Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 632 records (Critical: 40, High: 107, Medium: 472)
Showing 481-500 of 632 records
Threat Entry Updated 2024-11-21

CVE-2021-25078 - Affiliates Manager Plugin

The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise or escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admins viewing the tracked requests.

MEDIUM CVSS 6.1 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25015 - myCred Plugin

The myCred WordPress plugin before 2.4 does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25008 - Code Snippets Plugin

The Code Snippets WordPress plugin before 2.14.3 does not escape the snippets-safe-mode parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-24968 - Ultimate FAQ Plugin

The Ultimate FAQ WordPress plugin before 2.1.2 does not have capability and CSRF checks in the ewd_ufaq_welcome_add_faq and ewd_ufaq_welcome_add_faq_page AJAX actions, which are available to any authenticated user. As a result, any user with a role as low as Subscriber could create FAQs and FAQ questions.

MEDIUM CVSS 5.7 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-24965 - Five Star Restaurant Reservations Plugin

The Five Star Restaurant Reservations WordPress plugin before 2.4.8 does not have capability and CSRF checks in the rtb_welcome_set_schedule AJAX action, allowing any authenticated user to call it. Due to the lack of sanitisation and escaping, users with a role as low as Subscriber could perform Cross-Site Scripting attacks against logged-in admins.

MEDIUM CVSS 5.4 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25061 - WP Booking System Plugin

The WP Booking System WordPress plugin before 2.0.15 was affected by a reflected Cross-Site Scripting issue in wp-booking-system on the wpbs-calendars admin page.

MEDIUM CVSS 5.4 2022-01-17
Threat Entry Updated 2024-11-21

CVE-2021-25053 - WP Coder Plugin

The WP Coder WordPress plugin before 2.5.2 allows an arbitrary file with a PHP extension (as well as data:// or http:// protocol URLs) to be passed to include() within the wow-company admin menu page, leading to RCE via CSRF.

HIGH CVSS 8.8 2022-01-10
Threat Entry Updated 2024-11-21

CVE-2021-25052 - Button Generator Plugin

The Button Generator WordPress plugin before 2.3.3 allows an arbitrary file with a PHP extension (as well as data:// or http:// protocol URLs) to be passed to include() within the wow-company admin menu page, leading to RCE via CSRF.

HIGH CVSS 8.8 2022-01-10
Threat Entry Updated 2024-11-21

CVE-2021-25032 - PublishPress Capabilities Plugin

The PublishPress Capabilities WordPress plugin before 2.3.1 and the PublishPress Capabilities Pro WordPress plugin before 2.3.1 do not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and do not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role, and thereby make any newly registered user an administrator.

CRITICAL CVSS 9.8 2022-01-10
Threat Entry Updated 2024-11-21

CVE-2021-25030 - Events Made Easy Plugin

The Events Made Easy WordPress plugin before 2.2.36 does not sanitise and escape the search_text parameter before using it in a SQL statement via the eme_searchmail AJAX action, which is available to any authenticated user. As a result, users with a role as low as Subscriber can call it and perform SQL injection attacks.

HIGH CVSS 8.8 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-25027 - PowerPack Addons for Elementor Plugin

The PowerPack Addons for Elementor WordPress plugin before 2.6.2 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-25016 - Chaty Plugin

The Chaty WordPress plugin before 2.8.3 and the Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-24991 - WooCommerce PDF Invoices & Packing Slips Plugin

The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.10.5 does not escape the tab and section parameters before outputting them back in an attribute, leading to a Reflected Cross-Site Scripting issue in the admin dashboard.

MEDIUM CVSS 4.8 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-24979 - Paid Memberships Pro Plugin

The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2021-12-27
Threat Entry Updated 2024-11-21

CVE-2021-24992 - Smart Floating / Sticky Buttons Plugin

The Smart Floating / Sticky Buttons WordPress plugin before 2.5.5 does not sanitise and escape some parameters before outputting them in attributes and pages, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2021-12-27
Threat Entry Updated 2024-11-21

CVE-2021-24941 - Popups, Welcome Bar, Optins and Lead Generation Plugin

The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.0.5 does not sanitise and escape the message_id parameter of the get_message_action_row AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2021-12-21
Threat Entry Updated 2024-11-21

CVE-2021-24578 - SportsPress Plugin

The SportsPress WordPress plugin before 2.7.9 does not sanitise and escape its match_day parameter before outputting it back in the Events backend page, leading to a Reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2021-12-21
Threat Entry Updated 2024-11-21

CVE-2021-24922 - Pixel Cat Plugin

The Pixel Cat WordPress plugin before 2.6.2 does not have a CSRF check when saving its settings, and does not sanitise or escape some of them, which could allow an attacker to make a logged-in admin change them and perform Cross-Site Scripting attacks.

CRITICAL CVSS 9.0 2021-12-13
Threat Entry Updated 2024-11-21

CVE-2021-24848 - Mediamatic Plugin

The mediamaticAjaxRenameCategory AJAX action of the Mediamatic WordPress plugin before 2.8.1, available to any authenticated user, does not sanitise the categoryID parameter before using it in a SQL statement, leading to an SQL injection.

HIGH CVSS 8.8 2021-12-13
Threat Entry Updated 2024-11-21

CVE-2021-24945 - Like Button Rating ♥ LikeBtn Plugin

The Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as a Subscriber, to obtain a list of the email and IP addresses of people who liked content on the blog.

HIGH CVSS 8.0 2021-12-13