Vulnerabilities
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-03-18 | CVE-2021-27306 | Use of Incorrectly-Resolved Name or Reference vulnerability in Konghq Kong Gateway An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 allows unauthenticated users access to authenticated routes without a valid token JWT. | 7.5 |
2021-03-18 | CVE-2021-26935 | SQL Injection vulnerability in Wowonder In WoWonder < 3.1, remote attackers can gain access to the database by exploiting a requests.php?f=search-my-followers SQL Injection vulnerability via the event_id parameter. | 5.0 |
2021-03-18 | CVE-2021-24149 | SQL Injection vulnerability in Webnus Modern Events Calendar Lite Unvalidated input in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.6, did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an author+, leading to an authenticated SQL Injection issue. | 6.5 |
2021-03-18 | CVE-2021-24148 | Improper Authentication vulnerability in Inspireui Mstore API A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cookie with only an email address. | 10.0 |
2021-03-18 | CVE-2021-24147 | Cross-site Scripting vulnerability in Webnus Modern Events Calendar Lite Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event. | 3.5 |
2021-03-18 | CVE-2021-24146 | Missing Authorization vulnerability in Webnus Modern Events Calendar Lite Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example. | 5.0 |
2021-03-18 | CVE-2021-24145 | Unrestricted Upload of File with Dangerous Type vulnerability in Webnus Modern Events Calendar Lite Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request. | 6.5 |
2021-03-18 | CVE-2021-24144 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Ciphercoin Contact Form 7 Database Addon Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files. | 7.8 |
2021-03-18 | CVE-2021-24143 | SQL Injection vulnerability in Accesspressthemes Accesspress Social Icons Unvalidated input in the AccessPress Social Icons plugin, versions before 1.8.1, did not sanitise its widget attribute, allowing accounts with post permission, such as author, to perform SQL injections. | 6.5 |
2021-03-18 | CVE-2021-24142 | SQL Injection vulnerability in Webfactoryltd 301 Redirects Unvaludated input in the 301 Redirects - Easy Redirect Manager WordPress plugin, versions before 2.51, did not sanitise its "Redirect From" column when importing a CSV file, allowing high privilege users to perform SQL injections. | 7.2 |