
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 808 records (Critical 39, High 132, Medium 616). Showing 701-720 of 808 records.
CVE-2021-24604 - Availability Calendar WordPress plugin (threat entry updated 2024-11-21)

The Availability Calendar WordPress plugin before 1.2.2 does not sanitise or escape its Category Names before outputting them in the page/post where the associated shortcode is embedded, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Severity: MEDIUM, CVSS 4.8, 2021-09-20
CVE-2021-24623 - WordPress Advanced Ticket System, Elite Support Helpdesk WordPress plugin (threat entry updated 2024-11-21)

The WordPress Advanced Ticket System, Elite Support Helpdesk WordPress plugin before 1.0.64 does not sanitize or escape form values before saving to the database or when outputting, which allows high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Severity: MEDIUM, CVSS 4.8, 2021-09-13
CVE-2021-24614 - Book appointment online WordPress plugin (threat entry updated 2024-11-21)

The Book appointment online WordPress plugin before 1.39 does not sanitise or escape Service Prices before outputting them in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Severity: MEDIUM, CVSS 4.8, 2021-09-13
CVE-2021-24586 - Per page add to head WordPress plugin (threat entry updated 2024-11-21)

The Per page add to head WordPress plugin before 1.4.4 lacks any CSRF check when saving its settings, which could allow attackers to make a logged-in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the settings (a feature advertised by the plugin), this could lead to a Stored XSS issue that is triggered in the backend, the frontend, or both, depending on the payload used.

Severity: MEDIUM, CVSS 4.3, 2021-09-13
CVE-2021-24510 - MF Gig Calendar WordPress plugin (threat entry updated 2024-11-21)

The MF Gig Calendar WordPress plugin before 1.2 does not sanitise and escape the id GET parameter before outputting it back in the admin dashboard when editing an Event, leading to a reflected Cross-Site Scripting issue.

Severity: MEDIUM, CVSS 6.1, 2021-09-13
CVE-2021-24590 - Cookie Notice & Consent Banner for GDPR & CCPA Compliance WordPress plugin (threat entry updated 2024-11-21)

The Cookie Notice & Consent Banner for GDPR & CCPA Compliance WordPress plugin before 1.7.2 does not properly sanitize inputs to prevent injection of arbitrary HTML within the plugin's design customization options.

Severity: MEDIUM, CVSS 5.4, 2021-09-06
CVE-2021-24568 - AddToAny Share Buttons WordPress plugin (threat entry updated 2024-11-21)

The AddToAny Share Buttons WordPress plugin before 1.7.46 does not sanitise its Sharing Header setting when outputting it in frontend pages, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Severity: MEDIUM, CVSS 5.4, 2021-09-06
CVE-2021-24513 - Form Builder | Create Responsive Contact Forms WordPress plugin (threat entry updated 2024-11-21)

The Form Builder | Create Responsive Contact Forms WordPress plugin before 1.9.8.4 does not sanitise or escape its Form Title, allowing high privilege users such as admin to set a Cross-Site Scripting payload in it, even when the unfiltered_html capability is disallowed.

Severity: MEDIUM, CVSS 5.4, 2021-09-06
CVE-2021-24303 - JiangQie Official Website Mini Program WordPress plugin (threat entry updated 2024-11-21)

The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection issues.

Severity: HIGH, CVSS 8.8, 2021-09-06
CVE-2021-24665 - WP Video Lightbox WordPress plugin (threat entry updated 2024-11-21)

The WP Video Lightbox WordPress plugin before 1.9.3 does not escape the attributes of its shortcodes, allowing users with a role as low as Contributor to perform Cross-Site Scripting attacks.

Severity: MEDIUM, CVSS 5.4, 2021-08-30
CVE-2021-24602 - HM Multiple Roles WordPress plugin (threat entry updated 2024-11-21)

The HM Multiple Roles WordPress plugin before 1.3 does not have any access control preventing low privilege users from setting themselves as admin via their profile page.

Severity: HIGH, CVSS 8.8, 2021-08-23
CVE-2021-24571 - HD Quiz WordPress plugin (threat entry updated 2024-11-21)

The HD Quiz WordPress plugin before 1.8.4 does not escape some of its Answers before outputting them in an attribute when generating the Quiz, which could lead to Stored Cross-Site Scripting issues.

Severity: MEDIUM, CVSS 5.4, 2021-08-23
CVE-2021-24531 - Charitable – Donation Plugin WordPress plugin (threat entry updated 2024-11-21)

The Charitable – Donation Plugin WordPress plugin before 1.6.51 is affected by an authenticated stored cross-site scripting vulnerability which was found in the add donation feature.

Severity: MEDIUM, CVSS 5.4, 2021-08-23
CVE-2021-24529 - Grid Gallery – Photo Image Grid Gallery WordPress plugin (threat entry updated 2024-11-21)

The Grid Gallery – Photo Image Grid Gallery WordPress plugin before 1.2.5 does not properly sanitize the title field for image galleries when adding them via the admin dashboard, resulting in an authenticated Stored Cross-Site Scripting vulnerability.

Severity: MEDIUM, CVSS 5.4, 2021-08-23
CVE-2021-24541 - Wonder PDF Embed WordPress plugin (threat entry updated 2024-11-21)

The Wonder PDF Embed WordPress plugin before 1.7 does not escape parameters of its wonderplugin_pdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.

Severity: MEDIUM, CVSS 5.4, 2021-08-16
CVE-2021-24540 - Wonder Video Embed WordPress plugin (threat entry updated 2024-11-21)

The Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.

Severity: MEDIUM, CVSS 5.4, 2021-08-16
CVE-2021-24526 - Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin (threat entry updated 2024-11-21)

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue.

Severity: MEDIUM, CVSS 5.4, 2021-08-16
CVE-2021-24363 - Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin (threat entry updated 2024-11-21)

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images/SVG anywhere in the filesystem via a path traversal vector.

Severity: MEDIUM, CVSS 4.9, 2021-08-16
CVE-2021-24519 - VikRentCar Car Rental Management System WordPress plugin (threat entry updated 2024-11-21)

The VikRentCar Car Rental Management System WordPress plugin before 1.1.10 does not sanitise the 'Text Next to Icon' field when adding or editing a Characteristic, allowing high privilege users such as admin to use an XSS payload in it, leading to an authenticated Stored Cross-Site Scripting issue.

Severity: MEDIUM, CVSS 4.8, 2021-08-16
CVE-2021-24362 - Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin (threat entry updated 2024-11-21)

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to a gallery can upload an SVG file containing JavaScript code, which will be executed when the image is accessed directly (i.e. in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue.

Severity: MEDIUM, CVSS 6.1, 2021-08-16