
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 632
Critical 40
High 107
Medium 472
Showing 601-620 of 632 records
Threat Entry Updated 2024-11-21

CVE-2021-24341 - Before 2 Plugin

When deleting a date in the Xllentech English Islamic Calendar WordPress plugin before 2.6.8, the year_number and month_number POST parameters are not sanitised, escaped or validated before being used in a SQL statement, leading to SQL injection.

PLUGIN Before 2

CVE-2021-24341

HIGH CVSS 8.8 2021-06-14
Threat Entry Updated 2024-11-21

CVE-2021-24357 - Before 2 Plugin

In the Best Image Gallery & Responsive Photo Gallery – FooGallery WordPress plugin before 2.0.35, the Custom CSS field of each gallery is not properly sanitised or validated before being output in the page where the gallery is embedded, leading to a stored Cross-Site Scripting issue.

PLUGIN Before 2

CVE-2021-24357

MEDIUM CVSS 5.4 2021-06-14
Threat Entry Updated 2024-11-21

CVE-2021-24355 - Before 2 Plugin

In the Simple 301 Redirects by BetterLinks WordPress plugin before 2.0.4, the lack of capability checks and insufficient nonce check on the AJAX actions, simple301redirects/admin/get_wildcard and simple301redirects/admin/wildcard, made it possible for authenticated users to retrieve and update the wildcard value for redirects.

PLUGIN Before 2

CVE-2021-24355

MEDIUM CVSS 4.3 2021-06-14
Threat Entry Updated 2024-11-21

CVE-2021-24322 - Before 2 Plugin

The Database Backup for WordPress plugin before 2.4 did not escape the backup_recipient POST parameter before outputting it back in the attribute of an HTML tag, leading to a Stored Cross-Site Scripting issue.

PLUGIN Before 2

CVE-2021-24322

MEDIUM CVSS 5.4 2021-06-01
Threat Entry Updated 2024-11-21

CVE-2021-24297 - Before 2 Theme

The Goto WordPress theme before 2.1 did not properly sanitize the formvalue JSON POST parameter in its tl_filter AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability.

THEME Before 2

CVE-2021-24297

MEDIUM CVSS 6.1 2021-05-24
Threat Entry Updated 2024-11-21

CVE-2021-24306 - Before 2 Plugin

The Ultimate Member – User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly sanitise, validate or encode the query string when generating a link to edit the user's own profile, leading to an authenticated reflected Cross-Site Scripting issue. Knowledge of the targeted username is required to exploit this, and attackers would then need to make the related logged-in user open a malicious link.

PLUGIN Before 2

CVE-2021-24306

MEDIUM CVSS 5.4 2021-05-24
Threat Entry Updated 2024-11-21

CVE-2021-24332 - Before 2 Plugin

The Autoptimize WordPress plugin before 2.8.4 was missing proper escaping and sanitisation in some of its settings, allowing high-privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues.

PLUGIN Before 2

CVE-2021-24332

MEDIUM CVSS 4.8 2021-05-24
Threat Entry Updated 2024-11-21

CVE-2021-24314 - Before 2 Theme

The Goto WordPress theme before 2.1 did not sanitise, validate or escape the keywords GET parameter from its listing page before using it in a SQL statement, leading to an Unauthenticated SQL injection issue.

THEME Before 2

CVE-2021-24314

CRITICAL CVSS 9.8 2021-05-17
Threat Entry Updated 2024-11-21

CVE-2021-24292 - Before 2 Plugin

The Happy Addons for Elementor WordPress plugin before 2.24.0 and Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method: The “Card” widget accepts a “title_tag” parameter. Although the element control lists a fixed set of possible HTML tags, it is possible to send a ‘save_builder’ request with the “heading_tag” set to “script”, and the actual “title” parameter set to JavaScript to be executed within the script tags added…

PLUGIN Before 2

CVE-2021-24292

MEDIUM CVSS 5.4 2021-05-17
Threat Entry Updated 2024-11-21

CVE-2021-24315 - Before 2 Plugin

The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.10.4 did not sanitise or escape the Background Image field of its Stripe Checkout Setting and Logo field in its Email settings, leading to authenticated (admin+) Stored XSS issues.

PLUGIN Before 2

CVE-2021-24315

MEDIUM CVSS 4.8 2021-05-17
Threat Entry Updated 2024-11-21

CVE-2021-24280 - Before 2 Plugin

In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects.

PLUGIN Before 2

CVE-2021-24280

HIGH CVSS 8.8 2021-05-14
Threat Entry Updated 2024-11-21

CVE-2021-24194 - Before 2 Plugin

Low-privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Login Protection - Limit Failed Login Attempts WordPress plugin before 2.9 to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugins on the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

PLUGIN Before 2

CVE-2021-24194

HIGH CVSS 8.8 2021-05-14
Threat Entry Updated 2024-11-21

CVE-2021-24193 - Before 2 Plugin

Low-privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12 to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugins on the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

PLUGIN Before 2

CVE-2021-24193

HIGH CVSS 8.8 2021-05-14
Threat Entry Updated 2024-11-21

CVE-2021-24192 - Before 2 Plugin

Low-privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Tree Sitemap WordPress plugin before 2.9 to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugins on the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

PLUGIN Before 2

CVE-2021-24192

HIGH CVSS 8.8 2021-05-14
Threat Entry Updated 2024-11-21

CVE-2021-24278 - Before 2 Plugin

In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function.

PLUGIN Before 2

CVE-2021-24278

HIGH CVSS 7.5 2021-05-14
Threat Entry Updated 2024-11-21

CVE-2021-24279 - Before 2 Plugin

In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress repository.

PLUGIN Before 2

CVE-2021-24279

MEDIUM CVSS 6.5 2021-05-14
Threat Entry Updated 2024-11-21

CVE-2021-24282 - Before 2 Plugin

In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For example, an attacker could use wpcf7r_reset_settings to reset the plugin’s settings, wpcf7r_add_action to add actions to a form, and more.

PLUGIN Before 2

CVE-2021-24282

MEDIUM CVSS 6.3 2021-05-14
Threat Entry Updated 2024-11-21

CVE-2021-24281 - Before 2 Plugin

In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site.

PLUGIN Before 2

CVE-2021-24281

MEDIUM CVSS 4.3 2021-05-14
Threat Entry Updated 2024-11-21

CVE-2021-24189 - Before 2 Plugin

Low-privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Captchinoo, Google recaptcha for admin login page WordPress plugin before 2.4 to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugins on the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

PLUGIN Before 2

CVE-2021-24189

HIGH CVSS 8.8 2021-05-14
Threat Entry Updated 2024-11-21

CVE-2021-24273 - Before 2 Plugin

The “Clever Addons for Elementor” WordPress Plugin before 2.1.0 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

PLUGIN Before 2

CVE-2021-24273

MEDIUM CVSS 5.4 2021-05-05