Filtered by vendor Tipsandtricks-hq
Subscribe
Total
43 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-24560 | 1 Tipsandtricks-hq | 1 Software License Manager | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
The Software License Manager WordPress plugin before 4.4.8 does not sanitise or escape the edit_record parameter before outputting it back in the page in the admin dashboard, leading to a Reflected Cross-Site Scripting issue | |||||
CVE-2021-24698 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
The Simple Download Monitor WordPress plugin before 3.9.6 allows users with a role as low as Contributor to remove thumbnails from downloads they do not own, even if they cannot normally edit the download. | |||||
CVE-2021-24696 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
The Simple Download Monitor WordPress plugin before 3.9.9 does not enforce nonce checks, which could allow attackers to perform CSRF attacks to 1) make admins export logs to exploit a separate log disclosure vulnerability (fixed in 3.9.6), 2) delete logs (fixed in 3.9.9), 3) remove thumbnail image from downloads | |||||
CVE-2021-24711 | 1 Tipsandtricks-hq | 1 Software License Manager | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
The del_reistered_domains AJAX action of the Software License Manager WordPress plugin before 4.5.1 does not have any CSRF checks, and is vulnerable to a CSRF attack | |||||
CVE-2021-24693 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2023-12-10 | 6.0 MEDIUM | 9.0 CRITICAL |
The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the "File Thumbnail" post meta before outputting it in some pages, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Given the that XSS is triggered even when the Download is in a review state, contributor could make JavaScript code execute in a context of a reviewer such as admin and make them create a rogue admin account, or install a malicious plugin | |||||
CVE-2021-24697 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the 1) sdm_active_tab GET parameter and 2) sdm_stats_start_date/sdm_stats_end_date POST parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues | |||||
CVE-2021-24734 | 1 Tipsandtricks-hq | 1 Compact Wp Audio Player | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
The Compact WP Audio Player WordPress plugin before 1.9.7 does not escape some of its shortcodes attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. | |||||
CVE-2021-24694 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1) "color" or "css_class" argument of sdm_download shortcode, 2) "class" or "placeholder" argument of sdm_search_form shortcode. | |||||
CVE-2021-20782 | 1 Tipsandtricks-hq | 1 Software License Manager | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
Cross-site request forgery (CSRF) vulnerability in Software License Manager versions prior to 4.4.6 allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |||||
CVE-2021-24665 | 1 Tipsandtricks-hq | 1 Wp Video Lightbox | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
The WP Video Lightbox WordPress plugin before 1.9.3 does not escape the attributes of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks | |||||
CVE-2020-5650 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors. | |||||
CVE-2020-5651 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
SQL injection vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to execute arbitrary SQL commands via a specially crafted URL. | |||||
CVE-2020-29171 | 1 Tipsandtricks-hq | 1 Wp Security \& Firewall | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in admin/wp-security-blacklist-menu.php in the Tips and Tricks HQ All In One WP Security & Firewall (all-in-one-wp-security-and-firewall) plugin before 4.4.6 for WordPress. | |||||
CVE-2016-10868 | 1 Tipsandtricks-hq | 1 All In One Wp Security \& Firewall | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
The all-in-one-wp-security-and-firewall plugin before 4.0.5 for WordPress has XSS in the blacklist, file system, and file change detection settings pages. | |||||
CVE-2015-9310 | 1 Tipsandtricks-hq | 1 All In One Wp Security \& Firewall | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The all-in-one-wp-security-and-firewall plugin before 3.9.1 for WordPress has multiple SQL injection issues. | |||||
CVE-2019-5993 | 1 Tipsandtricks-hq | 1 Category Specific Rss Feed Subscription | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
Cross-site request forgery (CSRF) vulnerability in Category Specific RSS feed Subscription version v2.0 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | |||||
CVE-2016-10888 | 1 Tipsandtricks-hq | 1 All In One Wp Security \& Firewall | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The all-in-one-wp-security-and-firewall plugin before 4.0.7 for WordPress has multiple SQL injection issues. | |||||
CVE-2015-9294 | 1 Tipsandtricks-hq | 1 All In One Wp Security \& Firewall | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
The all-in-one-wp-security-and-firewall plugin before 3.9.5 for WordPress has XSS in add_query_arg and remove_query_arg function instances. | |||||
CVE-2015-9293 | 1 Tipsandtricks-hq | 1 All In One Wp Security \& Firewall | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
The all-in-one-wp-security-and-firewall plugin before 3.9.8 for WordPress has XSS in the unlock request feature. | |||||
CVE-2016-10887 | 1 Tipsandtricks-hq | 1 All In One Wp Security \& Firewall | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The all-in-one-wp-security-and-firewall plugin before 4.0.9 for WordPress has multiple SQL injection issues. |