Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 808 records: Critical 39, High 132, Medium 616
Showing 621-640 of 808 records
CVE-2021-24756 - WP System Log plugin before 1.0.21 (entry updated 2024-11-21)

The WP System Log WordPress plugin before 1.0.21 does not sanitise, validate or escape the IP address retrieved from login requests before outputting it in the admin dashboard, which could allow an unauthenticated attacker to perform Cross-Site Scripting attacks against admins viewing the logs.

MEDIUM CVSS 6.1 2021-12-13
CVE-2021-24836 - Temporary Login Without Password plugin before 1.7.1 (entry updated 2024-11-21)

The Temporary Login Without Password WordPress plugin before 1.7.1 does not have authorisation and CSRF checks when updating its settings, which could allow any logged-in user, such as a subscriber, to update them.

MEDIUM CVSS 4.3 2021-12-13
CVE-2021-24917 - WPS Hide Login plugin before 1.9.1 (entry updated 2024-11-21)

The WPS Hide Login WordPress plugin before 1.9.1 has a bug that allows an unauthenticated user to obtain the secret login page by setting an arbitrary Referer string and making a request to /wp-admin/options.php.

HIGH CVSS 7.5 2021-12-06
CVE-2021-25041 - Photo Gallery by 10Web plugin before 1.5.68 (entry updated 2024-11-21)

The Photo Gallery by 10Web WordPress plugin before 1.5.68 is vulnerable to Reflected Cross-Site Scripting (XSS) issues via the bwg_album_breadcrumb_0 and shortcode_id GET parameters passed to the bwg_frontend_data AJAX action.

MEDIUM CVSS 6.1 2021-12-06
CVE-2021-24938 - WOOCS plugin before 1.3.7.1 (entry updated 2024-11-21)

The WOOCS WordPress plugin before 1.3.7.1 does not sanitise and escape the key parameter of the woocs_update_profiles_data AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2021-12-06
CVE-2021-24718 - Contact Form, Survey & Popup Form Plugin for WordPress before 1.5 (entry updated 2024-11-21)

The Contact Form, Survey & Popup Form Plugin for WordPress plugin before 1.5 does not properly sanitize some of its settings, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2021-12-06
CVE-2021-24908 - Check & Log Email plugin before 1.0.4 (entry updated 2024-11-21)

The Check & Log Email WordPress plugin before 1.0.4 does not escape the d parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2021-11-29
CVE-2021-24842 - Bulk Datetime Change plugin before 1.12 (entry updated 2024-11-21)

The Bulk Datetime Change WordPress plugin before 1.12 does not enforce capability checks, which allows users with the Contributor role to 1) list private post titles of other users and 2) change the posted date of other users' posts.

MEDIUM CVSS 5.4 2021-11-29
CVE-2021-24751 - GenerateBlocks plugin before 1.4.0 (entry updated 2024-11-21)

The GenerateBlocks WordPress plugin before 1.4.0 does not validate the generateblocks/container block's tagName attribute, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2021-11-29
CVE-2021-24745 - About Author Box plugin before 1.0.2 (entry updated 2024-11-21)

The About Author Box WordPress plugin before 1.0.2 does not sanitise and escape the Social Profiles field values before outputting them in attributes, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2021-11-29
CVE-2021-24811 - Shop Page WP plugin before 1.2.8 (entry updated 2024-11-21)

The Shop Page WP WordPress plugin before 1.2.8 does not sanitise and escape some of the Product fields, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2021-11-29
CVE-2021-24749 - URL Shortify plugin before 1.5.1 (entry updated 2026-01-30)

The URL Shortify WordPress plugin before 1.5.1 does not have a CSRF check in place when bulk-deleting links or groups, which could allow attackers to make a logged-in admin delete arbitrary links and groups via a CSRF attack.

MEDIUM CVSS 4.3 2021-11-29
CVE-2021-24894 - Reviews Plus plugin before 1.2.14 (entry updated 2024-11-21)

The Reviews Plus WordPress plugin before 1.2.14 does not validate the submitted rating, allowing submission of a long integer, which causes a Denial of Service in the review section when an authenticated user submits such a rating and reviews are set to be displayed on the post/page.

MEDIUM CVSS 6.5 2021-11-23
CVE-2021-24873 - Tutor LMS plugin before 1.9.11 (entry updated 2024-11-21)

The Tutor LMS WordPress plugin before 1.9.11 does not sanitise and escape user input before outputting it back in attributes on the Student Registration page, leading to a Reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2021-11-23
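
The reflected issues in CVE-2021-25041, CVE-2021-24938, CVE-2021-24908 and CVE-2021-24873 share one root cause: a request parameter is echoed into HTML (here, into an attribute) without being escaped for that context. The stored variant in CVE-2021-24756, an attacker-influenced IP string logged at login time and printed later in the dashboard, differs only in the delay between input and output. The PHP below is an added example written for this page, not code from any of the listed plugins; the parameter name d follows the Check & Log Email description, while the exmpl_ function names, the markup and the log-row layout are assumptions. sanitize_text_field(), wp_unslash(), esc_attr() and esc_html() are WordPress core functions.

```php
<?php
// Added example for this page; not code from any of the plugins listed above.
// "d" mirrors the parameter named in CVE-2021-24908; everything else is invented.

// BEFORE: the raw query parameter is concatenated into an attribute. A value that starts
// with a double quote and a closing angle bracket ends the attribute and the tag, and any
// markup that follows is rendered in the viewing admin's session.
function exmpl_render_filter_vulnerable() {
    echo '<input type="hidden" name="d" value="' . $_GET['d'] . '">';
}

// AFTER: unslash, sanitise to the expected type, then escape for the exact output context.
function exmpl_render_filter() {
    $d = isset( $_GET['d'] ) ? sanitize_text_field( wp_unslash( $_GET['d'] ) ) : '';

    // esc_attr() for attribute values; esc_html() for text nodes; esc_url() for href/src;
    // wp_json_encode() for data handed to inline JavaScript. The escaper must match the
    // sink, which is why input sanitisation alone is not a substitute for it.
    echo '<input type="hidden" name="d" value="' . esc_attr( $d ) . '">';
}

// STORED VARIANT (cf. CVE-2021-24756). Whatever the plugin reads as "the client IP" at
// login time is attacker input if the client can influence it. Validate on write so that
// non-addresses never reach the database...
function exmpl_normalise_client_ip( $raw ) {
    $ip = filter_var( trim( (string) $raw ), FILTER_VALIDATE_IP );
    // Anything that is not a syntactically valid IPv4/IPv6 literal (an <img onerror=...>
    // tag, for instance) is replaced by a sentinel instead of being stored.
    return false === $ip ? '0.0.0.0' : $ip;
}

// ...AND escape on read, because rows may have been written by an older, unvalidated
// version of the plugin or by a code path that skipped the check above.
function exmpl_render_login_log_row( array $row ) {
    printf(
        '<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
        esc_html( $row['time'] ),
        esc_html( $row['username'] ),
        esc_html( $row['ip'] )
    );
}
```

Version checks aside, the quickest confirmation that an output fix is in place is to request the endpoint with a value containing `"><` and read the raw response: correctly escaped output shows `&quot;&gt;&lt;` inside the attribute, while a vulnerable build returns the characters verbatim.
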
CVE-2021-24882 - Slideshow Gallery plugin before 1.7.4 (entry updated 2024-11-21)

The Slideshow Gallery WordPress plugin before 1.7.4 does not sanitise and escape the Slide "Title", "Description", and Gallery "Title" fields, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2021-11-23
CVE-2021-24641 - Images to WebP plugin before 1.9 (entry updated 2024-11-21)

The Images to WebP WordPress plugin before 1.9 does not have CSRF checks in place when performing some administrative actions, which could result in modification of plugin settings, Denial-of-Service, as well as arbitrary image conversion.

HIGH CVSS 8.1 2021-11-23
CVE-2021-24644 - Images to WebP plugin before 1.9 (entry updated 2024-11-21)

The Images to WebP WordPress plugin before 1.9 does not validate or sanitise the tab parameter before passing it to the include() function, which could lead to a Local File Inclusion issue.

HIGH CVSS 7.5 2021-11-23
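
CVE-2021-24644 is the classic Local File Inclusion pattern: a request parameter (tab) decides which file include() loads. The PHP below is an added example for this page, not the Images to WebP plugin's code; only the parameter name comes from the description, while the tab names, the tabs/ directory and the exmpl_ function names are assumptions.

```php
<?php
// Added example for this page; not code from the plugin described above.
// "tab" mirrors the parameter named in CVE-2021-24644; the tab files are invented.

// BEFORE: the request parameter becomes part of the include() path. Directory traversal
// ("../../wp-config" and so on) escapes the tabs/ directory, and on old PHP releases a
// null byte also truncated the appended ".php" suffix, widening what could be loaded.
function exmpl_render_settings_tab_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    include plugin_dir_path( __FILE__ ) . 'tabs/' . $tab . '.php';
}

// AFTER: the user-controlled name selects an entry from a fixed map; the path itself is
// never built from request data.
function exmpl_render_settings_tab() {
    $tabs = array(
        'general'    => 'tabs/general.php',
        'conversion' => 'tabs/conversion.php',
        'advanced'   => 'tabs/advanced.php',
    );

    // sanitize_key() reduces the value to [a-z0-9_-], which already removes "../" and
    // "://", but the allowlist lookup is the real control: the only strings that can
    // reach include() are the three literals above.
    $requested = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    $file      = array_key_exists( $requested, $tabs ) ? $tabs[ $requested ] : $tabs['general'];

    include plugin_dir_path( __FILE__ ) . $file;
}
```

Falling back to the default tab on an unknown value (rather than echoing the bad value in an error) also avoids turning the same parameter into a reflected XSS sink.
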
CVE-2021-24703 - Download Plugin before 1.6.1 (entry updated 2024-11-21)

The Download Plugin WordPress plugin before 1.6.1 does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated user, such as a subscriber, to activate plugins that are already installed.

MEDIUM CVSS 5.7 2021-11-23
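
CVE-2021-24703 (activating installed plugins), CVE-2021-24836 (updating settings), CVE-2021-24749 and CVE-2021-24641 (CSRF on administrative actions) and CVE-2021-24842 (per-post actions by Contributors) are all missing one or both of the two checks every state-changing admin-ajax.php handler needs: a capability check for authorisation and a nonce check against CSRF. The PHP below is an added example for this page, shaped like the first of these; it is not the Download Plugin's code. The exmpl_ prefix, the action name and the nonce name are assumptions; current_user_can(), check_ajax_referer(), get_plugins(), activate_plugin() and wp_send_json_error() are WordPress core functions.

```php
<?php
// Added example for this page; not the code of any listed plugin. exmpl_ names are invented.

// BEFORE: registered on wp_ajax_*, so any logged-in user (a subscriber is enough) can call
// admin-ajax.php?action=exmpl_plugin_activate_vulnerable, and so can a third-party page
// that submits a form on their behalf, because nothing binds the request to this site.
add_action( 'wp_ajax_exmpl_plugin_activate_vulnerable', function () {
    activate_plugin( wp_unslash( $_POST['plugin'] ) );
    wp_send_json_success();
} );

// AFTER: authorisation, then CSRF, then validation against an allowlist.
add_action( 'wp_ajax_exmpl_plugin_activate', 'exmpl_plugin_activate' );
function exmpl_plugin_activate() {
    // 1. Authorisation. The capability must match the action: activate_plugins here,
    //    manage_options for plugin settings, edit_post with the post ID for per-post actions.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF. The nonce is bound to the action name and the current user's session;
    //    check_ajax_referer() ends the request with -1 if it is missing or stale.
    check_ajax_referer( 'exmpl_plugin_activate', '_ajax_nonce' );

    // 3. Validation. Only a key of the installed-plugins map ("dir/file.php") is accepted.
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
    if ( ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_send_json_error( 'unknown plugin', 400 );
    }

    $result = activate_plugin( $plugin );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'activated' => $plugin ) );
}

// The nonce is minted server-side and handed to the admin script that will make the call.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'exmpl-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'exmpl-admin', 'exmplAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'exmpl_plugin_activate' ),
    ) );
} );
```

The two checks are independent: the capability check is what stops the subscriber in CVE-2021-24703, the nonce is what stops the cross-site form in CVE-2021-24749 and CVE-2021-24641, and neither implies the other. A handler that only tests is_user_logged_in(), or that registers an administrative action on wp_ajax_nopriv_*, remains open to both.
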
CVE-2021-24812 - BetterLinks plugin before 1.2.6 (entry updated 2024-11-21)

The BetterLinks WordPress plugin before 1.2.6 does not sanitise and escape some of the imported link fields, which could lead to Stored Cross-Site Scripting issues when an admin imports a malicious CSV.

MEDIUM CVSS 5.4 2021-11-23
CVE-2021-24729 - Logo Showcase with Slick Slider plugin before 1.2.4 (entry updated 2024-11-21)

The Logo Showcase with Slick Slider WordPress plugin before 1.2.4 does not sanitise the Grid Settings, which could allow users with a role as low as Author to perform Stored Cross-Site Scripting attacks via the post metadata of a Grid logo showcase.

MEDIUM CVSS 5.4 2021-11-23
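
CVE-2021-24718, CVE-2021-24811 and CVE-2021-24882 describe settings that administrators can fill with script even on sites where the unfiltered_html capability has been removed, and CVE-2021-24745, CVE-2021-24751, CVE-2021-24729 and CVE-2021-24812 describe fields that Contributor- or Author-level users, or a CSV import, can use for the same end. In every case the fix is to sanitise the value at the point it is stored, with a rule specific to the kind of data the field is meant to hold. The PHP below is an added example for this page and not any listed plugin's code; the option names, the exmpl_ prefix, the tag allowlist and the import row layout are assumptions, while register_setting(), wp_kses_post(), esc_url_raw(), sanitize_key() and current_user_can() are WordPress core.

```php
<?php
// Added example for this page; not the code of any plugin listed above. Names are invented.

add_action( 'init', 'exmpl_register_settings' );
function exmpl_register_settings() {
    // BEFORE: no sanitize_callback, so whatever the settings form (or a direct
    // update_option() call in an AJAX handler) submits is stored verbatim. On a site where
    // unfiltered_html has been removed (DISALLOW_UNFILTERED_HTML, or any multisite user
    // who is not a super admin) an administrator can still store <script> this way.
    register_setting( 'exmpl_options_vulnerable', 'exmpl_slide_title_vulnerable' );

    // AFTER: a type-specific sanitize_callback runs on every write made through the
    // settings API, including the REST endpoint.
    register_setting( 'exmpl_options', 'exmpl_slide_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',            // plain text: all tags stripped
    ) );
    register_setting( 'exmpl_options', 'exmpl_slide_description', array(
        'type'              => 'string',
        'sanitize_callback' => 'exmpl_sanitize_rich_text',       // limited HTML allowed
    ) );
    register_setting( 'exmpl_options', 'exmpl_social_profiles', array(
        'type'              => 'array',
        'sanitize_callback' => 'exmpl_sanitize_social_profiles', // http(s) URLs only
    ) );
}

// Mirror core's rule for post content: markup is kept verbatim only for users who actually
// hold unfiltered_html; everyone else is reduced to the post-safe tag list, which drops
// <script>, on* handlers and javascript: URLs. Testing the capability here is what makes
// the setting honour DISALLOW_UNFILTERED_HTML instead of silently bypassing it.
function exmpl_sanitize_rich_text( $value ) {
    $value = (string) $value;
    return current_user_can( 'unfiltered_html' ) ? $value : wp_kses_post( $value );
}

// Contributor/Author-level fields are never covered by unfiltered_html, so they get a
// strict rule regardless of who saves them: keys normalised, values must be http(s) URLs
// (esc_url_raw() returns '' for schemes outside the allowed list, e.g. javascript:).
function exmpl_sanitize_social_profiles( $urls ) {
    $clean = array();
    foreach ( (array) $urls as $network => $url ) {
        $network = sanitize_key( $network );
        $url     = esc_url_raw( (string) $url, array( 'http', 'https' ) );
        if ( '' !== $network && '' !== $url ) {
            $clean[ $network ] = $url;
        }
    }
    return $clean;
}

// A block attribute that selects the wrapper element (cf. the tagName case) is matched
// against an allowlist, never interpolated into "<" . $tag . ">" as free text.
function exmpl_sanitize_tag_name( $tag_name ) {
    $allowed  = array( 'div', 'section', 'article', 'aside', 'header', 'footer', 'main' );
    $tag_name = strtolower( trim( (string) $tag_name ) );
    return in_array( $tag_name, $allowed, true ) ? $tag_name : 'div';
}

// Import paths (cf. the CSV case) bypass the settings API entirely, so they must call the
// same sanitisers explicitly before the values reach update_option() or post meta.
function exmpl_import_link_row( array $row ) {
    return array(
        'title'  => sanitize_text_field( isset( $row['title'] ) ? $row['title'] : '' ),
        'target' => esc_url_raw( isset( $row['target'] ) ? $row['target'] : '', array( 'http', 'https' ) ),
        'notes'  => exmpl_sanitize_rich_text( isset( $row['notes'] ) ? $row['notes'] : '' ),
    );
}
```

Sanitising on save does not remove the need to escape on output (esc_html()/esc_attr() at the point of rendering); the two layers cover different failure modes, and the entries above show that the stored layer is the one plugin authors most often skip for "admin only" fields.
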