Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-24533

Summary
Assigner-WPScan
Assigner Org ID-1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At-23 Aug, 2021 | 11:10
Updated At-03 Aug, 2024 | 19:35
Rejected At-
Credits

Maintenance < 4.03 - Authenticated Stored XSS

The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in them (even when the unfiltered_html capability is disallowed), which will be triggered in the frontend

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:WPScan
Assigner Org ID:1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81
Published At:23 Aug, 2021 | 11:10
Updated At:03 Aug, 2024 | 19:35
Rejected At:
▼CVE Numbering Authority (CNA)
Maintenance < 4.03 - Authenticated Stored XSS

The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in them (even when the unfiltered_html capability is disallowed), which will be triggered in the frontend

Affected Products
Vendor
Unknown
Product
Maintenance
Versions
Affected
  • From 4.03 before 4.03 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Cross-site Scripting (XSS)
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Cross-site Scripting (XSS)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Emil kylander
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wpscan.com/vulnerability/174b2119-b806-4da4-a23d-c19b552c86cb
x_refsource_MISC
Hyperlink: https://wpscan.com/vulnerability/174b2119-b806-4da4-a23d-c19b552c86cb
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://wpscan.com/vulnerability/174b2119-b806-4da4-a23d-c19b552c86cb
x_refsource_MISC
x_transferred
Hyperlink: https://wpscan.com/vulnerability/174b2119-b806-4da4-a23d-c19b552c86cb
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:contact@wpscan.com
Published At:23 Aug, 2021 | 12:15
Updated At:26 Aug, 2021 | 18:50

The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in them (even when the unfiltered_html capability is disallowed), which will be triggered in the frontend

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Primary2.03.5LOW
AV:N/AC:M/Au:S/C:N/I:P/A:N
Type: Primary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Type: Primary
Version: 2.0
Base score: 3.5
Base severity: LOW
Vector:
AV:N/AC:M/Au:S/C:N/I:P/A:N
CPE Matches
webfactoryltd
webfactoryltd
>>maintenance>>Versions before 4.03(exclusive)
cpe:2.3:a:webfactoryltd:maintenance:*:*:*:*:*:wordpress:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE-79Secondarycontact@wpscan.com
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-79
Type: Secondary
Source: contact@wpscan.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://wpscan.com/vulnerability/174b2119-b806-4da4-a23d-c19b552c86cbcontact@wpscan.com
Exploit
Third Party Advisory
Hyperlink: https://wpscan.com/vulnerability/174b2119-b806-4da4-a23d-c19b552c86cb
Source: contact@wpscan.com
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

8714Records found
CVE-2021-24760
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-18 Oct, 2021 | 13:46
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gutenberg PDF Viewer Block < 1.0.1 - Contributor+ Stored Cross-Site Scripting

The Gutenberg PDF Viewer Block WordPress plugin before 1.0.1 does not sanitise and escape its block, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

Action-Not Available
Vendor-pdf_viewer_block_for_gutenberg_projectUnknown
Product-pdf_viewer_block_for_gutenbergGutenberg PDF Viewer Block
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24658
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-23 Aug, 2021 | 11:10
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Erident Custom Login and Dashboard < 3.5.9 - Authenticated Stored Cross-Site Scripting (XSS)

The Erident Custom Login and Dashboard WordPress plugin before 3.5.9 did not properly sanitise its settings, allowing high privilege users to use XSS payloads in them (even when the unfileted_html is disabled)

Action-Not Available
Vendor-erident_custom_login_and_dashboard_projectLibin V Babu
Product-erident_custom_login_and_dashboardErident Custom Login and Dashboard
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25105
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.22% / 45.11%
||
7 Day CHG~0.00%
Published-07 Feb, 2022 | 15:47
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ivory Search < 5.4.1 - Multiple Admin+ Stored Cross-Site Scripting

