CVE-2022-3209

The soledad WordPress theme before 8.2.5 does not sanitise the id,datafiltertype,... parameters in its pencimoreslistpostajax AJAX action, leading to a Reflected Cross-Site Scripting XSS vulnerability...

CVE-2022-2167

The Newspaper WordPress theme before 12 does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting...

CVE-2022-1424

The Ask me WordPress theme before 6.8.2 does not perform CSRF checks for any of its AJAX actions, allowing an attacker to trick logged in users to perform various actions on their behalf on the site...

CVE-2021-24840

The Squaretype WordPress theme before 3.0.4 allows unauthenticated users to manipulate the queryvars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request...

CVE-2021-24321

The Bello - Directory & Listing WordPress theme before 1.6.0 did not sanitise the btbblistingfieldpricerangeto, btbblistingfieldnowopen, btbblistingfieldmylng, listinglistview and btbblistingfieldmylat parameters before using them in a SQL statement, leading to SQL Injection issues...

CVE-2021-24335

The Car Repair Services & Auto Mechanic WordPress theme before 4.0 did not properly sanitise its serviceestimatekey search parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue...

CVE-2021-24375

Lack of authentication or validation in motorloadmore, motorgalleryloadmore, motorquickview and motorprojectquickview AJAX handlers of the Motor WordPress theme before 3.1.0 allows an unauthenticated attacker access to arbitrary files in the server file system, and to execute arbitrary php script...

CVE-2021-24319

The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise its postexcerpt parameter before outputting it back in the shop/my-account/bello-listing-endpoint/ page, leading to a Cross-Site Scripting issue...

CVE-2021-24719

The Enfold Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting XSS. The vulnerability is present on Enfold versions previous than 4.8.4 which use Avia Page Builder...

CVE-2021-24499

The Workreap WordPress theme before 2.2.2 AJAX actions workreapawardtempfileuploader and workreaptempfileuploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp...

CVE-2021-24500

Several AJAX actions available in the Workreap WordPress theme before 2.2.2 lacked CSRF protections, as well as allowing insecure direct object references that were not validated. This allows an attacker to trick a logged in user to submit a POST request to the vulnerable site, potentially...

CVE-2021-24472

The OnAir2 WordPress theme before 3.9.9.2 and QT KenthaRadio WordPress plugin before 2.0.2 have exposed proxy functionality to unauthenticated users, sending requests to this proxy functionality will have the web server fetch and display the content from any URI, this would allow for SSRF Server...

CVE-2021-24407

The Jannah WordPress theme before 5.4.5 did not properly sanitize the 'query' POST parameter in its tieajaxsearch AJAX action, leading to a Reflected Cross-site Scripting XSS vulnerability...

CVE-2021-24387

The WP Pro Real Estate 7 WordPress theme before 3.1.1 did not properly sanitise the ctcommunity parameter in its search listing page before outputting it back in it, leading to a reflected Cross-Site Scripting which can be triggered in both unauthenticated or authenticated user context...

CVE-2021-24342

The JNews WordPress theme before 8.0.6 did not sanitise the catid parameter in the POST request /?ajax-request=jnews with action=jnewsbuildmegacategory, leading to a Reflected Cross-Site Scripting XSS issue...

CVE-2021-24314

The Goto WordPress theme before 2.1 did not sanitise, validate of escape the keywords GET parameter from its listing page before using it in a SQL statement, leading to an Unauthenticated SQL injection issue...

CVE-2021-24317

The Listeo WordPress theme before 1.6.11 did not properly sanitise some parameters in its Search, Booking Confirmation and Personal Message pages, leading to Cross-Site Scripting issues...

CVE-2021-24316

The search feature of the Mediumish WordPress theme through 1.0.47 does not properly sanitise it's 's' GET parameter before output it back the page, leading to the Cross-SIte Scripting issue...

CVE-2021-24297

The Goto WordPress theme before 2.1 did not properly sanitize the formvalue JSON POST parameter in its tlfilter AJAX action, leading to an unauthenticated Reflected Cross-site Scripting XSS vulnerability...

CVE-2021-24235

The Goto WordPress theme before 2.0 does not sanitise the keywords and startdate GET parameter on its Tour List page, leading to an unauthenticated reflected Cross-Site Scripting issue...