Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 443 records (Critical 34, High 82, Medium 311)
Showing 321-340 of 443 records
Threat Entry Updated 2024-11-21

CVE-2022-0684 - WP Home Page Menu WordPress plugin, versions before 3.1

The WP Home Page Menu WordPress plugin before 3.1 does not sanitise and escape its settings, allowing high-privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM, CVSS 4.8, 2022-03-14
Threat Entry Updated 2024-11-21

CVE-2022-0478 - Event Manager and Tickets Selling for WooCommerce WordPress plugin, versions before 3.5.8

The Event Manager and Tickets Selling for WooCommerce WordPress plugin before 3.5.8 does not validate and escape the post_author_gutenberg parameter before using it in a SQL statement when creating or editing events, which could allow users with a role as low as Contributor to perform SQL Injection attacks.

HIGH, CVSS 8.8, 2022-03-14
Threat Entry Updated 2024-11-21

CVE-2022-0321 - WP Voting Contest WordPress plugin, versions before 3.0

The WP Voting Contest WordPress plugin before 3.0 does not sanitise and escape the post_id parameter before outputting it back in the response of the wpvc_social_share_icons AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting issue.

MEDIUM, CVSS 6.1, 2022-03-14
Threat Entry Updated 2024-11-21

CVE-2021-24692 - Simple Download Monitor WordPress plugin, versions before 3.9.5

The Simple Download Monitor WordPress plugin before 3.9.5 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector.

MEDIUM, CVSS 6.5, 2022-03-14
Threat Entry Updated 2024-11-21

CVE-2022-0533 - Ditty (formerly Ditty News Ticker) WordPress plugin, versions before 3.0.15

The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cross-Site Scripting (XSS) vulnerability.

MEDIUM, CVSS 6.1, 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2022-0384 - Video Conferencing with Zoom WordPress plugin, versions before 3.8.17

The Video Conferencing with Zoom WordPress plugin before 3.8.17 does not have an authorisation check in its vczapi_get_wp_users AJAX action, allowing any authenticated user, such as a subscriber, to download the list of email addresses registered on the blog.

MEDIUM, CVSS 4.3, 2022-03-07
Threat Entry Updated 2025-03-21

CVE-2021-25087 - Download Manager WordPress plugin, versions before 3.2.35

The Download Manager WordPress plugin before 3.2.35 does not have any authorisation checks in some of its REST API endpoints, allowing unauthenticated attackers to call them, which could lead to sensitive information disclosure such as post passwords (fixed in 3.2.24) and file Master Keys (fixed in 3.2.25).

HIGH, CVSS 7.5, 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2021-24810 - WP Event Manager WordPress plugin, versions before 3.1.23

The WP Event Manager WordPress plugin before 3.1.23 does not escape some of its Field Editor settings when outputting them, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM, CVSS 4.8, 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2021-25010 - Post Snippets WordPress plugin, versions before 3.1.4

The Post Snippets WordPress plugin before 3.1.4 does not have a CSRF check when importing files, allowing an attacker to make a logged-in admin import arbitrary snippets. Furthermore, imported snippets are not sanitised and escaped, which could lead to Stored Cross-Site Scripting issues.

CRITICAL, CVSS 9.6, 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-24971 - WP Responsive Menu WordPress plugin, versions before 3.1.7.1

The WP Responsive Menu WordPress plugin before 3.1.7.1 does not have capability and CSRF checks in the wpr_live_update AJAX action, and does not sanitise and escape some of the submitted data. As a result, any authenticated user, such as a subscriber, could update the plugin's settings and perform Cross-Site Scripting attacks against all visitors and users on the frontend.

MEDIUM, CVSS 5.4, 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-24823 - Support Board WordPress plugin, versions before 3.3.6

The Support Board WordPress plugin before 3.3.6 does not have any CSRF checks in the actions handled by its include/ajax.php file, which could allow attackers to make logged-in users perform unwanted actions, for example making an admin delete arbitrary files.

HIGH, CVSS 8.1, 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2022-0186 - Image Photo Gallery Final Tiles Grid WordPress plugin, versions before 3.5.3

The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.5.3 does not sanitise and escape the Description field when editing a gallery, allowing users with a role as low as Contributor to perform Cross-Site Scripting attacks against other users with access to the gallery dashboard.

MEDIUM, CVSS 5.4, 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2022-0199 - Coming soon and Maintenance mode WordPress plugin, versions before 3.6.8

The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have a CSRF check in its coming_soon_send_mail AJAX action, allowing attackers to make a logged-in admin send arbitrary emails to all subscribed users via a CSRF attack.

MEDIUM, CVSS 4.3, 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2022-0164 - Coming soon and Maintenance mode WordPress plugin, versions before 3.5.3

The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated user with a role as low as Subscriber to send arbitrary emails to all subscribed users.

MEDIUM, CVSS 4.3, 2022-02-21
Threat Entry Updated 2025-03-21

CVE-2021-25069 - Download Manager WordPress plugin, versions before 3.2.34

The Download Manager WordPress plugin before 3.2.34 does not sanitise and escape the package_ids parameter before using it in a SQL statement, leading to a SQL injection that can also be exploited to cause a Reflected Cross-Site Scripting issue.

HIGH, CVSS 8.8, 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2021-24921 - Advanced Database Cleaner WordPress plugin, versions before 3.0.4

The Advanced Database Cleaner WordPress plugin before 3.0.4 does not sanitise and escape $_GET keys and values before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues.

MEDIUM, CVSS 6.1, 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2021-24874 - Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin, versions before 3.1.31

The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.31 does not escape the lang and pid parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues.

MEDIUM, CVSS 6.1, 2022-02-14
Threat Entry Updated 2024-11-21

CVE-2021-24928 - Rearrange Woocommerce Products WordPress plugin, versions before 3.0.8

The Rearrange Woocommerce Products WordPress plugin before 3.0.8 does not have proper access controls in the save_all_order AJAX action, nor validation and escaping when inserting user data into a SQL statement, leading to a SQL injection and allowing any authenticated user, such as a subscriber, to modify arbitrary post content (for example with an XSS payload) as well as exfiltrate any data by copying it into another post.

MEDIUM, CVSS 6.5, 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-25076 - WP User Frontend WordPress plugin, versions before 3.5.26

The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to a SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting.

HIGH, CVSS 8.8, 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-24976 - Smart SEO Tool WordPress plugin, versions before 3.0.6

The Smart SEO Tool WordPress plugin before 3.0.6 does not sanitise and escape the search parameter before outputting it back in an attribute when the TDK optimisation setting is enabled, leading to a Reflected Cross-Site Scripting issue.

MEDIUM, CVSS 6.1, 2022-01-24
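Every entry on this page is scoped as "plugin before X.Y.Z", so the practical question for a site owner is whether an installed plugin version falls below the fixed version. The script below is an added example, not code from this threat database or from any of the plugins listed: it transcribes a subset of the entries above into a constraint table, reads the Plugin Name and Version fields out of constructed sample plugin headers (the same header format WordPress itself parses), and flags affected installs. Version comparison follows numeric dotted versions only, where a missing trailing component counts as lower (so 3.1.7 is affected by "before 3.1.7.1"); this agrees with PHP's version_compare() for such strings, and the handling of pre-release suffixes is deliberately left out. Matching on the plugin's display name is an assumption; a real deployment should key on the plugin slug.

```python
"""Triage of installed WordPress plugins against the 'before X.Y.Z' advisories on this page.

Added example; the ADVISORIES table is transcribed from the listing, the sample
plugin headers are constructed input, not files from the real plugins.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    plugin: str      # plugin name as written in the advisory text
    fixed_in: str    # the version named after "before": first unaffected release
    severity: str
    cvss: float


# Transcribed from the entries above (subset).
ADVISORIES = [
    Advisory("CVE-2022-0684", "WP Home Page Menu", "3.1", "MEDIUM", 4.8),
    Advisory("CVE-2022-0478", "Event Manager and Tickets Selling for WooCommerce", "3.5.8", "HIGH", 8.8),
    Advisory("CVE-2021-24692", "Simple Download Monitor", "3.9.5", "MEDIUM", 6.5),
    Advisory("CVE-2021-25087", "Download Manager", "3.2.35", "HIGH", 7.5),
    Advisory("CVE-2021-25010", "Post Snippets", "3.1.4", "CRITICAL", 9.6),
    Advisory("CVE-2021-24971", "WP Responsive Menu", "3.1.7.1", "MEDIUM", 5.4),
    Advisory("CVE-2021-25069", "Download Manager", "3.2.34", "HIGH", 8.8),
]

# Constructed sample input: main-file headers as WordPress expects them.
SAMPLE_PLUGIN_FILES = {
    "wp-responsive-menu/wp-responsive-menu.php": "<?php\n/*\nPlugin Name: WP Responsive Menu\nVersion: 3.1.7\n*/\n",
    "download-manager/download-manager.php": "<?php\n/**\n * Plugin Name: Download Manager\n * Version: 3.2.34\n */\n",
    "post-snippets/post-snippets.php": "<?php\n/*\nPlugin Name: Post Snippets\nVersion: 3.1.4\n*/\n",
}

# Same leading-junk tolerance as WordPress's header parser: spaces, tabs, /, *, #, @.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t]*$", re.M)


def version_tuple(version: str) -> tuple:
    """'3.1.7.1' -> (3, 1, 7, 1). Refuses non-numeric components rather than guessing."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str, fixed_in: str) -> bool:
    """True when installed < fixed_in. Python tuple ordering makes a shorter prefix
    compare lower, e.g. (3, 1, 7) < (3, 1, 7, 1), matching version_compare()."""
    return version_tuple(installed) < version_tuple(fixed_in)


def parse_plugin_header(source: str):
    """Return (plugin_name, version) from a plugin main-file header, or None if missing."""
    fields = {m.group(1): m.group(2) for m in HEADER_RE.finditer(source)}
    if "Plugin Name" in fields and "Version" in fields:
        return fields["Plugin Name"], fields["Version"]
    return None


def triage(installed_plugins):
    """installed_plugins: iterable of (name, version).
    Returns (cve, name, installed, fixed_in, severity, cvss) tuples, highest CVSS first.
    Assumption: the header's Plugin Name equals the advisory's plugin name (case-insensitive)."""
    hits = []
    for name, version in installed_plugins:
        for adv in ADVISORIES:
            if name.strip().lower() == adv.plugin.lower() and is_affected(version, adv.fixed_in):
                hits.append((adv.cve, name, version, adv.fixed_in, adv.severity, adv.cvss))
    hits.sort(key=lambda h: h[5], reverse=True)
    return hits


def run(plugin_files=SAMPLE_PLUGIN_FILES):
    """Parse every plugin file and triage the results."""
    installed = [p for p in (parse_plugin_header(src) for src in plugin_files.values()) if p]
    return triage(installed)


if __name__ == "__main__":
    for cve, name, version, fixed_in, severity, cvss in run():
        print(f"{cve}: {name} {version} is affected (fixed in {fixed_in}), {severity} CVSS {cvss}")
```

On the sample input the script reports Download Manager 3.2.34 as affected by CVE-2021-25087 (fixed in 3.2.35) but not by CVE-2021-25069 (fixed in 3.2.34), and WP Responsive Menu 3.1.7 as affected by CVE-2021-24971 because 3.1.7 sorts below 3.1.7.1; Post Snippets 3.1.4 is clean. To use it against a real install, feed the contents of each wp-content/plugins/<slug>/<main-file>.php into run() and extend ADVISORIES from the rest of the listing.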