The Ivory Search WordPress plugin before 5.4.1 does not escape some of the Form settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-ivorysearchUnknown
Product-ivory_searchIvory Search – WordPress Search Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25048
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.32% / 55.34%
||
7 Day CHG~0.00%
Published-04 Apr, 2022 | 15:35
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
KingComposer <= 2.9.6 - Subscriber+ Stored Cross-Site Scripting

The KingComposer WordPress plugin through 2.9.6 does not have authorisation, CSRF and sanitisation/escaping when creating profile, allowing any authenticated users to create arbitrary ones, with Cross-Site Scripting payloads in them

Action-Not Available
Vendor-king-themeUnknown
Product-kingcomposerPage Builder: KingComposer – Free Drag and Drop page builder by King-Theme
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24478
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.37% / 58.83%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 10:32
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bookshelf <= 2.0.4 - Authenticated Stored Cross-Site Scripting (XSS)

The Bookshelf WordPress plugin through 2.0.4 does not sanitise or escape its "Paypal email address" setting before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue

Action-Not Available
Vendor-bookshelf_projectUnknown
Product-bookshelfBookshelf
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24690
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 10:45
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chained Quiz < 1.2.7.2 - Authenticated Stored Cross Site Scripting

The Chained Quiz WordPress plugin before 1.2.7.2 does not properly sanitize or escape inputs in the plugin's settings.

Action-Not Available
Vendor-kibokolabsUnknown
Product-chained_quizChained Quiz
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24713
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-23 Nov, 2021 | 19:16
Updated-23 Jan, 2026 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Video Lessons Manager - Admin+ Stored Cross-Site Scripting

The Video Lessons Manager WordPress plugin before 1.7.2 and Video Lessons Manager Pro WordPress plugin before 3.5.9 do not properly sanitize and escape values when updating their settings, which could allow high privilege users to perform Cross-Site Scripting attacks

Action-Not Available
Vendor-cmindsTODO
Product-video_lessons_manager_provideo_lessons_managerVideo Lessons Manager – Best Video Course LMSVideo Lessons Manager Pro – Best Video Course LMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24904
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-3.03% / 86.81%
||
7 Day CHG~0.00%
Published-14 Feb, 2022 | 09:20
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mortgage Calculators WP < 1.56 - Admin+ Stored Cross-Site Scripting

The Mortgage Calculators WP WordPress plugin before 1.56 does not implement any sanitisation on the color setting of the background of a calculator, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-lenderdUnknown
Product-mortgage_calculators_wpMortgage Calculators WP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24716
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-01 Nov, 2021 | 08:46
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Modern Events Calendar Lite < 5.22.3 - Authenticated Stored Cross Site Scripting

The Modern Events Calendar Lite WordPress plugin before 5.22.3 does not properly sanitize or escape values set by users with access to adjust settings withing wp-admin.

Action-Not Available
Vendor-webnusUnknown
Product-modern_events_calendar_liteModern Events Calendar Lite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24561
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.36% / 58.07%
||
7 Day CHG~0.00%
Published-23 Aug, 2021 | 11:10
Updated-17 Dec, 2024 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP SMS < 5.4.13 - Authenticated Stored Cross-Site Scripting

The WP SMS WordPress plugin before 5.4.13 does not sanitise the "wp_group_name" parameter before outputting it back in the "Groups" page, leading to an Authenticated Stored Cross-Site Scripting issue

Action-Not Available
Vendor-veronalabsUnknown
Product-wp_smsWP SMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24681
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.13% / 31.37%
||
7 Day CHG-0.17%
Published-11 Oct, 2021 | 10:45
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Duplicate Page <= 4.4.2 - Admin+ Stored Cross-Site Scripting

The Duplicate Page WordPress plugin through 4.4.2 does not sanitise or escape the Duplicate Post Suffix settings before outputting it, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-duplicateproUnknown
Product-duplicate_pageDuplicate Page
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24523
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.37% / 58.83%
||
7 Day CHG~0.00%
Published-13 Sep, 2021 | 17:56
Updated-04 Oct, 2024 | 12:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Daily Prayer Time < 2021.08.10 - Authenticated Stored XSS

The Daily Prayer Time WordPress plugin before 2021.08.10 does not sanitise or escape some of its settings before outputting them in the page, leading to Authenticated Stored Cross-Site Scripting issues.

