Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total808
Critical39
High132
Medium616
Showing 641-660 of 808 records
Threat Entry Updated 2026-01-23

CVE-2021-24713 - Before 1 Plugin

The Video Lessons Manager WordPress plugin before 1.7.2 and Video Lessons Manager Pro WordPress plugin before 3.5.9 do not properly sanitize and escape values when updating their settings, which could allow high privilege users to perform Cross-Site Scripting attacks.

MEDIUM CVSS 4.8 2021-11-23
Threat Entry Updated 2024-11-21

CVE-2021-24700 - Before 1 Plugin

The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2021-11-23
Threat Entry Updated 2024-11-21

CVE-2021-24668 - Before 1 Plugin

The MAZ Loader WordPress plugin before 1.4.1 does not enforce nonce checks, which allows attackers to make administrators delete arbitrary loaders via a CSRF attack.

MEDIUM CVSS 4.3 2021-11-23
Threat Entry Updated 2024-11-21

CVE-2021-24854 - Before 1 Plugin

The QR Redirector WordPress plugin before 1.6.1 does not sanitise and escape some of the QR Redirect fields, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24856 - Before 1 Plugin

The Shared Files WordPress plugin before 1.6.61 does not sanitise and escape the Download Counter Text settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24815 - Before 1 Plugin

The Accept Donations with PayPal WordPress plugin before 1.3.2 does not escape the Amount Menu Name field of created Buttons, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24853 - Before 1 Plugin

The QR Redirector WordPress plugin before 1.6 does not have capability and CSRF checks when saving bulk QR Redirector settings via the qr_save_bulk AJAX action, which could allow any authenticated user, such as a subscriber, to change the redirect response status code of arbitrary QR Redirects.

MEDIUM CVSS 4.3 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24796 - Before 1 Plugin

The My Tickets WordPress plugin before 1.8.31 does not properly sanitise and escape the Email field of booked tickets before outputting it in the Payment admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins.

MEDIUM CVSS 6.1 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24598 - Before 1 Plugin

The Testimonial WordPress plugin before 1.6.0 does not escape some testimonial fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24827 - Before 1 Plugin

The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection issue.

CRITICAL CVSS 9.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24791 - Before 1 Plugin

The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the "orderby" and "order" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections.

HIGH CVSS 7.2 2021-11-08
Threat Entry Updated 2026-01-23

CVE-2021-24767 - Before 1 Plugin

The Redirect 404 Error Page to Homepage or Custom Page with Logs WordPress plugin before 1.7.9 does not check for CSRF when deleting logs, which could allow an attacker to make a logged-in admin delete them via a CSRF attack.

MEDIUM CVSS 6.5 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24708 - Before 1 Plugin

The Export any WordPress data to XML/CSV WordPress plugin before 1.3.1 does not escape its Export's Name before outputting it in the Manage Exports settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24669 - Before 1 Plugin

The MAZ Loader – Preloader Builder for WordPress plugin before 1.3.3 does not validate or escape the loader_id parameter of the mzldr shortcode, which allows users with a role as low as Contributor to perform SQL injection.

HIGH CVSS 8.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24646 - Before 1 Plugin

The Booking.com Banner Creator WordPress plugin before 1.4.3 does not properly sanitize inputs when creating banners, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24645 - Before 1 Plugin

The Booking.com Product Helper WordPress plugin before 1.0.2 does not sanitize and escape the Product Code when creating a Product Shortcode, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24616 - Before 1 Plugin

The AddToAny Share Buttons WordPress plugin before 1.7.48 does not escape its Image URL button setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24809 - Before 1 Plugin

The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in several of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged-in users perform unwanted actions.

HIGH CVSS 8.8 2021-11-01
Threat Entry Updated 2024-11-21

CVE-2021-24742 - Before 1 Plugin

The Logo Slider and Showcase WordPress plugin before 1.3.37 allows Editor users to update the plugin's settings via the rtWLSSettings AJAX action because it uses a nonce for authorisation instead of a capability check.

MEDIUM CVSS 6.5 2021-11-01
Threat Entry Updated 2024-11-21

CVE-2021-24808 - Before 1 Plugin

The BP Better Messages WordPress plugin before 1.9.9.41 sanitises (with sanitize_text_field) but does not escape the 'subject' parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2021-11-01