Total
2299 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24872 | 1 Get Custom Field Values Project | 1 Get Custom Field Values | 2024-11-21 | 6.5 Medium |
| The Get Custom Field Values WordPress plugin before 4.0 allows users with a role as low as Contributor to access other posts metadata without validating the permissions. Eg. contributors can access admin posts metadata. | ||||
| CVE-2021-24851 | 1 Insert Pages Project | 1 Insert Pages | 2024-11-21 | 4.3 Medium |
| The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (ie private), using a shortcode. Password protected posts/pages are not affected by such issue. | ||||
| CVE-2021-24842 | 1 Bulk Datetime Change Project | 1 Bulk Datetime Change | 2024-11-21 | 5.4 Medium |
| The Bulk Datetime Change WordPress plugin before 1.12 does not enforce capability checks which allows users with Contributor roles to 1) list private post titles of other users and 2) change the posted date of other users' posts. | ||||
| CVE-2021-24824 | 1 Custom Content Shortcode Project | 1 Custom Content Shortcode | 2024-11-21 | 4.3 Medium |
| The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination with WooCommerce, the email address of orders can be retrieved | ||||
| CVE-2021-24819 | 1 Page\/post Content Shortcode Project | 1 Page\/post Content Shortcode | 2024-11-21 | 4.3 Medium |
| The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as admins and editors. | ||||
| CVE-2021-24788 | 1 Batch Cat Project | 1 Batch Cat | 2024-11-21 | 6.5 Medium |
| The Batch Cat WordPress plugin through 0.3 defines 3 custom AJAX actions, which both require authentication but are available for all roles. As a result, any authenticated user (including simple subscribers) can add/set/delete arbitrary categories to posts. | ||||
| CVE-2021-24783 | 1 Publishpress | 1 Post Expirator | 2024-11-21 | 6.5 Medium |
| The Post Expirator WordPress plugin before 2.6.0 does not have proper capability checks in place, which could allow users with a role as low as Contributor to schedule deletion of arbitrary posts. | ||||
| CVE-2021-24770 | 1 Stylishpricelist | 1 Stylish Price List | 2024-11-21 | 6.5 Medium |
| The Stylish Price List WordPress plugin before 6.9.1 does not perform capability checks in its spl_upload_ser_img AJAX action (available to authenticated users), which could allow any authenticated users, such as subscriber, to upload arbitrary images. | ||||
| CVE-2021-24757 | 1 Stylishpricelist | 1 Stylish Price List | 2024-11-21 | 5.3 Medium |
| The Stylish Price List WordPress plugin before 6.9.0 does not perform capability checks in its spl_upload_ser_img AJAX action (available to both unauthenticated and authenticated users), which could allow unauthenticated users to upload images. | ||||
| CVE-2021-24742 | 1 Radiustheme | 1 Logo Slider And Showcase | 2024-11-21 | 6.5 Medium |
| The Logo Slider and Showcase WordPress plugin before 1.3.37 allows Editor users to update the plugin's settings via the rtWLSSettings AJAX action because it uses a nonce for authorisation instead of a capability check. | ||||
| CVE-2021-24733 | 1 Wp Post Page Clone Project | 1 Wp Post Page Clone | 2024-11-21 | 4.3 Medium |
| The WP Post Page Clone WordPress plugin before 1.2 allows users with a role as low as Contributor to clone and view other users' draft and password-protected posts which they cannot view normally. | ||||
| CVE-2021-24717 | 1 Automatorwp | 1 Automatorwp | 2024-11-21 | 8.8 High |
| The AutomatorWP WordPress plugin before 1.7.6 does not perform capability checks which allows users with Subscriber roles to enumerate automations, disclose title of private posts or user emails, call functions, or perform privilege escalation via Ajax actions. | ||||
| CVE-2021-24652 | 1 Wpxpo | 1 Postx - Gutenberg Blocks For Post Grid | 2024-11-21 | 6.5 Medium |
| The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10 performs incorrect checks before allowing any logged in user to perform some ajax based requests, allowing any user to modify, delete or add ultp_options values. | ||||
| CVE-2021-24405 | 1 Izsoft | 1 Easy Cookies Policy | 2024-11-21 | 6.5 Medium |
| The Easy Cookies Policy WordPress plugin through 1.6.2 is lacking any capability and CSRF check when saving its settings, allowing any authenticated users (such as subscriber) to change them. If users can't register, this can be done through CSRF. Furthermore, the cookie banner setting is not sanitised or validated before being output in all pages of the frontend and the backend settings one, leading to a Stored Cross-Site Scripting issue. | ||||
| CVE-2021-24379 | 1 Wphappycoders | 1 Comments Like Dislike | 2024-11-21 | 5.3 Medium |
| The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited like/dislike to any comment. The plugin appears to have some Restriction modes, such as Cookie Restriction, IP Restrictions, Logged In User Restriction, however, they do not prevent such attack as they only check client side | ||||
| CVE-2021-24282 | 1 Querysol | 1 Redirection For Contact Form 7 | 2024-11-21 | 6.3 Medium |
| In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For example, an attacker could use wpcf7r_reset_settings to reset the plugin’s settings, wpcf7r_add_action to add actions to a form, and more. | ||||
| CVE-2021-24281 | 1 Querysol | 1 Redirection For Contact Form 7 | 2024-11-21 | 4.3 Medium |
| In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site. | ||||
| CVE-2021-24279 | 1 Querysol | 1 Redirection For Contact Form 7 | 2024-11-21 | 6.5 Medium |
| In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress repository. | ||||
| CVE-2021-24278 | 1 Querysol | 1 Redirection For Contact Form 7 | 2024-11-21 | 7.5 High |
| In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function. | ||||
| CVE-2021-24244 | 1 Wpbakery Page Builder Clipboard Project | 1 Wpbakery Page Builder Clipboard | 2024-11-21 | 6.5 Medium |
| An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.8 did not have capability checks, allowing low privilege users, such as subscribers, to update the license options (key, email). | ||||