CVE-2021-25000
The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_delete_role parameter before outputting back in the admin dashboard when the General module is enabled, leading to a Reflected Cross-Site Scripting issue
Source: CVE-2021-25000
CVE-2021-24999
The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_notice parameter before outputting it back in the admin dashboard when the Pdf Invoicing module is enabled, leading to a Reflected Cross-Site Scripting
Source: CVE-2021-24999
CVE-2021-24973
The Site Reviews WordPress plugin before 5.17.3 does not sanitise and escape the site-reviews parameter of the glsr_action AJAX action (available to unauthenticated and any authenticated users), allowing them to perform Cross-Site Scripting attacks against logged in admins viewing the Tool dashboard of the plugin
Source: CVE-2021-24973
CVE-2021-25001
The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_create_products_xml_result parameter before outputting back in the admin dashboard when the Product XML Feeds module is enabled, leading to a Reflected Cross-Site Scripting issue
Source: CVE-2021-25001
CVE-2021-24964
The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoint could be used to set CSS code if a setting is enabled, which will then be output in some pages without being sanitised and escaped. Combining those two issues, an unauthenticated attacker could put Cross-Site Scripting payloads in pages visited by users.
Source: CVE-2021-24964
CVE-2021-25020
The CAOS | Host Google Analytics Locally WordPress plugin before 4.1.9 does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin
Source: CVE-2021-25020
CVE-2021-25016
The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting
Source: CVE-2021-25016
CVE-2021-45917
The server-request receiver function of Shockwall system has an improper authentication vulnerability. An authenticated attacker of an agent computer within the local area network can use the local registry information to launch server-side request forgery (SSRF) attack on another agent computer, resulting in arbitrary code execution for controlling the system or disrupting service.
Source: CVE-2021-45917
CVE-2021-44158
ASUS RT-AX56U Wi-Fi Router is vulnerable to stack-based buffer overflow due to improper validation for httpd parameter length. An authenticated local area network attacker can launch arbitrary code execution to control the system or disrupt service.
Source: CVE-2021-44158
CVE-2021-45916
The programming function of Shockwall system has an improper input validation vulnerability. An authenticated attacker within the local area network can send malicious response to the server to disrupt the service partially.
Source: CVE-2021-45916