CVE-2021-27306
An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.0.0 allows unauthenticated users access to authenticated routes without a valid token JWT.
Source: CVE-2021-27306
[월:] 2021년 03월
CVE-2021-26935
CVE-2021-26935
In WoWonder < 3.1, remote attackers can gain access to the database by exploiting a requests.php?f=search-my-followers SQL Injection vulnerability via the event_id parameter.
Source: CVE-2021-26935
CVE-2021-24144
CVE-2021-24144
Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files.
Source: CVE-2021-24144
CVE-2021-24141
CVE-2021-24141
Unvaludated input in the Advanced Database Cleaner plugin, versions before 3.0.2, lead to SQL injection allowing high privilege users (admin+) to perform SQL attacks.
Source: CVE-2021-24141
CVE-2021-24142
CVE-2021-24142
Unvaludated input in the 301 Redirects – Easy Redirect Manager WordPress plugin, versions before 2.51, did not sanitise its "Redirect From" column when importing a CSV file, allowing high privilege users to perform SQL injections.
Source: CVE-2021-24142
CVE-2021-24149
CVE-2021-24149
Unvalidated input in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.6, did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an author+, leading to an authenticated SQL Injection issue.
Source: CVE-2021-24149
CVE-2021-24148
CVE-2021-24148
A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cookie with only an email address.
Source: CVE-2021-24148
CVE-2021-24143
CVE-2021-24143
Unvalidated input in the AccessPress Social Icons plugin, versions before 1.8.1, did not sanitise its widget attribute, allowing accounts with post permission, such as author, to perform SQL injections.
Source: CVE-2021-24143
CVE-2021-24147
CVE-2021-24147
Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event.
Source: CVE-2021-24147
CVE-2021-24146
CVE-2021-24146
Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example.
Source: CVE-2021-24146