Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-11-21
CVE-2021-25075 - Before 1 Plugin
The Duplicate Page or Post WordPress plugin before 1.5.1 does not have any authorisation and has a flawed CSRF check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of escaping, this could lead to Stored Cross-Site Scripting issues
PLUGIN
Before 1
CVE-2021-25075
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0190 - Before 1 Plugin
The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.6 is affected by a SQL Injection in the id parameter of the delete action.
PLUGIN
Before 1
CVE-2022-0190
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0214 - Before 1 Plugin
The Custom Popup Builder WordPress plugin before 1.3.1 autoload data from its popup on every pages, as such data can be sent by unauthenticated user, and is not validated in length, this could cause a denial of service on the blog
PLUGIN
Before 1
CVE-2022-0214
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0206 - Before 1 Plugin
The NewStatPress WordPress plugin before 1.3.6 does not properly escape the whatX parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues
PLUGIN
Before 1
CVE-2022-0206
Risk Score
Threat Entry
Updated 2025-04-15
CVE-2022-0176 - Before 1 Plugin
The PowerPack Lite for Beaver Builder WordPress plugin before 1.2.9.3 does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting
PLUGIN
Before 1
CVE-2022-0176
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0200 - Before 1 Plugin
Themify Portfolio Post WordPress plugin before 1.1.7 does not sanitise and escape the num_of_pages parameter before outputting it back the response of the themify_create_popup_page_pagination AJAX action (available to any authenticated user), leading to a Reflected Cross-Site Scripting
PLUGIN
Before 1
CVE-2022-0200
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25107 - Before 1 Plugin
The Form Store to DB WordPress plugin before 1.1.1 does not sanitise and escape parameter keys before outputting it back in the created entry, allowing unauthenticated attacker to perform Cross-Site Scripting attacks against admin
PLUGIN
Before 1
CVE-2021-25107
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25033 - Before 1 Plugin
The WordPress Newsletter Plugin WordPress plugin before 1.6.5 does not validate the to parameter before redirecting the user to its given value, leading to an open redirect issue
PLUGIN
Before 1
CVE-2021-25033
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25050 - Before 1 Plugin
The Remove Footer Credit WordPress plugin before 1.0.11 does properly sanitise its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.
PLUGIN
Before 1
CVE-2021-25050
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25110 - Before 1 Plugin
The Futurio Extra WordPress plugin before 1.6.3 allows any logged in user, such as subscriber, to extract any other user's email address.
PLUGIN
Before 1
CVE-2021-25110
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25109 - Before 1 Plugin
The Futurio Extra WordPress plugin before 1.6.3 is affected by a SQL Injection vulnerability that could be used by high privilege users to extract data from the database as well as used to perform Cross-Site Scripting (XSS) against logged in admins by making send open a malicious link.
PLUGIN
Before 1
CVE-2021-25109
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24446 - Before 1 Plugin
The Remove Footer Credit WordPress plugin before 1.0.6 does not have CSRF check in place when saving its settings, which could allow attacker to make logged in admins change them and lead to Stored XSS issue as well due to the lack of sanitisation
PLUGIN
Before 1
CVE-2021-24446
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24904 - Before 1 Plugin
The Mortgage Calculators WP WordPress plugin before 1.56 does not implement any sanitisation on the color setting of the background of a calculator, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
PLUGIN
Before 1
CVE-2021-24904
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25014 - Before 1 Plugin
The Ibtana WordPress plugin before 1.1.4.9 does not have authorisation and CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings which could lead to Stored Cross-Site Scripting issue.
PLUGIN
Before 1
CVE-2021-25014
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25029 - Before 1 Plugin
The CLUEVO LMS, E-Learning Platform WordPress plugin before 1.8.1 does not sanitise and escape Course's module, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
PLUGIN
Before 1
CVE-2021-25029
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25004 - Before 1 Plugin
The SEUR Oficial WordPress plugin before 1.7.2 creates a PHP file with a random name when installed, even though it is used for support purposes, it allows to download any file from the web server without restriction after knowing the URL and a password than an administrator can see in the plugin settings page.
PLUGIN
Before 1
CVE-2021-25004
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0220 - Before 1 Plugin
The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim's browser. Due to v1.9.26 adding a CSRF check, the XSS is only exploitable against unauthenticated users (as they all share the same nonce)
PLUGIN
Before 1
CVE-2022-0220
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25089 - Before 1 Plugin
The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.69 does not sanitise and escape the updraft_restore parameter before outputting it back in the Restore page, leading to a Reflected Cross-Site Scripting
PLUGIN
Before 1
CVE-2021-25089
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25085 - Before 1 Plugin
The WOOF WordPress plugin before 1.2.6.3 does not sanitise and escape the woof_redraw_elements before outputing back in an admin page, leading to a Reflected Cross-Site Scripting
PLUGIN
Before 1
CVE-2021-25085
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24983 - Before 1 Plugin
The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 does not sanitise and escape POSted parameters sent to the wpassetcleanup_fetch_active_plugins_icons AJAX action (available to admin users), leading to a Reflected Cross-Site Scripting issue
PLUGIN
Before 1
CVE-2021-24983
Risk Score