Action-Not Available
Vendor-mmrs151Unknown
Product-daily_prayer_timeDaily Prayer Time
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24686
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-01 Feb, 2022 | 12:21
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SVG Support < 2.3.20 - Admin+ Stored Cross-Site Scripting

The SVG Support WordPress plugin before 2.3.20 does not escape the "CSS Class to target" setting before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-benbodhin/a
Product-svg_supportn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24812
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-23 Nov, 2021 | 19:16
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BetterLinks < 1.2.6 - Admin+ Stored Cross-Site Scripting

The BetterLinks WordPress plugin before 1.2.6 does not sanitise and escape some of imported link fields, which could lead to Stored Cross-Site Scripting issues when an admin import a malicious CSV.

Action-Not Available
Vendor-UnknownWPDeveloper
Product-betterlinksBetterLinks – Shorten, Track and Manage any URL
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24813
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-01 Nov, 2021 | 08:46
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Events Made Easy < 2.2.24 - Admin+ Stored Cross-Site Scripting

The Events Made Easy WordPress plugin before 2.2.24 does not sanitise and escape Custom Field Names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Action-Not Available
Vendor-e-dynamicsUnknown
Product-events_made_easyEvents Made Easy
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24737
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 10:45
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Comments - wpDiscuz <= 7.3.0 - Admin+ Stored Cross-Site Scripting

The Comments – wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-gvectorsUnknown
Product-wpdiscuzComments – wpDiscuz
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24720
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.51% / 66.79%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 10:45
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GeoDirectory < 2.1.1.3 - Authenticated Stored Cross-Site Scripting (XSS)

The GeoDirectory Business Directory WordPress plugin before 2.1.1.3 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS).

Action-Not Available
Vendor-ayecodeUnknown
Product-geodirectoryBusiness Directory Plugin | GeoDirectory
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24822
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 40.38%
||
7 Day CHG+0.04%
Published-29 Nov, 2021 | 08:25
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stylish Cost Calculator < 7.04 - Subscriber+ Unauthorised AJAX Calls to Stored XSS

The Stylish Cost Calculator WordPress plugin before 7.0.4 does not have any authorisation and CSRF checks on some of its AJAX actions (available to authenticated users), which could allow any authenticated users, such as subscriber to call them, and perform Stored Cross-Site Scripting attacks against logged in admin, as well as frontend users due to the lack of sanitisation and escaping in some parameters

Action-Not Available
Vendor-stylishcostcalculatorUnknown
Product-stylish_cost_calculatorStylish Cost Calculator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-24671
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-27 Sep, 2021 | 15:25
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MX Time Zone Clocks < 3.4.1 - Contributor+ Cross-Site Scripting

The MX Time Zone Clocks WordPress plugin before 3.4.1 does not escape the time_zone attribute of the mxmtzc_time_zone_clocks shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

Action-Not Available
Vendor-mx_time_zone_clocks_projectUnknown
Product-mx_time_zone_clocksMX Time Zone Clocks
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-20479
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.12% / 31.11%
||
7 Day CHG~0.00%
Published-07 Aug, 2024 | 16:43
Updated-23 Aug, 2024 | 15:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have Admin privileges on an affected device.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-identity_services_engineCisco Identity Services Engine Software
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24576
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 10:45
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy Accordion < 2.0.22 - Authenticated Stored XSS

The Easy Accordion WordPress plugin before 2.0.22 does not properly sanitize inputs when adding new items to an accordion.

