Total
16413 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24442 | 1 Wpdevart | 1 Poll\, Survey\, Questionnaire And Voting System | 2024-11-21 | 9.8 Critical |
| The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks | ||||
| CVE-2021-24404 | 1 Wp-board Project | 1 Wp-board | 2024-11-21 | 8.8 High |
| The options.php file of the WP-Board WordPress plugin through 1.1 beta accepts a postid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. This is a time based SQLI and in the same function vulnerable parameter is passed twice so if we pass time as 5 seconds it takes 10 seconds to return since the query ran twice. | ||||
| CVE-2021-24403 | 1 Wpagecontact Project | 1 Wpagecontact | 2024-11-21 | 7.2 High |
| The Orders functionality in the WordPress Page Contact plugin through 1.0 has an order_id parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors | ||||
| CVE-2021-24402 | 1 Solvercircle | 1 Wp Icommerce | 2024-11-21 | 7.2 High |
| The Orders functionality in the WP iCommerce WordPress plugin through 1.1.1 has an `order_id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors | ||||
| CVE-2021-24401 | 1 Wp-domain-redirect Project | 1 Wp-domain-redirect | 2024-11-21 | 7.2 High |
| The Edit domain functionality in the WP Domain Redirect WordPress plugin through 1.0 has an `editid` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24400 | 1 Wp-display-users Project | 1 Wp-display-users | 2024-11-21 | 7.2 High |
| The Edit Role functionality in the Display Users WordPress plugin through 2.0.0 had an `id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24399 | 1 Ombu | 1 The Sorter | 2024-11-21 | 7.2 High |
| The check_order function of The Sorter WordPress plugin through 1.0 uses an `area_id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24398 | 1 Webpsilon | 1 Responsive 3d Slider | 2024-11-21 | 7.2 High |
| The Add new scene functionality in the Responsive 3D Slider WordPress plugin through 1.2 uses an id parameter which is not sanitised, escaped or validated before being inserted to a SQL statement, leading to SQL injection. This is a time based SQLI and in the same function vulnerable parameter is passed twice so if we pass time as 5 seconds it takes 10 seconds to return since the query is ran twice. | ||||
| CVE-2021-24397 | 1 Activemedia | 1 Microcopy | 2024-11-21 | 7.2 High |
| The edit functionality in the MicroCopy WordPress plugin through 1.1.0 makes a get request to fetch the related option. The id parameter used is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24396 | 1 Bestiaweb | 1 Gseor | 2024-11-21 | 7.2 High |
| A pageid GET parameter of the GSEOR – WordPress SEO Plugin WordPress plugin through 1.3 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24395 | 1 Geekwebsolution | 1 Embed Youtube Video | 2024-11-21 | 7.2 High |
| The editid GET parameter of the Embed Youtube Video WordPress plugin through 1.0 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24394 | 1 Easy Testimonial Manager Project | 1 Easy Testimonial Manager | 2024-11-21 | 7.2 High |
| An id GET parameter of the Easy Testimonial Manager WordPress plugin through 1.2.0 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection | ||||
| CVE-2021-24393 | 1 Comment Highlighter Project | 1 Comment Highlighter | 2024-11-21 | 7.2 High |
| A c GET parameter of the Comment Highlighter WordPress plugin through 0.13 is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24392 | 1 Swiftcrm | 1 Club-management-software | 2024-11-21 | 7.2 High |
| An id GET parameter of the WordPress Membership SwiftCloud.io WordPress plugin through 1.0 is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24391 | 1 Cashtomer Project | 1 Cashtomer | 2024-11-21 | 8.8 High |
| An editid GET parameter of the Cashtomer WordPress plugin through 1.0.0 is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24390 | 1 Alipay Project | 1 Alipay | 2024-11-21 | 7.2 High |
| A proid GET parameter of the WordPress支付宝Alipay|财付通Tenpay|贝宝PayPal集成插件 WordPress plugin through 3.7.2 is not sanitised, properly escaped or validated before inserting to a SQL statement not delimited by quotes, leading to SQL injection. | ||||
| CVE-2021-24385 | 1 Ninjateam | 1 Filebird | 2024-11-21 | 9.8 Critical |
| The Filebird Plugin 4.7.3 introduced a SQL injection vulnerability as it is making SQL queries without escaping user input data from a HTTP post request. This is a major vulnerability as the user input is not escaped and passed directly to the get_col function and it allows SQL injection. The Rest API endpoint which invokes this function also does not have any required permissions/authentication and can be accessed by an anonymous user. | ||||
| CVE-2021-24361 | 1 Ayecode | 1 Location Manager | 2024-11-21 | 9.8 Critical |
| In the Location Manager WordPress plugin before 2.1.0.10, the AJAX action gd_popular_location_list did not properly sanitise or validate some of its POST parameters, which are then used in a SQL statement, leading to unauthenticated SQL Injection issues. | ||||
| CVE-2021-24360 | 1 Kohsei-works | 1 Yes\/no Chart | 2024-11-21 | 6.5 Medium |
| The Yes/No Chart WordPress plugin before 1.0.12 did not sanitise its sid shortcode parameter before using it in a SQL statement, allowing medium privilege users (contributor+) to perform Blind SQL Injection attacks | ||||
| CVE-2021-24348 | 1 Wow-estore | 1 Side Menu | 2024-11-21 | 7.2 High |
| The menu delete functionality of the Side Menu – add fixed side buttons WordPress plugin before 3.1.5, available to Administrator users takes the did GET parameter and uses it into an SQL statement without proper sanitisation, validation or escaping, therefore leading to a SQL Injection issue | ||||