
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-21

CVE-2021-24388 - Before 1 Plugin

In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom field option by which all the fields that users must fill in before saving an order can be managed. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged-in admin set arbitrary Custom Fields, including one with an XSS payload in it.

Type: Plugin | Severity: MEDIUM | CVSS 5.4 | 2021-07-06
Threat Entry Updated 2024-11-21

CVE-2021-24379 - Before 1 Plugin

The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however it does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited likes/dislikes to any comment. The plugin appears to have some Restriction modes, such as Cookie Restriction, IP Restrictions and Logged In User Restriction; however, they do not prevent such an attack as they only check client-side.

Type: Plugin | Severity: MEDIUM | CVSS 5.3 | 2021-06-21
Threat Entry Updated 2024-11-21

CVE-2021-24373 - Before 1 Plugin

The WP Hardening – Fix Your WordPress Security WordPress plugin before 1.2.2 did not sanitise or escape the historyvalue GET parameter before outputting it in a JavaScript block, leading to a reflected Cross-Site Scripting issue.

Type: Plugin | Severity: MEDIUM | CVSS 6.1 | 2021-06-21
Threat Entry Updated 2024-11-21

CVE-2021-24372 - Before 1 Plugin

The WP Hardening – Fix Your WordPress Security WordPress plugin before 1.2.2 did not sanitise or escape the $_SERVER['REQUEST_URI'] before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue.

Type: Plugin | Severity: MEDIUM | CVSS 6.1 | 2021-06-21
Threat Entry Updated 2024-11-21

CVE-2021-24360 - Before 1 Plugin

The Yes/No Chart WordPress plugin before 1.0.12 did not sanitise its sid shortcode parameter before using it in a SQL statement, allowing medium-privilege users (contributor+) to perform Blind SQL Injection attacks.

Type: Plugin | Severity: MEDIUM | CVSS 6.5 | 2021-06-14
Threat Entry Updated 2024-11-21

CVE-2021-24321 - Before 1 Theme

The Bello - Directory & Listing WordPress theme before 1.6.0 did not sanitise the bt_bb_listing_field_price_range_to, bt_bb_listing_field_now_open, bt_bb_listing_field_my_lng, listing_list_view and bt_bb_listing_field_my_lat parameters before using them in a SQL statement, leading to SQL Injection issues.

Type: Theme | Severity: CRITICAL | CVSS 9.8 | 2021-06-01
Threat Entry Updated 2024-11-21

CVE-2021-24318 - Before 1 Theme

The Listeo WordPress theme before 1.6.11 did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated user to delete arbitrary pages/posts and bookings via an IDOR vector.

Type: Theme | Severity: MEDIUM | CVSS 6.5 | 2021-06-01
Threat Entry Updated 2024-11-21

CVE-2021-24320 - Before 1 Theme

The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise and escape its listing_list_view, bt_bb_listing_field_my_lat, bt_bb_listing_field_my_lng, bt_bb_listing_field_distance_value, bt_bb_listing_field_my_lat_default, bt_bb_listing_field_keyword, bt_bb_listing_field_location_autocomplete, bt_bb_listing_field_price_range_from and bt_bb_listing_field_price_range_to parameters in its listing page, leading to reflected Cross-Site Scripting issues.

Type: Theme | Severity: MEDIUM | CVSS 6.1 | 2021-06-01
Threat Entry Updated 2024-11-21

CVE-2021-24329 - Before 1 Plugin

The WP Super Cache WordPress plugin before 1.7.3 did not properly sanitise its wp_cache_location parameter in its settings, which could lead to a Stored Cross-Site Scripting issue.

Type: Plugin | Severity: MEDIUM | CVSS 5.4 | 2021-06-01
Threat Entry Updated 2024-11-21

CVE-2021-24319 - Before 1 Theme

The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise its post_excerpt parameter before outputting it back in the shop/my-account/bello-listing-endpoint/ page, leading to a Cross-Site Scripting issue.

Type: Theme | Severity: MEDIUM | CVSS 5.4 | 2021-06-01
Threat Entry Updated 2024-11-21

CVE-2021-24331 - Before 1 Plugin

The Smooth Scroll Page Up/Down Buttons WordPress plugin before 1.4 did not properly sanitise and validate its settings, such as psb_distance, psb_buttonsize and psb_speed, only validating them client-side. This could allow high-privilege users (such as admins) to set XSS payloads in them.

