Total: 18621 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24451 | 1 Export Users With Meta Project | 1 Export Users With Meta | 2024-11-21 | 7.2 High |
| The Export Users With Meta WordPress plugin before 0.6.5 did not escape the list of roles to export before using them in a SQL statement in the export functionality, available to admins, leading to an authenticated SQL Injection. | ||||
| CVE-2021-24442 | 1 Wpdevart | 1 Poll, Survey, Questionnaire And Voting System | 2024-11-21 | 9.8 Critical |
| The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks. | ||||
| CVE-2021-24404 | 1 Wp-board Project | 1 Wp-board | 2024-11-21 | 8.8 High |
| The options.php file of the WP-Board WordPress plugin through 1.1 beta accepts a postid parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. This is a time-based SQLi; in the same function the vulnerable parameter is passed twice, so if a 5-second delay is passed it takes 10 seconds to return, since the query ran twice. | ||||
| CVE-2021-24403 | 1 Wpagecontact Project | 1 Wpagecontact | 2024-11-21 | 7.2 High |
| The Orders functionality in the WordPress Page Contact plugin through 1.0 has an order_id parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors. | ||||
| CVE-2021-24402 | 1 Solvercircle | 1 Wp Icommerce | 2024-11-21 | 7.2 High |
| The Orders functionality in the WP iCommerce WordPress plugin through 1.1.1 has an `order_id` parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors. | ||||
| CVE-2021-24401 | 1 Wp-domain-redirect Project | 1 Wp-domain-redirect | 2024-11-21 | 7.2 High |
| The Edit domain functionality in the WP Domain Redirect WordPress plugin through 1.0 has an `editid` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24400 | 1 Wp-display-users Project | 1 Wp-display-users | 2024-11-21 | 7.2 High |
| The Edit Role functionality in the Display Users WordPress plugin through 2.0.0 had an `id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24399 | 1 Ombu | 1 The Sorter | 2024-11-21 | 7.2 High |
| The check_order function of The Sorter WordPress plugin through 1.0 uses an `area_id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24398 | 1 Webpsilon | 1 Responsive 3d Slider | 2024-11-21 | 7.2 High |
| The Add new scene functionality in the Responsive 3D Slider WordPress plugin through 1.2 uses an id parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. This is a time-based SQLi; in the same function the vulnerable parameter is passed twice, so if a 5-second delay is passed it takes 10 seconds to return, since the query is run twice. | ||||
| CVE-2021-24397 | 1 Activemedia | 1 Microcopy | 2024-11-21 | 7.2 High |
| The edit functionality in the MicroCopy WordPress plugin through 1.1.0 makes a get request to fetch the related option. The id parameter used is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24396 | 1 Bestiaweb | 1 Gseor | 2024-11-21 | 7.2 High |
| A pageid GET parameter of the GSEOR – WordPress SEO Plugin WordPress plugin through 1.3 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24395 | 1 Geekwebsolution | 1 Embed Youtube Video | 2024-11-21 | 7.2 High |
| The editid GET parameter of the Embed Youtube Video WordPress plugin through 1.0 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24394 | 1 Easy Testimonial Manager Project | 1 Easy Testimonial Manager | 2024-11-21 | 7.2 High |
| An id GET parameter of the Easy Testimonial Manager WordPress plugin through 1.2.0 is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24393 | 1 Comment Highlighter Project | 1 Comment Highlighter | 2024-11-21 | 7.2 High |
| A c GET parameter of the Comment Highlighter WordPress plugin through 0.13 is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24392 | 1 Swiftcrm | 1 Club-management-software | 2024-11-21 | 7.2 High |
| An id GET parameter of the WordPress Membership SwiftCloud.io WordPress plugin through 1.0 is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24391 | 1 Cashtomer Project | 1 Cashtomer | 2024-11-21 | 8.8 High |
| An editid GET parameter of the Cashtomer WordPress plugin through 1.0.0 is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | ||||
| CVE-2021-24390 | 1 Alipay Project | 1 Alipay | 2024-11-21 | 7.2 High |
| A proid GET parameter of the WordPress支付宝Alipay\|财付通Tenpay\|贝宝PayPal集成插件 WordPress plugin through 3.7.2 is not sanitised, properly escaped or validated before inserting to a SQL statement not delimited by quotes, leading to SQL injection. | ||||
| CVE-2021-24385 | 1 Ninjateam | 1 Filebird | 2024-11-21 | 9.8 Critical |
| The Filebird Plugin 4.7.3 introduced a SQL injection vulnerability as it is making SQL queries without escaping user input data from an HTTP POST request. This is a major vulnerability as the user input is not escaped and is passed directly to the get_col function, allowing SQL injection. The REST API endpoint which invokes this function also does not have any required permissions/authentication and can be accessed by an anonymous user. | ||||
| CVE-2021-24361 | 1 Ayecode | 1 Location Manager | 2024-11-21 | 9.8 Critical |
| In the Location Manager WordPress plugin before 2.1.0.10, the AJAX action gd_popular_location_list did not properly sanitise or validate some of its POST parameters, which are then used in a SQL statement, leading to unauthenticated SQL Injection issues. | ||||
| CVE-2021-24360 | 1 Kohsei-works | 1 Yes/no Chart | 2024-11-21 | 6.5 Medium |
| The Yes/No Chart WordPress plugin before 1.0.12 did not sanitise its sid shortcode parameter before using it in a SQL statement, allowing medium privilege users (contributor+) to perform Blind SQL Injection attacks. | ||||