Action-Not Available
Vendor-techeartyUnknown
Product-easy_accordionEasy Accordion – Best Accordion FAQ Plugin for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24702
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-18 Oct, 2021 | 13:46
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LearnPress < 4.1.3.1 - Multiple Admin+ Stored Cross-Site Scripting

The LearnPress WordPress plugin before 4.1.3.1 does not properly sanitize or escape various inputs within course settings, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltred_html capability is disallowed

Action-Not Available
Vendor-UnknownThimPress (PhysCode)
Product-learnpressLearnPress – WordPress LMS Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24530
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-20 Sep, 2021 | 10:06
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Alojapro Widget <= 1.1.15 - Authenticated Stored Cross-Site Scripting (XSS)

The Alojapro Widget WordPress plugin through 1.1.15 doesn't properly sanitise its Custom CSS settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Action-Not Available
Vendor-alojaproUnknown
Product-alojapro_widgetAlojapro Widget
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24699
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-25 Oct, 2021 | 13:20
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy Media Download < 1.1.7 - Contributor+ Stored Cross-Site Scripting

The Easy Media Download WordPress plugin before 1.1.7 does not escape the text argument of its shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.

Action-Not Available
Vendor-easy_media_download_projectUnknown
Product-easy_media_downloadEasy Media Download
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24811
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-29 Nov, 2021 | 08:25
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Shop Page WP < 1.2.8 - Admin+ Stored Cross-Site Scripting

The Shop Page WP WordPress plugin before 1.2.8 does not sanitise and escape some of the Product fields, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-shoppagewpUnknown
Product-shop_page_wpShop Page WP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24587
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.37% / 58.83%
||
7 Day CHG~0.00%
Published-20 Sep, 2021 | 10:06
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Splash Header < 1.20.8 - Authenticated Stored Cross-Site Scripting (XSS)

The Splash Header WordPress plugin before 1.20.8 doesn't sanitise and escape some of its settings while outputting them in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue.

Action-Not Available
Vendor-zeeswebUnknown
Product-splash_headerSplash Header
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25067
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-8.06% / 92.21%
||
7 Day CHG~0.00%
Published-17 Jan, 2022 | 13:00
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Landing Page Builder < 1.4.9.6 - Authenticated Reflected Cross-Site Scripting (XSS)

The Landing Page Builder WordPress plugin before 1.4.9.6 was affected by a reflected XSS in page-builder-add on the ulpb_post admin page.

Action-Not Available
Vendor-pluginopsUnknown
Product-landing_pageLanding Page Builder – Lead Page – Optin Page – Squeeze Page – WordPress Landing Pages
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24526
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.37% / 58.83%
||
7 Day CHG~0.00%
Published-16 Aug, 2021 | 10:48
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Form Maker < 1.13.60 - Authenticated Stored XSS

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue

Action-Not Available
Vendor-Unknown10Web (TenWeb, Inc.)
Product-form_makerForm Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24903
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-28 Feb, 2022 | 09:06
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GRAND FlaGallery <= 6.1.2 - Admin+ Stored Cross-Site Scripting

The GRAND FlaGallery WordPress plugin through 6.1.2 does not sanitise and escape some of its gallery settings, which could allow high privilege users to perform Cross-Site scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-codeasilyUnknown
Product-grand_flagalleryAlbum and Image Gallery with Lightbox – Flagallery Photo Portfolio
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24516
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.42% / 62.11%
||
7 Day CHG~0.00%
Published-18 Oct, 2021 | 13:45
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PlanSo Forms <= 2.6.3 - Authenticated Stored Cross-Site Scripting

The PlanSo Forms WordPress plugin through 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfiltered_html is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue.

Action-Not Available
Vendor-plansoUnknown
Product-planso_formsPlanSo Forms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24547
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.37% / 58.83%
||
7 Day CHG~0.00%
Published-23 Aug, 2021 | 11:10
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
KN Fix Your Title <= 1.0.1 - Authenticated Stored XSS

The KN Fix Your Title WordPress plugin through 1.0.1 was vulnerable to Authenticated Stored XSS in the separator field.

