Filtered by vendor Tipsandtricks-hq
Subscriptions
Total
43 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24694 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2022-01-27 | 5.4 Medium |
| The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1) "color" or "css_class" argument of sdm_download shortcode, 2) "class" or "placeholder" argument of sdm_search_form shortcode. | ||||
| CVE-2021-24697 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2021-11-11 | 6.1 Medium |
| The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the 1) sdm_active_tab GET parameter and 2) sdm_stats_start_date/sdm_stats_end_date POST parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues | ||||
| CVE-2021-24698 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2021-11-11 | 4.3 Medium |
| The Simple Download Monitor WordPress plugin before 3.9.6 allows users with a role as low as Contributor to remove thumbnails from downloads they do not own, even if they cannot normally edit the download. | ||||
| CVE-2021-24693 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2021-11-10 | 9.0 Critical |
| The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the "File Thumbnail" post meta before outputting it in some pages, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Given the that XSS is triggered even when the Download is in a review state, contributor could make JavaScript code execute in a context of a reviewer such as admin and make them create a rogue admin account, or install a malicious plugin | ||||
| CVE-2021-24799 | 1 Tipsandtricks-hq | 1 Far Future Expiry Header | 2021-11-02 | 4.3 Medium |
| The Far Future Expiry Header WordPress plugin before 1.5 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. | ||||
| CVE-2021-24735 | 1 Tipsandtricks-hq | 1 Compact Wp Audio Player | 2021-10-22 | 6.5 Medium |
| The Compact WP Audio Player WordPress plugin before 1.9.7 does not implement nonce checks, which could allow attackers to make a logged in admin change the "Disable Simultaneous Play" setting via a CSRF attack. | ||||
| CVE-2021-24734 | 1 Tipsandtricks-hq | 1 Compact Wp Audio Player | 2021-10-21 | 5.4 Medium |
| The Compact WP Audio Player WordPress plugin before 1.9.7 does not escape some of its shortcodes attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2021-24711 | 1 Tipsandtricks-hq | 1 Software License Manager | 2021-10-15 | 8.8 High |
| The del_reistered_domains AJAX action of the Software License Manager WordPress plugin before 4.5.1 does not have any CSRF checks, and is vulnerable to a CSRF attack | ||||
| CVE-2021-24560 | 1 Tipsandtricks-hq | 1 Software License Manager | 2021-09-23 | 6.1 Medium |
| The Software License Manager WordPress plugin before 4.4.8 does not sanitise or escape the edit_record parameter before outputting it back in the page in the admin dashboard, leading to a Reflected Cross-Site Scripting issue | ||||
| CVE-2021-24665 | 1 Tipsandtricks-hq | 1 Wp Video Lightbox | 2021-09-02 | 5.4 Medium |
| The WP Video Lightbox WordPress plugin before 1.9.3 does not escape the attributes of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks | ||||
| CVE-2021-20782 | 1 Tipsandtricks-hq | 1 Software License Manager | 2021-07-15 | 8.8 High |
| Cross-site request forgery (CSRF) vulnerability in Software License Manager versions prior to 4.4.6 allows remote attackers to hijack the authentication of administrators via unspecified vectors. | ||||
| CVE-2020-29171 | 1 Tipsandtricks-hq | 1 Wp Security \& Firewall | 2021-02-11 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in admin/wp-security-blacklist-menu.php in the Tips and Tricks HQ All In One WP Security & Firewall (all-in-one-wp-security-and-firewall) plugin before 4.4.6 for WordPress. | ||||
| CVE-2020-5650 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2020-10-27 | 6.1 Medium |
| Cross-site scripting vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors. | ||||
| CVE-2020-5651 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2020-10-27 | 8.8 High |
| SQL injection vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to execute arbitrary SQL commands via a specially crafted URL. | ||||
| CVE-2019-5993 | 1 Tipsandtricks-hq | 1 Category Specific Rss Feed Subscription | 2019-09-16 | 8.8 High |
| Cross-site request forgery (CSRF) vulnerability in Category Specific RSS feed Subscription version v2.0 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | ||||
| CVE-2015-9310 | 1 Tipsandtricks-hq | 1 All In One Wp Security \& Firewall | 2019-08-19 | N/A |
| The all-in-one-wp-security-and-firewall plugin before 3.9.1 for WordPress has multiple SQL injection issues. | ||||
| CVE-2016-10888 | 1 Tipsandtricks-hq | 1 All In One Wp Security \& Firewall | 2019-08-19 | N/A |
| The all-in-one-wp-security-and-firewall plugin before 4.0.7 for WordPress has multiple SQL injection issues. | ||||
| CVE-2016-10887 | 1 Tipsandtricks-hq | 1 All In One Wp Security \& Firewall | 2019-08-19 | N/A |
| The all-in-one-wp-security-and-firewall plugin before 4.0.9 for WordPress has multiple SQL injection issues. | ||||
| CVE-2015-9293 | 1 Tipsandtricks-hq | 1 All In One Wp Security \& Firewall | 2019-08-16 | N/A |
| The all-in-one-wp-security-and-firewall plugin before 3.9.8 for WordPress has XSS in the unlock request feature. | ||||
| CVE-2015-9294 | 1 Tipsandtricks-hq | 1 All In One Wp Security \& Firewall | 2019-08-16 | N/A |
| The all-in-one-wp-security-and-firewall plugin before 3.9.5 for WordPress has XSS in add_query_arg and remove_query_arg function instances. | ||||