Security Vulnerabilities - CVEs Published In 2021
The WP Google Fonts WordPress plugin before 3.1.5 does not escape the googlefont_ajax_name and googlefont_ajax_family parameters of the googlefont_action AJAX action (available to any authenticated user) before outputting them in attributes, leading to Reflected Cross-Site Scripting issues.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2021-12-06
The WOOCS WordPress plugin before 1.3.7.1 does not sanitise and escape the key parameter of the woocs_update_profiles_data AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.
CVSS Score: 6.1 | EPSS Score: 0.003 | Published: 2021-12-06
The LoginWP (formerly Peter's Login Redirect) WordPress plugin before 3.0.0.5 does not sanitise and escape the rul_login_url and rul_logout_url parameters before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issue.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2021-12-06
The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.
CVSS Score: 9.8 | EPSS Score: 0.554 | Published: 2021-12-06
The Photo Gallery by 10Web WordPress plugin before 1.5.68 is vulnerable to Reflected Cross-Site Scripting (XSS) issues via the bwg_album_breadcrumb_0 and shortcode_id GET parameters passed to the bwg_frontend_data AJAX action.
CVSS Score: 6.1 | EPSS Score: 0.001 | Published: 2021-12-06
The Import any XML or CSV File to WordPress plugin before 3.6.3 does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could allow high privilege users to perform Cross-Site attacks even when the unfiltered_html capability is disallowed.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2021-12-06
The Contact Form, Survey & Popup Form Plugin for WordPress plugin before 1.5 does not properly sanitize some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2021-12-06
The PDF.js Viewer WordPress plugin before 2.0.2 does not escape some of its shortcode and Gutenberg Block attributes, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2021-12-06
In Canon LBP223 printers, the System Manager Mode login does not require an account password or PIN. An attacker can remotely shut down the device after entering the background, creating a denial of service vulnerability.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2021-12-06
VINGA WR-N300U 77.102.1.4853 is affected by a command execution vulnerability in the goahead component.
CVSS Score: 8.8 | EPSS Score: 0.094 | Published: 2021-12-06
Shodan ® - All rights reserved