CVE-2021-24860
The BSK PDF Manager WordPress plugin before 3.1.2 does not validate and escape the orderby and order parameters before using them in a SQL statement, leading to a SQL injection issue
Source: CVE-2021-24860
[월:] 2021년 11월
CVE-2021-24915
CVE-2021-24915
The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unauthenticated to perform SQL injections attacks, as well as get the list of all users registered on the blog, including their username and email address
Source: CVE-2021-24915
CVE-2021-24899
CVE-2021-24899
The Media-Tags WordPress plugin through 3.2.0.2 does not sanitise and escape any of its Labels settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_htnl capability is disallowed.
Source: CVE-2021-24899
CVE-2021-24908
CVE-2021-24908
The Check & Log Email WordPress plugin before 1.0.4 does not escape the d parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting
Source: CVE-2021-24908
CVE-2021-24811
CVE-2021-24811
The Shop Page WP WordPress plugin before 1.2.8 does not sanitise and escape some of the Product fields, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Source: CVE-2021-24811
CVE-2021-24889
CVE-2021-24889
The Ninja Forms Contact Form WordPress plugin before 3.6.4 does not escape keys of the fields POST parameter, which could allow high privilege users to perform SQL injections attacks
Source: CVE-2021-24889
CVE-2021-24755
CVE-2021-24755
The myCred WordPress plugin before 2.3 does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user
Source: CVE-2021-24755
CVE-2021-24876
CVE-2021-24876
The Registrations for the Events Calendar WordPress plugin before 2.7.5 does not escape the v parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting
Source: CVE-2021-24876
CVE-2021-24842
CVE-2021-24842
The Bulk Datetime Change WordPress plugin before 1.12 does not enforce capability checks which allows users with Contributor roles to 1) list private post titles of other users and 2) change the posted date of other users’ posts.
Source: CVE-2021-24842
CVE-2021-24748
CVE-2021-24748
The Email Before Download WordPress plugin before 6.8 does not properly validate and escape the order and orderby GET parameters before using them in SQL statements, leading to authenticated SQL injection issues
Source: CVE-2021-24748