Security Vulnerabilities - CVEs Published In October 2021
The Compact WP Audio Player WordPress plugin before 1.9.7 does not implement nonce checks, which could allow attackers to make a logged in admin change the "Disable Simultaneous Play" setting via a CSRF attack.
CVSS Score
6.5
EPSS Score
0.001
Published
2021-10-18
The Easy Download Manager and File Sharing Plugin with frontend file upload – a better Media Library — Shared Files WordPress plugin before 1.6.57 does not sanitise and escape some of its settings before outputting them in attributes, which could lead to Stored Cross-Site Scripting issues.
CVSS Score
4.8
EPSS Score
0.002
Published
2021-10-18
The Tutor LMS WordPress plugin before 1.9.9 does not escape some of its settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVSS Score
4.8
EPSS Score
0.002
Published
2021-10-18
The Podcast Subscribe Buttons WordPress plugin before 1.4.2 allows users with any role capable of editing or adding posts to perform stored XSS.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-10-18
The Html5 Audio Player – Audio Player for WordPress plugin before 2.1.3 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode
CVSS Score
5.4
EPSS Score
0.002
Published
2021-10-18
The Easy Twitter Feed WordPress plugin before 1.2 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode
CVSS Score
5.4
EPSS Score
0.002
Published
2021-10-18
The Polo Video Gallery – Best wordpress video gallery plugin WordPress plugin through 1.2 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode
CVSS Score
5.4
EPSS Score
0.002
Published
2021-10-18
The StreamCast – Radio Player for WordPress plugin before 2.1.1 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode
CVSS Score
5.4
EPSS Score
0.002
Published
2021-10-18
A link preview rendering issue in Rocket.Chat versions before 3.9 could lead to potential XSS attacks.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-10-18
An exploitable use-after-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause an object containing the path to a document to be destroyed and then later reused, resulting in a use-after-free vulnerability, which can lead to code execution under the context of the application. An attacker can convince a user to open a document to trigger this vulnerability.
CVSS Score
8.8
EPSS Score
0.755
Published
2021-10-18