Total: 8157 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-24836 | 1 Storeapps | 1 Temporary Login Without Password | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
The Temporary Login Without Password WordPress plugin before 1.7.1 does not have authorisation and CSRF checks when updating its settings, which could allow any logged-in user, such as a subscriber, to update them | |||||
CVE-2021-24832 | 1 Wp Seo Redirect 301 Project | 1 Wp Seo Redirect 301 | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
The WP SEO Redirect 301 WordPress plugin before 2.3.2 does not have CSRF checks in place when deleting redirects, which could allow attackers to make a logged in admin delete them via a CSRF attack | |||||
CVE-2021-24823 | 1 Schiocco | 1 Support Board | 2024-11-21 | 4.9 MEDIUM | 8.1 HIGH |
The Support Board WordPress plugin before 3.3.6 does not have any CSRF checks in actions handled by the include/ajax.php file, which could allow attackers to make logged in users perform unwanted actions, for example making an admin delete arbitrary files | |||||
CVE-2021-24822 | 1 Stylishcostcalculator | 1 Stylish Cost Calculator | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
The Stylish Cost Calculator WordPress plugin before 7.0.4 does not have any authorisation and CSRF checks on some of its AJAX actions (available to authenticated users), which could allow any authenticated user, such as a subscriber, to call them and perform Stored Cross-Site Scripting attacks against logged in admins, as well as frontend users, due to the lack of sanitisation and escaping in some parameters | |||||
CVE-2021-24818 | 1 Wp Limits Project | 1 Wp Limits | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
The WP Limits WordPress plugin through 1.0 does not have a CSRF check when saving its settings, allowing an attacker to make a logged in admin change them, which could make the blog unstable by setting low values | |||||
CVE-2021-24809 | 1 Wordplus | 1 Better Messages | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in several of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users perform unwanted actions | |||||
CVE-2021-24806 | 1 Gvectors | 1 Wpdiscuz | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
The wpDiscuz WordPress plugin before 7.3.4 does not check for CSRF when adding, editing and deleting comments, which could allow an attacker to make logged in users such as an admin edit and delete arbitrary comments, or make the user who made a comment edit it, via a CSRF attack. Attackers could also make logged in users post arbitrary comments. | |||||
CVE-2021-24805 | 1 Designwall | 1 Dw Question & Answer | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
The DW Question & Answer Pro WordPress plugin through 1.3.4 does not properly check for CSRF in some of its functions, allowing attackers to make logged in users perform unwanted actions, such as updating a comment or a question status. | |||||
CVE-2021-24804 | 1 Simple Jwt Login Project | 1 Simple Jwt Login | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
The Simple JWT Login WordPress plugin before 3.2.1 does not have nonce checks when saving its settings, allowing attackers to make a logged in admin change them. Settings such as the HMAC verification secret, account registering and default user roles can be updated, which could result in site takeover. | |||||
CVE-2021-24803 | 1 Core Tweaks Wp Setup Project | 1 Core Tweaks Wp Setup | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
The Core Tweaks WP Setup WordPress plugin through 4.1 allows bulk-setting many settings in WordPress, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an attacker to arbitrarily change the admin email or create another admin account and take over the website via CSRF attacks | |||||
CVE-2021-24802 | 1 Gesundheit-bewegt | 1 Colorful Categories | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
The Colorful Categories WordPress plugin before 2.0.15 does not enforce nonce checks which could allow attackers to make a logged in admin or editor change taxonomy colors via a CSRF attack | |||||
CVE-2021-24801 | 1 Wp Survey Plus Project | 1 Wp Survey Plus | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
The WP Survey Plus WordPress plugin through 1.0 does not have any authorisation and CSRF checks in place in its AJAX actions, allowing any user to call them and add/edit/delete Surveys. Furthermore, due to the lack of sanitization in the Surveys' Title, this could also lead to Stored Cross-Site Scripting issues | |||||
CVE-2021-24799 | 1 Tipsandtricks-hq | 1 Far Future Expiry Header | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
The Far Future Expiry Header WordPress plugin before 1.5 does not have a CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. | |||||
CVE-2021-24795 | 1 Phoeniixx | 1 Filter Portfolio Gallery | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
The Filter Portfolio Gallery WordPress plugin through 1.5 lacks a Cross-Site Request Forgery (CSRF) check when deleting a Gallery, which could allow attackers to make a logged in admin delete an arbitrary Gallery. | |||||
CVE-2021-24790 | 1 Contact Form Advanced Database Project | 1 Contact Form Advanced Database | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation or CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions, which are available to any authenticated user and could allow users with a role as low as subscriber to call them. The delete_cf7_data action would lead to arbitrary metadata deletion, as well as PHP Object Injection if a suitable gadget chain is present in another plugin, as user data is passed to the maybe_unserialize() function without being first validated. | |||||
CVE-2021-24784 | 1 Wp Admin Logo Changer Project | 1 Wp Admin Logo Changer | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
The WP Admin Logo Changer WordPress plugin through 1.0 does not have a CSRF check when saving its settings, which could allow attackers to make a logged in admin update them via a CSRF attack. | |||||
CVE-2021-24780 | 1 Single Post Exporter Project | 1 Single Post Exporter | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
The Single Post Exporter WordPress plugin through 1.1.1 does not have CSRF checks when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and give access to the export feature to any role such as subscriber. Subscriber users would then be able to export an arbitrary post/page (such as private and password protected) via a direct URL | |||||
CVE-2021-24779 | 1 Wp Debugging Project | 1 Wp Debugging | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
The WP Debugging WordPress plugin before 2.11.0 has its update_settings() function hooked to admin_init and is missing any authorisation and CSRF checks; as a result, the settings can be updated by unauthenticated users. | |||||
CVE-2021-24776 | 1 Wp Performance Score Booster Project | 1 Wp Performance Score Booster | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
The WP Performance Score Booster WordPress plugin before 2.1 does not have a CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. | |||||
CVE-2021-24767 | 1 Fullworks | 1 Redirect 404 Error Page To Homepage Or Custom Page With Logs | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
The Redirect 404 Error Page to Homepage or Custom Page with Logs WordPress plugin before 1.7.9 does not check for CSRF when deleting logs, which could allow an attacker to make a logged in admin delete them via a CSRF attack |