Action-Not Available
Vendor-kn_fix_your_title_projectUnknown
Product-kn_fix_your_titleKN Fix Your Title
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24571
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-23 Aug, 2021 | 11:10
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HD Quiz < 1.8.4 - Authenticated Stored XSS

The HD Quiz WordPress plugin before 1.8.4 does not escape some of its Answers before outputting them in attribute when generating the Quiz, which could lead to Stored Cross-Site Scripting issues

Action-Not Available
Vendor-harmonicdesignUnknown
Product-hd_quizHD Quiz
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24665
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-30 Aug, 2021 | 14:11
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Video Lightbox < 1.9.3 - Contributor+ Stored Cross-Site Scripting

The WP Video Lightbox WordPress plugin before 1.9.3 does not escape the attributes of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks

Action-Not Available
Vendor-UnknownTips and Tricks HQ
Product-wp_video_lightboxWP Video Lightbox
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24992
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-27 Dec, 2021 | 10:33
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Buttonizer - Smart Floating Action Button < 2.5.5 - Admin+ Stored Cross-Site Scripting

The Smart Floating / Sticky Buttons WordPress plugin before 2.5.5 does not sanitise and escape some parameter before outputting them in attributes and page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-buttonizerUnknown
Product-buttonizerSmart Floating / Sticky Buttons – Call, Sharing, Chat Widgets & More – Buttonizer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24817
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-13 Dec, 2021 | 10:40
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ultimate NoFollow <= 1.4.8 - Contributor+ Stored Cross-Site Scripting

The Ultimate NoFollow WordPress plugin through 1.4.8 does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks

Action-Not Available
Vendor-ultimate_nofollow_projectUnknown
Product-ultimate_nofollowUltimate Nofollow
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24637
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 41.39%
||
7 Day CHG~0.00%
Published-20 Sep, 2021 | 10:06
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fonts Plugin < 3.0.3 - Contributor+ Stored Cross-Site Scripting

The Google Fonts Typography WordPress plugin before 3.0.3 does not escape and sanitise some of its block settings, allowing users with as role as low as Contributor to perform Stored Cross-Site Scripting attacks via blockType (combined with content), align, color, variant and fontID argument of a Gutenberg block.

Action-Not Available
Vendor-fontspluginUnknown
Product-fontsFonts Plugin | Google Fonts Typography
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24810
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-07 Mar, 2022 | 08:16
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Event Manager < 3.1.23 - Admin+ Stored Cross-Site Scripting

The WP Event Manager WordPress plugin before 3.1.23 does not escape some of its Field Editor settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Action-Not Available
Vendor-wp-eventmanagerUnknown
Product-wp_event_managerWP Event Manager – Easily Build your Calendar of Events!
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24712
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.25% / 47.93%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 10:45
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Appointment Hour Booking – WordPress Booking Plugin < 1.3.17 - Authenticated Stored XSS

The Appointment Hour Booking WordPress plugin before 1.3.17 does not properly sanitize values used when creating new calendars.

Action-Not Available
Vendor-UnknownCodePeople
Product-appointment_hour_bookingAppointment Hour Booking – WordPress Booking Plugin
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24899
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-29 Nov, 2021 | 08:25
Updated-03 Aug, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Media-Tags <= 3.2.0.2 - Admin+ Stored Cross-Site Scripting

The Media-Tags WordPress plugin through 3.2.0.2 does not sanitise and escape any of its Labels settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_htnl capability is disallowed.

Action-Not Available
Vendor-media-tags_projectUnknown
Product-media-tagsMedia Tags
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24793
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-01 Nov, 2021 | 08:46
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPeMatico RSS Feed Fetcher < 2.6.12 - Admin+ Stored Cross-Site Scripting

The WPeMatico RSS Feed Fetcher WordPress plugin before 2.6.12 does not escape the Feed URL added to a campaign before outputting it in an attribute, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-etruelUnknown
Product-wpematico_rss_feed_fetcherWPeMatico RSS Feed Fetcher
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24577
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.37% / 58.83%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 10:45
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Coming Soon and Maintenance Mode < 3.5.3 - Authenticated Stored XSS

The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not properly sanitize inputs submitted by authenticated users when setting adding or modifying coming soon or maintenance mode pages, leading to stored XSS.

