Total
16409 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24336 | 1 Zavedil | 1 Flightlog | 2024-11-21 | 7.2 High |
| The FlightLog WordPress plugin through 3.0.2 does not sanitise, validate or escape various POST parameters before using them a SQL statement, leading to SQL injections exploitable by editor and administrator users | ||||
| CVE-2021-24321 | 1 Bold-themes | 1 Bello | 2024-11-21 | 9.8 Critical |
| The Bello - Directory & Listing WordPress theme before 1.6.0 did not sanitise the bt_bb_listing_field_price_range_to, bt_bb_listing_field_now_open, bt_bb_listing_field_my_lng, listing_list_view and bt_bb_listing_field_my_lat parameters before using them in a SQL statement, leading to SQL Injection issues | ||||
| CVE-2021-24314 | 1 Boostifythemes | 1 Goto | 2024-11-21 | 9.8 Critical |
| The Goto WordPress theme before 2.1 did not sanitise, validate of escape the keywords GET parameter from its listing page before using it in a SQL statement, leading to an Unauthenticated SQL injection issue | ||||
| CVE-2021-24303 | 1 Jiangqie | 1 Official Website Mini Program | 2024-11-21 | 8.8 High |
| The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues | ||||
| CVE-2021-24295 | 1 Cleantalk | 1 Spam Protection\, Antispam\, Firewall | 2024-11-21 | 7.5 High |
| It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4. The update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected via the User-Agent Header by manipulating the cookies set by the Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.153.4, sending an initial request to obtain a ct_sfw_pass_key cookie and then manually setting a separate ct_sfw_passed cookie and disallowing it from being reset. | ||||
| CVE-2021-24285 | 1 Cars-seller-auto-classifieds-script Project | 1 Cars-seller-auto-classifieds-script | 2024-11-21 | 9.8 Critical |
| The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue. | ||||
| CVE-2021-24221 | 1 Expresstech | 1 Quiz And Survey Master | 2024-11-21 | 8.8 High |
| The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the result_id GET parameter on pages with the [qsm_result] shortcode without id attribute, concatenating it in a SQL statement and leading to an SQL injection. The lowest role allowed to use this shortcode in post or pages being author, such user could gain unauthorised access to the DBMS. If the shortcode (without the id attribute) is embed on a public page or post, then unauthenticated users could exploit the injection. | ||||
| CVE-2021-24200 | 1 Tms-outsource | 1 Wpdatatables | 2024-11-21 | 6.5 Medium |
| The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'length' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application. | ||||
| CVE-2021-24199 | 1 Tms-outsource | 1 Wpdatatables | 2024-11-21 | 6.5 Medium |
| The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'start' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application. | ||||
| CVE-2021-24186 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 6.5 Medium |
| The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students. | ||||
| CVE-2021-24185 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 6.5 Medium |
| The tutor_place_rating AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be exploited by students. | ||||
| CVE-2021-24183 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 6.5 Medium |
| The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students. | ||||
| CVE-2021-24182 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 6.5 Medium |
| The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students. | ||||
| CVE-2021-24181 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 6.5 Medium |
| The tutor_mark_answer_as_correct AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be exploited by students. | ||||
| CVE-2021-24149 | 1 Webnus | 1 Modern Events Calendar Lite | 2024-11-21 | 8.8 High |
| Unvalidated input in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.6, did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an author+, leading to an authenticated SQL Injection issue. | ||||
| CVE-2021-24143 | 1 Accesspressthemes | 1 Accesspress Social Icons | 2024-11-21 | 8.8 High |
| Unvalidated input in the AccessPress Social Icons plugin, versions before 1.8.1, did not sanitise its widget attribute, allowing accounts with post permission, such as author, to perform SQL injections. | ||||
| CVE-2021-24142 | 1 Webfactoryltd | 1 301 Redirects | 2024-11-21 | 7.2 High |
| Unvaludated input in the 301 Redirects - Easy Redirect Manager WordPress plugin, versions before 2.51, did not sanitise its "Redirect From" column when importing a CSV file, allowing high privilege users to perform SQL injections. | ||||
| CVE-2021-24141 | 1 Sigmaplugin | 1 Advanced Database Cleaner | 2024-11-21 | 7.2 High |
| Unvaludated input in the Advanced Database Cleaner plugin, versions before 3.0.2, lead to SQL injection allowing high privilege users (admin+) to perform SQL attacks. | ||||
| CVE-2021-24140 | 1 Connekthq | 1 Ajax Load More | 2024-11-21 | 7.2 High |
| Unvalidated input in the Ajax Load More WordPress plugin, versions before 5.3.2, lead to SQL Injection in POST /wp-admin/admin-ajax.php with param repeater=' or sleep(5)#&type=test. | ||||
| CVE-2021-24139 | 1 10web | 1 Photo Gallery | 2024-11-21 | 9.8 Critical |
| Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.55, leads to SQL injection via the frontend/models/model.php bwg_search_x parameter. | ||||