Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 443 records (Critical: 34, High: 82, Medium: 311)
Showing 341-360 of 443 records

CVE-2021-24696 - Before 3 Plugin
HIGH, CVSS 8.8, 2022-01-24 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The Simple Download Monitor WordPress plugin before 3.9.9 does not enforce nonce checks, which could allow attackers to perform CSRF attacks to 1) make admins export logs to exploit a separate log disclosure vulnerability (fixed in 3.9.6), 2) delete logs (fixed in 3.9.9), 3) remove thumbnail images from downloads.

CVE-2021-24906 - Before 3 Plugin
HIGH, CVSS 7.5, 2022-01-24 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The Protect WP Admin WordPress plugin before 3.6.2 does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin (and therefore the protection it offers) via a crafted request.

CVE-2021-24923 - Before 3 Plugin
MEDIUM, CVSS 6.1, 2022-01-24 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.25 does not escape the sib-statistics-date parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.

CVE-2021-24694 - Before 3 Plugin
MEDIUM, CVSS 5.4, 2022-01-24 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via 1) the "color" or "css_class" argument of the sdm_download shortcode, 2) the "class" or "placeholder" argument of the sdm_search_form shortcode.

CVE-2021-24893 - Before 3 Plugin
HIGH, CVSS 7.5, 2022-01-03 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The Stars Rating WordPress plugin before 3.5.1 does not validate the submitted rating, allowing submission of a long integer and causing a Denial of Service in the comments section or in the pending comments dashboard, depending on whether the user submitted it unauthenticated or authenticated.

CVE-2021-24998 - Before 3 Plugin
HIGH, CVSS 7.5, 2021-12-27 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation.

CVE-2021-24984 - Before 3 Plugin
MEDIUM, CVSS 6.1, 2021-12-27 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The WPFront User Role Editor WordPress plugin before 3.2.1.11184 does not sanitise and escape the changes-saved parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue.

CVE-2021-24969 - Before 3 Plugin
MEDIUM, CVSS 5.4, 2021-12-27 (entry updated 2025-03-21)
Tags: PLUGIN, Before 3

The WordPress Download Manager WordPress plugin before 3.2.22 does not sanitise and escape Template data before outputting it in various pages (such as the admin dashboard and the frontend). Due to the lack of authorisation and CSRF checks in the wpdm_save_template AJAX action, any authenticated user, such as a subscriber, is able to call it and perform Cross-Site Scripting attacks.

CVE-2021-24797 - Before 3 Plugin
MEDIUM, CVSS 6.1, 2021-12-27 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The Tickera WordPress plugin before 3.4.8.3 does not properly sanitise and escape the Name fields of booked Events before outputting them in the Orders admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins.

CVE-2021-24849 - Before 3 Plugin
CRITICAL, CVSS 9.8, 2021-12-21 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated users, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injection.

CVE-2021-24739 - Before 3 Plugin
HIGH, CVSS 8.1, 2021-12-21 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The Logo Carousel WordPress plugin before 3.4.2 allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature.

CVE-2021-24738 - Before 3 Plugin
MEDIUM, CVSS 5.4, 2021-12-21 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The Logo Carousel WordPress plugin before 3.4.2 does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.

CVE-2021-24955 - Before 3 Plugin
MEDIUM, CVSS 6.1, 2021-12-13 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not escape the data parameter of the pp_get_forms_by_builder_type AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.

CVE-2021-24954 - Before 3 Plugin
MEDIUM, CVSS 6.1, 2021-12-13 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not sanitise and escape the ppress_cc_data parameter before outputting it back in an attribute of an admin dashboard page, leading to a Reflected Cross-Site Scripting issue.

CVE-2021-24932 - Before 3 Plugin
MEDIUM, CVSS 6.1, 2021-12-13 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.3 does not sanitise and escape the post_id parameter before outputting it back in an admin page within a JS block, leading to a Reflected Cross-Site Scripting issue.

CVE-2021-24747 - Before 3 Plugin
HIGH, CVSS 7.2, 2021-12-13 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The SEO Booster WordPress plugin before 3.8 allows authenticated SQL injection via the "fn_my_ajaxified_dataloader_ajax" AJAX request, as the $_REQUEST['order'][0]['dir'] parameter is not properly escaped, leading to blind and error-based SQL injections.

CVE-2021-24939 - Before 3 Plugin
MEDIUM, CVSS 6.1, 2021-12-06 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The LoginWP (Formerly Peter's Login Redirect) WordPress plugin before 3.0.0.5 does not sanitise and escape the rul_login_url and rul_logout_url parameters before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issue.

CVE-2021-24935 - Before 3 Plugin
MEDIUM, CVSS 6.1, 2021-12-06 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The WP Google Fonts WordPress plugin before 3.1.5 does not escape the googlefont_ajax_name and googlefont_ajax_family parameters of the googlefont_action AJAX action (available to any authenticated user) before outputting them in attributes, leading to Reflected Cross-Site Scripting issues.

CVE-2021-24714 - Before 3 Plugin
MEDIUM, CVSS 4.8, 2021-12-06 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The Import any XML or CSV File to WordPress plugin before 3.6.3 does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could allow high privilege users to perform Cross-Site attacks even when the unfiltered_html capability is disallowed.

CVE-2021-24927 - Before 3 Plugin
MEDIUM, CVSS 5.4, 2021-11-29 (entry updated 2024-11-21)
Tags: PLUGIN, Before 3

The My Calendar WordPress plugin before 3.2.18 does not sanitise and escape the callback parameter of the mc_post_lookup AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.