS 2021-10-25 2021-10-28
3.5
None Remote Medium ??? None Partial None
The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high privilege users such as admin to set a Cross-Site Scripting payload in it, even when the unfiltered_html capability is disallowed.
1242 CVE-2021-24489 79 XSS 2021-10-25 2021-10-28
3.5
None Remote Medium ??? None Partial None
The Request a Quote WordPress plugin before 2.3.5 does not sanitise, validate or escape some of its settings in the admin dashboard, leading to authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed.
1243 CVE-2021-24487 352 XSS CSRF 2021-10-25 2021-10-28
6.8
None Remote Medium Not required Partial Partial Partial
The St-Daily-Tip WordPress plugin through 4.7 does not have any CSRF check in place when saving its 'Default Text to Display if no tips' setting, and was also lacking sanitisation as well as escaping before outputting it in the page. This could allow attackers to make logged-in administrators set a malicious payload in it, leading to a Stored Cross-Site Scripting issue.
1244 CVE-2021-24485 79 XSS 2021-10-25 2021-10-28
3.5
None Remote Medium ??? None Partial None
The Special Text Boxes WordPress plugin through 5.9.109 does not sanitise or escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
1245 CVE-2021-24465 89 Sql 2021-10-04 2021-10-08
5.5
None Remote Low ??? Partial Partial None
The Meow Gallery WordPress plugin before 4.1.9 does not sanitise, validate or escape the ids attribute of its gallery shortcode (available for users as low as Contributor) before using it in an SQL statement, leading to an authenticated SQL Injection issue. The injection also allows the returned values to be manipulated in a way that could lead to data disclosure and arbitrary objects to be deserialized.
1246 CVE-2021-24416 79 XSS 2021-10-18 2021-10-21
3.5
None Remote Medium ??? None Partial None
The StreamCast – Radio Player for WordPress plugin before 2.1.1 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as Contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page/s with the embedded malicious shortcode.
1247 CVE-2021-24415 79 XSS 2021-10-18 2021-10-21
3.5
None Remote Medium ??? None Partial None
The Polo Video Gallery – Best wordpress video gallery plugin WordPress plugin through 1.2 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as Contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page/s with the embedded malicious shortcode.
1248 CVE-2021-24414 79 XSS 2021-10-25 2021-10-28
3.5
None Remote Medium ??? None Partial None
The Video Player for YouTube WordPress plugin before 1.4 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as Contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page/s with the embedded malicious shortcode.
1249 CVE-2021-24413 79 XSS 2021-10-18 2021-10-21
3.5
None Remote Medium ??? None Partial None
The Easy Twitter Feed WordPress plugin before 1.2 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as Contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page/s with the embedded malicious shortcode.
1250 CVE-2021-24412 79 XSS 2021-10-18 2021-10-21
3.5
None Remote Medium ??? None Partial None
The Html5 Audio Player – Audio Player for WordPress plugin before 2.1.3 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as Contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page/s with the embedded malicious shortcode.
Total number of vulnerabilities: 1708 (this is page 25 of 35).