Category Archives: Advisories

CVE-2021-24826

The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Please note that such an attack is still possible by admin+ users in single-site blogs by default (but won’t be when the unfiltered_html capability is disallowed).

CVE-2021-24952

The Conversios.io WordPress plugin before 4.6.2 does not sanitise, validate and escape the sync_progressive_data parameter for the tvcajax_product_sync_bantch_wise AJAX action before using it in a SQL statement, allowing any authenticated user to perform SQL injection attacks.

CVE-2021-24216

The All-in-One WP Migration WordPress plugin before 7.41 does not validate uploaded files’ extension, which allows administrators to upload PHP files on their site, even on multisite installations.

CVE-2021-24777

The view submission functionality in the Hotscot Contact Form WordPress plugin before 1.3 makes a GET request with the sub_id parameter, which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to an SQL injection.

CVE-2021-24778

The test parameter of the xmlfeed in the Tradetracker-Store WordPress plugin before 4.6.60 is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

CVE-2021-24810

The WP Event Manager WordPress plugin before 3.1.23 does not escape some of its Field Editor settings when outputting them, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.