Type: Plugin | Severity: MEDIUM | CVSS 4.8 | 2021-06-01
Threat Entry Updated 2024-11-21

CVE-2021-24330 - Before 1 Plugin

The Funnel Builder by CartFlows – Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high-privilege users to set XSS payloads in them, which will be executed either on pages generated by the plugin or on the whole website, depending on the settings used.

Type: Plugin | Severity: MEDIUM | CVSS 4.8 | 2021-06-01
Threat Entry Updated 2024-11-21

CVE-2021-24311 - Before 1 Plugin

The wp_ajax_upload-remote-file AJAX action of the External Media WordPress plugin before 1.0.34 was vulnerable to arbitrary file uploads by any authenticated user.

Type: Plugin | Severity: HIGH | CVSS 8.8 | 2021-06-01
Threat Entry Updated 2024-11-21

CVE-2021-24312 - Before 1 Plugin

The parameters $cache_path, $wp_cache_debug_ip, $wp_super_cache_front_page_text, $cache_scheduled_time, $cached_direct_pages used in the settings of WP Super Cache WordPress plugin before 1.7.3 result in RCE because they allow input of '$' and '\n'. This is due to an incomplete fix of CVE-2021-24209.

Type: Plugin | Severity: HIGH | CVSS 7.2 | 2021-06-01
Threat Entry Updated 2024-11-21

CVE-2021-24317 - Before 1 Theme

The Listeo WordPress theme before 1.6.11 did not properly sanitise some parameters in its Search, Booking Confirmation and Personal Message pages, leading to Cross-Site Scripting issues.

Type: Theme | Severity: MEDIUM | CVSS 6.1 | 2021-06-01
Threat Entry Updated 2024-11-21

CVE-2021-24313 - Before 1 Plugin

The WP Prayer WordPress plugin before 1.6.2 provides the functionality to store requested prayers/praises and list them on a WordPress website. These stored prayer/praise requests can be listed by using the WP Prayer engine. An authenticated WordPress user with any role can fill in the form to request a prayer. The form to request prayers or praises has several fields. The 'prayer request' and 'praise request' fields do not use proper input validation and can be used to store XSS payloads.

Type: Plugin | Severity: MEDIUM | CVSS 5.4 | 2021-06-01
Threat Entry Updated 2024-11-21

CVE-2021-24310 - Before 1 Plugin

The Photo Gallery by 10Web - Mobile-Friendly Image Gallery WordPress plugin before 1.5.67 did not properly sanitise the gallery title, allowing high-privilege users to create one with an XSS payload in it, which will be triggered when another user views the gallery list or the affected gallery in the admin dashboard. This is due to an incomplete fix of CVE-2019-16117.

Type: Plugin | Severity: MEDIUM | CVSS 4.8 | 2021-06-01
Threat Entry Updated 2024-11-21

CVE-2021-24300 - Before 1 Plugin

The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitise the keyword GET parameter, leading to a reflected Cross-Site Scripting issue.

Type: Plugin | Severity: MEDIUM | CVSS 6.1 | 2021-05-24
Threat Entry Updated 2024-11-21

CVE-2021-24326 - Before 1 Plugin

The tab parameter of the settings page of the All 404 Redirect to Homepage WordPress plugin before 1.21 was vulnerable to an authenticated reflected Cross-Site Scripting (XSS) issue as user input was not properly sanitised before being output in an attribute.

Type: Plugin | Severity: MEDIUM | CVSS 5.4 | 2021-05-17
Threat Entry Updated 2024-11-21

CVE-2021-24292 - Before 1 Plugin

The Happy Addons for Elementor WordPress plugin before 2.24.0 and Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method: the "Card" widget accepts a "title_tag" parameter. Although the element control lists a fixed set of possible HTML tags, it is possible to send a 'save_builder' request with the "heading_tag" set to "script", and the actual "title" parameter set to JavaScript to be executed within the script tags added…

Type: Plugin | Severity: MEDIUM | CVSS 5.4 | 2021-05-17