Total
2322 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-25356 | 1 Google | 1 Android | 2024-11-21 | 7.1 High |
| An improper caller check vulnerability in Managed Provisioning prior to SMR APR-2021 Release 1 allows unprivileged application to install arbitrary application, grant device admin permission and then delete several installed application. | ||||
| CVE-2021-25097 | 1 Creativityjuice | 1 Labtools | 2024-11-21 | 6.5 Medium |
| The LabTools WordPress plugin through 1.0 does not have proper authorisation and CSRF check in place when deleting publications, allowing any authenticated users, such as subscriber to delete arbitrary publication | ||||
| CVE-2021-24947 | 1 Thinkupthemes | 1 Responsive Vector Maps | 2024-11-21 | 6.5 Medium |
| The RVM WordPress plugin before 6.4.2 does not have proper authorisation, CSRF checks and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, such as subscriber, to read arbitrary files on the web server | ||||
| CVE-2021-24917 | 1 Wpserveur | 1 Wps Hide Login | 2024-11-21 | 7.5 High |
| The WPS Hide Login WordPress plugin before 1.9.1 has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user. | ||||
| CVE-2021-24905 | 1 Vsourz | 1 Advanced Cf7 Db | 2024-11-21 | 8.0 High |
| The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the wp-config.php allows attackers to trigger WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to the users. | ||||
| CVE-2021-24872 | 1 Get Custom Field Values Project | 1 Get Custom Field Values | 2024-11-21 | 6.5 Medium |
| The Get Custom Field Values WordPress plugin before 4.0 allows users with a role as low as Contributor to access other posts metadata without validating the permissions. Eg. contributors can access admin posts metadata. | ||||
| CVE-2021-24851 | 1 Insert Pages Project | 1 Insert Pages | 2024-11-21 | 4.3 Medium |
| The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (ie private), using a shortcode. Password protected posts/pages are not affected by such issue. | ||||
| CVE-2021-24842 | 1 Bulk Datetime Change Project | 1 Bulk Datetime Change | 2024-11-21 | 5.4 Medium |
| The Bulk Datetime Change WordPress plugin before 1.12 does not enforce capability checks which allows users with Contributor roles to 1) list private post titles of other users and 2) change the posted date of other users' posts. | ||||
| CVE-2021-24824 | 1 Custom Content Shortcode Project | 1 Custom Content Shortcode | 2024-11-21 | 4.3 Medium |
| The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the email address of orders can be retrieved | ||||
| CVE-2021-24819 | 1 Page\/post Content Shortcode Project | 1 Page\/post Content Shortcode | 2024-11-21 | 4.3 Medium |
| The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as admins and editors. | ||||
| CVE-2021-24788 | 1 Batch Cat Project | 1 Batch Cat | 2024-11-21 | 6.5 Medium |
| The Batch Cat WordPress plugin through 0.3 defines 3 custom AJAX actions, which both require authentication but are available for all roles. As a result, any authenticated user (including simple subscribers) can add/set/delete arbitrary categories to posts. | ||||
| CVE-2021-24783 | 1 Publishpress | 1 Post Expirator | 2024-11-21 | 6.5 Medium |
| The Post Expirator WordPress plugin before 2.6.0 does not have proper capability checks in place, which could allow users with a role as low as Contributor to schedule deletion of arbitrary posts. | ||||
| CVE-2021-24770 | 1 Stylishpricelist | 1 Stylish Price List | 2024-11-21 | 6.5 Medium |
| The Stylish Price List WordPress plugin before 6.9.1 does not perform capability checks in its spl_upload_ser_img AJAX action (available to authenticated users), which could allow any authenticated users, such as subscriber, to upload arbitrary images. | ||||
| CVE-2021-24757 | 1 Stylishpricelist | 1 Stylish Price List | 2024-11-21 | 5.3 Medium |
| The Stylish Price List WordPress plugin before 6.9.0 does not perform capability checks in its spl_upload_ser_img AJAX action (available to both unauthenticated and authenticated users), which could allow unauthenticated users to upload images. | ||||
| CVE-2021-24742 | 1 Radiustheme | 1 Logo Slider And Showcase | 2024-11-21 | 6.5 Medium |
| The Logo Slider and Showcase WordPress plugin before 1.3.37 allows Editor users to update the plugin's settings via the rtWLSSettings AJAX action because it uses a nonce for authorisation instead of a capability check. | ||||
| CVE-2021-24733 | 1 Wp Post Page Clone Project | 1 Wp Post Page Clone | 2024-11-21 | 4.3 Medium |
| The WP Post Page Clone WordPress plugin before 1.2 allows users with a role as low as Contributor to clone and view other users' draft and password-protected posts which they cannot view normally. | ||||
| CVE-2021-24717 | 1 Automatorwp | 1 Automatorwp | 2024-11-21 | 8.8 High |
| The AutomatorWP WordPress plugin before 1.7.6 does not perform capability checks which allows users with Subscriber roles to enumerate automations, disclose title of private posts or user emails, call functions, or perform privilege escalation via Ajax actions. | ||||
| CVE-2021-24652 | 1 Wpxpo | 1 Postx - Gutenberg Blocks For Post Grid | 2024-11-21 | 6.5 Medium |
| The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10 performs incorrect checks before allowing any logged in user to perform some ajax based requests, allowing any user to modify, delete or add ultp_options values. | ||||
| CVE-2021-24405 | 1 Izsoft | 1 Easy Cookies Policy | 2024-11-21 | 6.5 Medium |
| The Easy Cookies Policy WordPress plugin through 1.6.2 is lacking any capability and CSRF check when saving its settings, allowing any authenticated users (such as subscriber) to change them. If users can't register, this can be done through CSRF. Furthermore, the cookie banner setting is not sanitised or validated before being output in all pages of the frontend and the backend settings one, leading to a Stored Cross-Site Scripting issue. | ||||
| CVE-2021-24379 | 1 Wphappycoders | 1 Comments Like Dislike | 2024-11-21 | 5.3 Medium |
| The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited like/dislike to any comment. The plugin appears to have some Restriction modes, such as Cookie Restriction, IP Restrictions, Logged In User Restriction, however, they do not prevent such attack as they only check client side | ||||