Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-11-21
CVE-2021-24762 - Before 1 Plugin
The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.
PLUGIN
Before 1
CVE-2021-24762
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24814 - Before 1 Plugin
The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.26, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim's browser. If the victim is an administrator with a valid session cookie, full control of the WordPress instance may be taken (AJAX calls and iframe manipulation are possible because the vulnerable endpoint is on the same…
PLUGIN
Before 1
CVE-2021-24814
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24763 - Before 1 Plugin
The Perfect Survey WordPress plugin before 1.5.2 does not have proper authorisation nor CSRF checks in the save_global_setting AJAX action, allowing unauthenticated users to edit surveys and modify settings. Given the lack of sanitisation and escaping in the settings, this could also lead to a Stored Cross-Site Scripting issue which will be executed in the context of a user viewing any survey
PLUGIN
Before 1
CVE-2021-24763
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24761 - Before 1 Plugin
The Error Log Viewer WordPress plugin before 1.1.2 does not perform nonce check when deleting a log file and does not have path traversal prevention, which could allow attackers to make a logged in admin delete arbitrary text files on the web server.
PLUGIN
Before 1
CVE-2021-24761
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24937 - Before 1 Plugin
The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 does not escape the wpacu_selected_sub_tab_area parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue
PLUGIN
Before 1
CVE-2021-24937
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24926 - Before 1 Plugin
The Domain Check WordPress plugin before 1.0.17 does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue
PLUGIN
Before 1
CVE-2021-24926
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24764 - Before 1 Plugin
The Perfect Survey WordPress plugin before 1.5.2 does not sanitise and escape multiple parameters (id and filters[session_id] of single_statistics page, type and message of importexport page) before outputting them back in pages/attributes in the admin dashboard, leading to Reflected Cross-Site Scripting issues
PLUGIN
Before 1
CVE-2021-24764
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24775 - Before 1 Plugin
The Document Embedder WordPress plugin before 1.7.5 contains a REST endpoint, which could allow unauthenticated users to enumerate the title of arbitrary private and draft posts.
PLUGIN
Before 1
CVE-2021-24775
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24868 - Before 1 Plugin
The Document Embedder WordPress plugin before 1.7.9 contains a AJAX action endpoint, which could allow any authenticated user, such as subscriber to enumerate the title of arbitrary private and draft posts.
PLUGIN
Before 1
CVE-2021-24868
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25073 - Before 1 Plugin
The WP125 WordPress plugin before 1.5.5 does not have CSRF checks in various action, for example when deleting an ad, allowing attackers to make a logged in admin delete them via a CSRF attack
PLUGIN
Before 1
CVE-2021-25073
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25045 - Before 1 Plugin
The Asgaros Forum WordPress plugin before 1.15.15 does not validate or escape the forum_id parameter before using it in a SQL statement when editing a forum, leading to an SQL injection issue
PLUGIN
Before 1
CVE-2021-25045
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25013 - Before 1 Plugin
The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts
PLUGIN
Before 1
CVE-2021-25013
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24989 - Before 1 Plugin
The Accept Donations with PayPal WordPress plugin before 1.3.4 does not have CSRF check in place and does not ensure that the post to be deleted belongs to the plugin, allowing attackers to make a logged in admin delete arbitrary posts from the blog
PLUGIN
Before 1
CVE-2021-24989
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25080 - Before 1 Plugin
The Contact Form Entries WordPress plugin before 1.1.7 does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged in admins viewing the created entry
PLUGIN
Before 1
CVE-2021-25080
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25079 - Before 1 Plugin
The Contact Form Entries WordPress plugin before 1.2.4 does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search before outputting them back in the admin page
PLUGIN
Before 1
CVE-2021-25079
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25062 - Before 1 Plugin
The Orders Tracking for WooCommerce WordPress plugin before 1.1.10 does not sanitise and escape the file_url before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting
PLUGIN
Before 1
CVE-2021-25062
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25035 - Before 1 Plugin
The Backup and Staging by WP Time Capsule WordPress plugin before 1.22.7 does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting
PLUGIN
Before 1
CVE-2021-25035
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25017 - Before 1 Plugin
The Tutor LMS WordPress plugin before 1.9.12 does not escape the search parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
PLUGIN
Before 1
CVE-2021-25017
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25049 - Before 1 Plugin
The Mobile Events Manager WordPress plugin before 1.4.4 does not sanitise and escape various of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
PLUGIN
Before 1
CVE-2021-25049
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24858 - Before 1 Plugin
The Cookie Notification Plugin for WordPress plugin before 1.0.9 does not sanitise or escape the id GET parameter before using it in a SQL statement, when retrieving the setting to edit in the admin dashboard, leading to an authenticated SQL Injection
PLUGIN
Before 1
CVE-2021-24858
Risk Score