
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 632 | Critical: 40 | High: 107 | Medium: 472
Showing 461-480 of 632 records
Threat Entry Updated 2024-11-21

CVE-2022-0201 - Before 2 Plugin

The Permalink Manager Lite WordPress plugin before 2.2.15 and Permalink Manager Pro WordPress plugin before 2.2.15 do not sanitise and escape query parameters before outputting them back in the debug page, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Before 2

CVE-2022-0201

MEDIUM CVSS 6.1 2022-02-14
Threat Entry Updated 2024-11-21

CVE-2022-0149 - Before 2 Plugin

The WooCommerce Stored Exporter WordPress plugin before 2.7.1 was affected by a Reflected Cross-Site Scripting (XSS) vulnerability in the woo_ce admin page.

PLUGIN Before 2

CVE-2022-0149

MEDIUM CVSS 6.1 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2022-0148 - Before 2 Plugin

The All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs WordPress plugin before 2.0.4 was vulnerable to reflected XSS on the my-sticky-elements-leads admin page.

PLUGIN Before 2

CVE-2022-0148

MEDIUM CVSS 5.4 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-25114 - Before 2 Plugin

The Paid Memberships Pro WordPress plugin before 2.6.7 does not escape the discount_code in one of its REST routes (available to unauthenticated users) before using it in a SQL statement, leading to a SQL injection.

PLUGIN Before 2

CVE-2021-25114

CRITICAL CVSS 9.8 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-25108 - Before 2 Plugin

The IP2Location Country Blocker WordPress plugin before 2.26.6 does not have a CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged-in admin block an arbitrary country, or block all of them at once, preventing users from accessing the frontend.

PLUGIN Before 2

CVE-2021-25108

HIGH CVSS 7.1 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-25106 - Before 2 Plugin

The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages WordPress plugin before 2.7.1 does not check for authorisation and has flawed CSRF logic when saving its settings, allowing any authenticated user, such as a subscriber, to update them. Furthermore, due to the lack of sanitisation and escaping, this could lead to Stored Cross-Site Scripting.

PLUGIN Before 2

CVE-2021-25106

MEDIUM CVSS 5.4 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-25103 - Before 2 Plugin

The Translate WordPress with GTranslate WordPress plugin before 2.9.7 does not sanitise and escape the body parameter in the url_addon/gtranslate-email.php file before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. Note: exploitation of the issue requires knowledge of the NONCE_SALT and NONCE_KEY.

PLUGIN Before 2

CVE-2021-25103

MEDIUM CVSS 4.7 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-25095 - Before 2 Plugin

The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated user, such as a subscriber, to call it and block an arbitrary country, or block all of them at once, preventing users from accessing the frontend.

PLUGIN Before 2

CVE-2021-25095

HIGH CVSS 7.1 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-25077 - Before 2 Plugin

The Store Toolkit for WooCommerce WordPress plugin before 2.3.2 does not sanitise and escape the tab parameter before outputting it back in an admin page in an error message, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Before 2

CVE-2021-25077

MEDIUM CVSS 6.1 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-25084 - Before 2 Plugin

The Advanced Cron Manager WordPress plugin before 2.4.2 and Advanced Cron Manager Pro WordPress plugin before 2.5.3 do not have authorisation checks in some of their AJAX actions, allowing any authenticated user, such as a subscriber, to call them and, for example, add or remove events as well as schedules.

PLUGIN Before 2

CVE-2021-25084

MEDIUM CVSS 4.3 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-24879 - Before 2 Plugin

The SupportCandy WordPress plugin before 2.2.7 does not have a CSRF check in the wpsc_tickets AJAX action, nor any sanitisation or escaping in some of the filter fields, which could allow attackers to make a logged-in user with access to the ticket lists dashboard set an arbitrary filter (stored in their cookies) with an XSS payload in it.

PLUGIN Before 2

CVE-2021-24879

HIGH CVSS 8.8 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-24843 - Before 2 Plugin

The SupportCandy WordPress plugin before 2.2.7 does not have a CSRF check in its wpsc_tickets AJAX action, which could allow attackers to make a logged-in admin call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action.

PLUGIN Before 2

CVE-2021-24843

MEDIUM CVSS 6.5 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-24878 - Before 2 Plugin

The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the [wpsc_create_ticket] shortcode embedded, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Before 2

CVE-2021-24878

MEDIUM CVSS 6.1 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-24880 - Before 2 Plugin

The SupportCandy WordPress plugin before 2.2.7 does not validate and escape the page attribute of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

PLUGIN Before 2

CVE-2021-24880

MEDIUM CVSS 5.4 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-24839 - Before 2 Plugin

The SupportCandy WordPress plugin before 2.2.5 does not have authorisation and CSRF checks in its wpsc_tickets AJAX action, which could allow unauthenticated users to call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action. Other actions may be affected as well.

PLUGIN Before 2

CVE-2021-24839

HIGH CVSS 7.5 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-25063 - Before 2 Plugin

The Skins for Contact Form 7 WordPress plugin before 2.5.1 does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Before 2

CVE-2021-25063

MEDIUM CVSS 6.1 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-24919 - Before 2 Plugin

The Wicked Folders WordPress plugin before 2.8.10 does not sanitise and escape the folder_id parameter before using it in a SQL statement in the wicked_folders_save_sort_order AJAX action, available to any authenticated user, leading to an SQL injection.

PLUGIN Before 2

CVE-2021-24919

HIGH CVSS 8.8 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-24686 - Before 2 Plugin

The SVG Support WordPress plugin before 2.3.20 does not escape the "CSS Class to target" setting before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 2

CVE-2021-24686

MEDIUM CVSS 4.8 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-25083 - Before 2 Plugin

The Registrations for the Events Calendar WordPress plugin before 2.7.10 does not escape the qtype parameter before outputting it back in an attribute in the settings page, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Before 2

CVE-2021-25083

MEDIUM CVSS 6.1 2022-01-24