Vulnerabilities
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-10-11 | CVE-2021-40541 | Cross-site Scripting vulnerability in PHP-Fusion PHPfusion 9.03.110 PHPFusion 9.03.110 is affected by cross-site scripting (XSS) in the preg patterns filter html tag without "//" in descript() function An authenticated user can trigger XSS by appending "//" in the end of text. | 4.3 |
| 2021-10-11 | CVE-2021-24545 | Cross-site Scripting vulnerability in WP Html Author BIO Project WP Html Author BIO The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visit a post in the frontend made by such user. | 3.5 |
| 2021-10-11 | CVE-2021-24546 | Code Injection vulnerability in Extendify Editorskit The Gutenberg Block Editor Toolkit – EditorsKit WordPress plugin before 1.31.6 does not sanitise and validate the Conditional Logic of the Custom Visibility settings, allowing users with a role as low contributor to execute Arbitrary PHP code | 6.5 |
| 2021-10-11 | CVE-2021-24563 | The Frontend Uploader WordPress plugin through 1.3.2 does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access the file directly network CWE-79 | 4.3 |
| 2021-10-11 | CVE-2021-24577 | Cross-site Scripting vulnerability in Wpdevart Coming Soon and Maintenance Mode The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not properly sanitize inputs submitted by authenticated users when setting adding or modifying coming soon or maintenance mode pages, leading to stored XSS. | 3.5 |
| 2021-10-11 | CVE-2021-24656 | Cross-site Scripting vulnerability in Wpbrigade Simple Social Buttons The Simple Social Media Share Buttons WordPress plugin before 3.2.4 does not escape the Share Title settings before outputting it in the frontend pages or posts (depending on the settings used), allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
| 2021-10-11 | CVE-2021-24681 | Cross-site Scripting vulnerability in Duplicatepro Duplicate Page The Duplicate Page WordPress plugin through 4.4.2 does not sanitise or escape the Duplicate Post Suffix settings before outputting it, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | 3.5 |
| 2021-10-11 | CVE-2021-24690 | Cross-site Scripting vulnerability in Kibokolabs Chained Quiz The Chained Quiz WordPress plugin before 1.2.7.2 does not properly sanitize or escape inputs in the plugin's settings. | 3.5 |
| 2021-10-11 | CVE-2021-24691 | Cross-site Scripting vulnerability in Expresstech Quiz and Survey Master The Quiz And Survey Master WordPress plugin before 7.3.2 does not escape the Quiz Url Slug setting before outputting it in some pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | 3.5 |
| 2021-10-11 | CVE-2021-24709 | Cross-site Scripting vulnerability in Awplife Weather Effect The Weather Effect WordPress plugin before 1.3.6 does not properly validate and escape some of its settings (like *_size_leaf, *_flakes_leaf, *_speed) which could lead to Stored Cross-Site Scripting issues | 3.5 |