CVE-2021-24977
The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users…
The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users…
The Yoast SEO WordPress plugin before 17.3 discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help…
The StatCounter WordPress plugin before 2.0.7 does not sanitise and escape the Project ID and Secure Code settings, which could allow high privilege users to…
The Post Snippets WordPress plugin before 3.1.4 does not have CSRF check when importing files, allowing attacker to make a logged In admin import arbitrary…
The Logo Showcase with Slick Slider WordPress plugin before 2.0.1 does not have CSRF check in the lswss_save_attachment_data AJAX action, allowing attackers to make a…
The Dynamic Widgets WordPress plugin through 1.5.16 does not escape the prefix parameter before outputting it back in an attribute when using the term_tree AJAX…
The WP Responsive Menu WordPress plugin before 3.1.7.1 does not have capability and CSRF checks in the wpr_live_update AJAX action, as well as do not…
The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF in most of its AJAX actions, which…
The WHMCS Bridge WordPress plugin before 6.4b does not sanitise and escape the error parameter before outputting it back in admin dashboard, leading to a…
The 15Zine WordPress theme before 3.3.0 does not sanitise and escape the cbi parameter before outputing it back in the response via the cb_s_a AJAX…