Action-Not Available
Vendor-UnknownWpDevArt
Product-coming_soon_and_maintenance_modeComing soon and Maintenance mode
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24608
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-25 Oct, 2021 | 13:20
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Formidable Form Builder < 5.0.07 - Admin+ Stored Cross-Site Scripting

The Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form's Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Action-Not Available
Vendor-UnknownStrategy11
Product-formidable_form_builderFormidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24828
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.22%
||
7 Day CHG~0.00%
Published-03 Jan, 2022 | 12:49
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mortgage Calculator / Loan Calculator < 1.5.17 - Contributor+ Stored Cross-Site Scripting

The Mortgage Calculator / Loan Calculator WordPress plugin before 1.5.17 does not escape the some of the attributes of its mlcalc shortcode before outputting them, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks

Action-Not Available
Vendor-mlcalcUnknown
Product-mortgage_calculator\/loan_calculatorMortgage Calculator / Loan Calculator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24785
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-25 Oct, 2021 | 13:20
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Great Quotes <= 1.0.0 - Admin+ Stored Cross-Site Scripting

The Great Quotes WordPress plugin through 1.0.0 does not sanitise and escape the Quote and Author fields of its Quotes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.

Action-Not Available
Vendor-great-quotes_projectUnknown
Product-great-quotesGreat Quotes
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-24344
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.01% / 0.29%
||
7 Day CHG~0.00%
Published-25 Feb, 2022 | 14:35
Updated-03 Aug, 2024 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-youtrackn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24594
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-08 Nov, 2021 | 17:34
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Translate WordPress - Google Language Translator < 6.0.12 - Admin+ Stored Cross-Site Scripting

The Translate WordPress – Google Language Translator WordPress plugin before 6.0.12 does not sanitise and escape some of its settings before outputting it in various pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-gtranslateUnknown
Product-google_language_translatorTranslate WordPress – Google Language Translator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24622
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.22% / 45.11%
||
7 Day CHG~0.00%
Published-18 Oct, 2021 | 13:45
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Ticket < 5.10.4 - Admin+ Stored Cross-Site Scripting

The Customer Service Software & Support Ticket System WordPress plugin before 5.10.4 does not sanitize or escape form fields before outputting it in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Action-Not Available
Vendor-emarketdesignUnknown
Product-customer_service_software_\&_support_ticket_systemCustomer Service Software & Support Ticket System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24773
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.21% / 42.72%
||
7 Day CHG~0.00%
Published-01 Nov, 2021 | 08:46
Updated-21 Mar, 2025 | 16:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Download Manager < 3.2.16 - Admin+ Stored Cross-Site Scripting

The WordPress Download Manager WordPress plugin before 3.2.16 does not escape some of the Download settings when outputting them, allowing high privilege users to perform XSS attacks even when the unfiltered_html capability is disallowed

Action-Not Available
Vendor-UnknownW3 Eden, Inc.WordPress Download Manager Pro
Product-download_managerWordPress Download Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24830
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.8||MEDIUM
EPSS-0.28% / 51.62%
||
7 Day CHG~0.00%
Published-23 Nov, 2021 | 19:16
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advanced Access Manager < 6.8.0 - Admin+ Stored Cross-Site Scripting

The Advanced Access Manager WordPress plugin before 6.8.0 does not escape some of its settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

Action-Not Available
Vendor-vasyltechUnknown
Product-advanced_access_managerAdvanced Access Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24476
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.37% / 58.83%
||
7 Day CHG~0.00%
Published-02 Aug, 2021 | 10:32
Updated-03 Aug, 2024 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Steam Group Viewer <= 2.1 - Authenticated Stored Cross-Site Scripting (XSS)

The Steam Group Viewer WordPress plugin through 2.1 does not sanitise or escape its "Steam Group Address" settings before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue

Action-Not Available
Vendor-steam_group_viewer_projectUnknown
Product-steam_group_viewerSteam Group Viewer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 174
  • 175
  • Next
Details not found