Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 808 | Critical 39 | High 132 | Medium 616
Showing 781-800 of 808 records
CVE-2021-24256 - Before 1 Plugin
MEDIUM | CVSS 5.4 | 2021-05-05 | Entry updated 2024-11-21

The “Elementor – Header, Footer & Blocks Template” WordPress Plugin before 1.5.8 has two widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24238 - Before 1 Plugin
MEDIUM | CVSS 6.5 | 2021-04-22 | Entry updated 2024-11-21

The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not ensure that the requested property to be deleted belongs to the user making the request, allowing any authenticated user to delete arbitrary properties by tampering with the property_id parameter.
CVE-2021-24237 - Before 1 Plugin
MEDIUM | CVSS 6.1 | 2021-04-22 | Entry updated 2024-11-21

The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not properly sanitise the keyword_search, search_radius, _bedrooms and _bathrooms GET parameters before outputting them in its properties page, leading to an unauthenticated reflected Cross-Site Scripting issue.
CVE-2021-24233 - Before 1 Plugin
MEDIUM | CVSS 6.1 | 2021-04-22 | Entry updated 2024-11-21

The Cooked Pro WordPress plugin before 1.7.5.6 was affected by unauthenticated reflected Cross-Site Scripting issues, due to improper sanitisation of user input while being output back in pages as an arbitrary attribute.
CVE-2021-24232 - Before 1 Plugin
MEDIUM | CVSS 5.4 | 2021-04-22 | Entry updated 2024-11-21

The Advanced Booking Calendar WordPress plugin before 1.6.8 does not sanitise the license error message when output in the settings page, leading to an authenticated reflected Cross-Site Scripting issue.
CVE-2021-24242 - Before 1 Plugin
LOW | CVSS 3.8 | 2021-04-22 | Entry updated 2024-11-21

The Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.8 is affected by a local file inclusion vulnerability through the maliciously constructed sub_page parameter of the plugin's Tools, allowing high privilege users to include any local php file.
CVE-2021-24229 - Before 1 Plugin
CRITICAL | CVSS 9.6 | 2021-04-12 | Entry updated 2024-11-21

The Jetpack Scan team identified a Reflected Cross-Site Scripting via the patreon_save_attachment_patreon_level AJAX action of the Patreon WordPress plugin before 1.7.2. This AJAX hook is used to update the pledge level required by Patreon subscribers to access a given attachment. This action is accessible for user accounts with the ‘manage_options’ privilege (i.e., only administrators). Unfortunately, one of the parameters used in this AJAX endpoint is not sanitized before being printed back to the user, so the risk it represents is the same as the previous XSS vulnerability.
CVE-2021-24228 - Before 1 Plugin
CRITICAL | CVSS 9.6 | 2021-04-12 | Entry updated 2024-11-21

The Jetpack Scan team identified a Reflected Cross-Site Scripting in the Login Form of the Patreon WordPress plugin before 1.7.2. The WordPress login form (wp-login.php) is hooked by the plugin and offers to allow users to authenticate on the site using their Patreon account. Unfortunately, some of the error logging logic behind the scene allowed user-controlled input to be reflected on the login page, unsanitized.
CVE-2021-24230 - Before 1 Plugin
HIGH | CVSS 8.1 | 2021-04-12 | Entry updated 2024-11-21

The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged in user overwrite or create arbitrary user metadata on the victim’s account once visited. If exploited, this bug can be used to overwrite the “wp_capabilities” meta, which contains the affected user account’s roles and privileges. Doing this would essentially lock them out of the site, blocking them from accessing paid content.
CVE-2021-24231 - Before 1 Plugin
MEDIUM | CVSS 6.5 | 2021-04-12 | Entry updated 2024-11-21

The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged-in administrator disconnect the site from Patreon by visiting a specially crafted link.
CVE-2021-24215 - Before 1 Plugin
CRITICAL | CVSS 9.8 | 2021-04-12 | Entry updated 2024-11-21

An Improper Access Control vulnerability was discovered in the Controlled Admin Access WordPress plugin before 1.5.2. Uncontrolled access to the website customization functionality and global CMS settings, like /wp-admin/customization.php and /wp-admin/options.php, can lead to a complete compromise of the target resource.
CVE-2021-24227 - Before 1 Plugin
HIGH | CVSS 7.5 | 2021-04-12 | Entry updated 2024-11-21

The Jetpack Scan team identified a Local File Disclosure vulnerability in the Patreon WordPress plugin before 1.7.0 that could be abused by anyone visiting the site. Using this attack vector, an attacker could leak important internal files like wp-config.php, which contains database credentials and cryptographic keys used in the generation of nonces and cookies.
CVE-2021-24225 - Before 1 Plugin
MEDIUM | CVSS 5.4 | 2021-04-12 | Entry updated 2024-11-21

The Advanced Booking Calendar WordPress plugin before 1.6.7 did not sanitise the calId GET parameter in the "Seasons & Calendars" page before outputting it in an A tag, leading to a reflected XSS issue.
CVE-2021-24219 - Before 1 Plugin
MEDIUM | CVSS 5.3 | 2021-04-12 | Entry updated 2024-11-21

The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before 2.3.9.4, Thrive Quiz Builder WordPress plugin before 2.3.9.4, Thrive Apprentice WordPress plugin before 2.3.9.4, Thrive Visual Editor WordPress plugin before 2.6.7.4, Thrive Dashboard WordPress plugin before 2.3.9.3, Thrive Ovation WordPress plugin before 2.4.5, Thrive Clever Widgets WordPress plugin before 1.57.1 and Rise by Thrive Themes WordPress theme before 2.0.0, Ignition by Thrive Themes WordPress theme before 2.0.0, Luxe by…
CVE-2021-24209 - Before 1 Plugin
HIGH | CVSS 7.2 | 2021-04-05 | Entry updated 2024-11-21

The WP Super Cache WordPress plugin before 1.7.2 was affected by an authenticated (admin+) RCE in the settings page due to input validation failure and weak $cache_path check in the WP Super Cache Settings -> Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for a web shell injection.
CVE-2021-24210 - Before 1 Plugin
MEDIUM | CVSS 6.1 | 2021-04-05 | Entry updated 2024-11-21

There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to malform a request to a page with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year ago (https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/) that says that the php involved in the request only goes to whitelisted pages, but it's possible to redirect the victim to any domain.
CVE-2021-24208 - Before 1 Plugin
MEDIUM | CVSS 5.4 | 2021-04-05 | Entry updated 2024-11-21

The editor of the WP Page Builder WordPress plugin before 1.2.4 allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the “Raw HTML” widget and the “Custom HTML” widgets (though the custom HTML widget requires sending a crafted request - it appears that this widget uses some form of client side validation but not server side validation), all of which are added via the “page_builder_data” parameter when performing the “wppb_page_save” AJAX action. It is also possible to insert malicious JavaScript via the “wppb_page_css” parameter (this can be…
CVE-2021-24207 - Before 1 Plugin
MEDIUM | CVSS 4.3 | 2021-04-05 | Entry updated 2024-11-21

By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts and pages - user roles must be specifically blocked from editing posts and pages.
CVE-2021-24184 - Before 1 Plugin
HIGH | CVSS 8.8 | 2021-04-05 | Entry updated 2024-11-21

Several AJAX endpoints in the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 were unprotected, allowing students to modify course information and elevate their privileges among many other actions.
CVE-2021-24186 - Before 1 Plugin
MEDIUM | CVSS 6.5 | 2021-04-05 | Entry updated 2024-11-21

The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students.