Vulnerabilities
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2021-03-18 | CVE-2021-24137 | SQL Injection vulnerability in Adenion Blog2Social | Unvalidated input in the Blog2Social WordPress plugin, versions before 6.3.1, leads to SQL Injection in the Re-Share Posts feature, allowing authenticated users to inject arbitrary SQL commands. | 6.5 |
2021-03-18 | CVE-2021-24136 | Cross-site Scripting vulnerability in Axelerant Testimonials Widget | Unvalidated input and lack of output encoding in the Testimonials Widget WordPress plugin, versions before 4.0.0, lead to multiple Cross-Site Scripting vulnerabilities, allowing remote attackers to inject arbitrary JavaScript code or HTML via the following parameters: Author, Job Title, Location, Company, Email, URL. | 3.5 |
2021-03-18 | CVE-2021-24135 | Cross-site Scripting vulnerability in Gowebsolutions WP Customer Reviews | Unvalidated input and lack of output encoding in the WP Customer Reviews WordPress plugin, versions before 3.4.3, lead to multiple Stored Cross-Site Scripting vulnerabilities, allowing remote attackers to inject arbitrary JavaScript code or HTML. | 4.3 |
2021-03-18 | CVE-2021-24134 | Cross-site Scripting vulnerability in Constantcontact Constant Contact Forms | Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed a high-privileged user (Editor+) to inject arbitrary JavaScript code or HTML in posts where the malicious form is embedded. | 3.5 |
2021-03-18 | CVE-2021-24133 | Cross-Site Request Forgery (CSRF) vulnerability in Activecampaign | Lack of CSRF checks on the Settings form of the ActiveCampaign WordPress plugin, versions before 8.0.2, could allow an attacker to make a logged-in administrator change the API credentials to the attacker's account. | 4.3 |
2021-03-18 | CVE-2021-24132 | SQL Injection vulnerability in 10Web Slider | The Slider by 10Web WordPress plugin, versions before 1.2.36, was vulnerable in its bulk_action, export_full and save_slider_db functionalities, allowing a high-privileged user (Admin), or a medium-privileged one such as Contributor+ (if "Role Options" is turned on for other users), to perform SQL Injection attacks. | 6.5 |
2021-03-18 | CVE-2021-24131 | SQL Injection vulnerability in Cleantalk Anti-Spam | Unvalidated input in the Anti-Spam by CleanTalk WordPress plugin, versions before 5.149, leads to multiple authenticated SQL injection vulnerabilities; however, exploitation requires a high-privilege user (admin+). | 6.5 |
2021-03-18 | CVE-2021-24130 | SQL Injection vulnerability in Flippercode WP Google MAP | Unvalidated input in the Manage Locations page within the settings of the WP Google Map Plugin WordPress plugin, versions before 4.1.5, made it vulnerable to SQL Injection by a high-privileged user (admin+). | 6.5 |
2021-03-18 | CVE-2021-24129 | Cross-site Scripting vulnerability in Themify Portfolio Post | Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities, allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom Panel is embedded, which could lead to privilege escalation. | 3.5 |
2021-03-18 | CVE-2021-24128 | Cross-site Scripting vulnerability in Wpdarko Team Members | Unvalidated input and lack of output encoding in the Team Members WordPress plugin, versions before 5.0.4, lead to Cross-site Scripting vulnerabilities, allowing a medium-privileged authenticated attacker (Contributor+) to inject arbitrary web script or HTML via the 'Description/biography' field of a member. | 3.5 |