Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 808 records (Critical: 39, High: 132, Medium: 616). Showing records 661-680 of 808.
CVE-2021-24723 (Plugin) - MEDIUM, CVSS 5.4, 2021-11-01. Threat entry updated 2024-11-21.

The WP Reactions Lite WordPress plugin before 1.3.6 does not properly sanitize inputs within wp-admin pages, allowing users with sufficient access to inject XSS payloads within /wp-admin/ pages.
CVE-2021-24789 (Plugin) - MEDIUM, CVSS 4.8, 2021-11-01. Threat entry updated 2024-11-21.

The Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in an attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24799 (Plugin) - MEDIUM, CVSS 4.3, 2021-11-01. Threat entry updated 2024-11-21.

The Far Future Expiry Header WordPress plugin before 1.5 does not have a CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
CVE-2021-24717 (Plugin) - HIGH, CVSS 8.8, 2021-11-01. Threat entry updated 2024-11-21.

The AutomatorWP WordPress plugin before 1.7.6 does not perform capability checks which allows users with Subscriber roles to enumerate automations, disclose title of private posts or user emails, call functions, or perform privilege escalation via Ajax actions.
CVE-2021-24685 (Plugin) - MEDIUM, CVSS 5.4, 2021-11-01. Threat entry updated 2024-11-21.

The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, and also does not sanitise and escape them, which could allow attackers to make a logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload).
CVE-2021-24715 (Plugin) - MEDIUM, CVSS 4.8, 2021-11-01. Threat entry updated 2024-11-21.

The WP Sitemap Page WordPress plugin before 1.7.0 does not properly sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24539 (Plugin) - MEDIUM, CVSS 4.8, 2021-11-01. Threat entry updated 2024-11-21.

The Coming Soon, Under Construction & Maintenance Mode By Dazzler WordPress plugin before 1.6.7 does not sanitise or escape its description setting when outputting it in the frontend when the Coming Soon mode is enabled, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue.
CVE-2021-24572 (Plugin) - MEDIUM, CVSS 4.3, 2021-11-01. Threat entry updated 2024-11-21.

The Accept Donations with PayPal WordPress plugin before 1.3.1 provides a function to create donation buttons which are internally stored as posts. The deletion of a button is not CSRF protected and there is no control to check if the deleted post was a button post. As a result, an attacker could make logged in admins delete arbitrary posts.
CVE-2021-24570 (Plugin) - MEDIUM, CVSS 4.3, 2021-11-01. Threat entry updated 2024-11-21.

The Accept Donations with PayPal WordPress plugin before 1.3.1 offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of the Button fields is not escaped before being output in an attribute when editing a Button, leading to a Stored Cross-Site Scripting issue as well.
CVE-2021-24774 (Plugin) - HIGH, CVSS 7.2, 2021-10-25. Threat entry updated 2024-11-21.

The Check & Log Email WordPress plugin before 1.0.3 does not validate and escape the "order" and "orderby" GET parameters before using them in a SQL statement when viewing logs, leading to SQL injection issues.
CVE-2021-24699 (Plugin) - MEDIUM, CVSS 5.4, 2021-10-25. Threat entry updated 2024-11-21.

The Easy Media Download WordPress plugin before 1.1.7 does not escape the text argument of its shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
CVE-2021-24744 (Plugin) - MEDIUM, CVSS 4.8, 2021-10-25. Threat entry updated 2024-11-21.

The WordPress Contact Forms by Cimatti WordPress plugin before 1.4.12 does not sanitise and escape the Form Title before outputting it in some admin pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24653 (Plugin) - MEDIUM, CVSS 4.8, 2021-10-25. Threat entry updated 2024-11-21.

The Cookie Bar WordPress plugin before 1.8.9 does not properly sanitise the Cookie Bar Message setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24515 (Plugin) - MEDIUM, CVSS 4.8, 2021-10-25. Threat entry updated 2024-11-21.

The Video Gallery WordPress plugin before 1.1.5 does not escape the Title and Description of the videos in a gallery before outputting them in attributes, leading to Stored Cross-Site Scripting issues.
CVE-2021-24414 (Plugin) - MEDIUM, CVSS 5.4, 2021-10-25. Threat entry updated 2024-11-21.

The Video Player for YouTube WordPress plugin before 1.4 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page/s with the embedded malicious shortcode.
CVE-2021-24752 (Plugin) - MEDIUM, CVSS 5.7, 2021-10-18. Threat entry updated 2024-11-21.

Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the Essential Widgets WordPress plugin before 1.9, To Top WordPress plugin before 2.3, Header Enhancement WordPress plugin before 1.5, Generate Child Theme WordPress plugin before 1.6, Essential Content Types WordPress plugin before 1.9, Catch Web Tools WordPress plugin before 2.7, Catch Under Construction WordPress plugin before 1.4, Catch Themes Demo Import WordPress plugin before 1.6, Catch Sticky Menu WordPress plugin before…
CVE-2021-24760 (Plugin) - MEDIUM, CVSS 5.4, 2021-10-18. Threat entry updated 2024-11-21.

The Gutenberg PDF Viewer Block WordPress plugin before 1.0.1 does not sanitise and escape its block, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.
CVE-2021-24684 (Plugin) - HIGH, CVSS 8.8, 2021-10-18. Threat entry updated 2024-11-21.

The WordPress PDF Light Viewer Plugin WordPress plugin before 1.4.12 allows users with Author roles to execute arbitrary OS commands on the server via OS Command Injection when invoking Ghostscript.
CVE-2021-24735 (Plugin) - MEDIUM, CVSS 6.5, 2021-10-18. Threat entry updated 2024-11-21.

The Compact WP Audio Player WordPress plugin before 1.9.7 does not implement nonce checks, which could allow attackers to make a logged in admin change the "Disable Simultaneous Play" setting via a CSRF attack.
CVE-2021-24743 (Plugin) - MEDIUM, CVSS 5.4, 2021-10-18. Threat entry updated 2024-11-21.

The Podcast Subscribe Buttons WordPress plugin before 1.4.2 allows users with any role capable of editing or adding posts to perform stored XSS.