
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 443 · Critical 34 · High 82 · Medium 311
Showing 361-380 of 443 records
Threat Entry Updated 2024-11-21

CVE-2021-24889 - Before 3 Plugin

The Ninja Forms Contact Form WordPress plugin before 3.6.4 does not escape keys of the fields POST parameter, which could allow high privilege users to perform SQL injection attacks.

PLUGIN Before 3

CVE-2021-24889

HIGH CVSS 7.2 2021-11-29
Threat Entry Updated 2024-11-21

CVE-2021-24860 - Before 3 Plugin

The BSK PDF Manager WordPress plugin before 3.1.2 does not validate and escape the orderby and order parameters before using them in a SQL statement, leading to a SQL injection issue

PLUGIN Before 3

CVE-2021-24860

HIGH CVSS 7.2 2021-11-29
Threat Entry Updated 2024-11-21

CVE-2021-24891 - Before 3 Plugin

The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue.

PLUGIN Before 3

CVE-2021-24891

MEDIUM CVSS 6.1 2021-11-23
Threat Entry Updated 2024-11-21

CVE-2021-24875 - Before 3 Plugin

The eCommerce Product Catalog Plugin for WordPress plugin before 3.0.39 does not escape the ic-settings-search parameter before outputting it back in the page in an attribute, leading to a Reflected Cross-Site Scripting issue

PLUGIN Before 3

CVE-2021-24875

MEDIUM CVSS 6.1 2021-11-23
Threat Entry Updated 2024-11-21

CVE-2021-24888 - Before 3 Plugin

The ImageBoss WordPress plugin before 3.0.6 does not sanitise and escape its Source Name setting, which could allow high privilege users to perform Cross-Site Scripting attacks

PLUGIN Before 3

CVE-2021-24888

MEDIUM CVSS 4.8 2021-11-23
Threat Entry Updated 2026-01-23

CVE-2021-24713 - Before 3 Plugin

The Video Lessons Manager WordPress plugin before 1.7.2 and Video Lessons Manager Pro WordPress plugin before 3.5.9 do not properly sanitize and escape values when updating their settings, which could allow high privilege users to perform Cross-Site Scripting attacks

PLUGIN Before 3

CVE-2021-24713

MEDIUM CVSS 4.8 2021-11-23
Threat Entry Updated 2024-11-21

CVE-2021-24850 - Before 3 Plugin

The Insert Pages WordPress plugin before 3.7.0 adds a shortcode that prints out other pages' content and custom fields. It can be used by users with a role as low as Contributor to perform Cross-Site Scripting attacks by storing the payload/s in another post's custom fields.

PLUGIN Before 3

CVE-2021-24850

MEDIUM CVSS 5.4 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24851 - Before 3 Plugin

The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (i.e. private), using a shortcode. Password protected posts/pages are not affected by this issue.

PLUGIN Before 3

CVE-2021-24851

MEDIUM CVSS 4.3 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24804 - Before 3 Plugin

The Simple JWT Login WordPress plugin before 3.2.1 does not have nonce checks when saving its settings, allowing attackers to make a logged-in admin change them. Settings such as the HMAC verification secret, account registration and default user roles can be updated, which could result in site takeover.

PLUGIN Before 3

CVE-2021-24804

HIGH CVSS 8.8 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24772 - Before 3 Plugin

The Stream WordPress plugin before 3.8.2 does not sanitise and validate the order GET parameter from the Stream Records admin dashboard before using it in a SQL statement, leading to an SQL injection issue.

PLUGIN Before 3

CVE-2021-24772

HIGH CVSS 8.8 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24829 - Before 3 Plugin

The Visitor Traffic Real Time Statistics WordPress plugin before 3.9 does not validate and escape user input passed to the today_traffic_index AJAX action (available to any authenticated user) before using it in a SQL statement, leading to an SQL injection issue.

PLUGIN Before 3

CVE-2021-24829

HIGH CVSS 8.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24807 - Before 3 Plugin

The Support Board WordPress plugin before 3.3.5 allows authenticated (Agent+) users to perform Cross-Site Scripting attacks by placing a payload in the notes field; when an administrator or any authenticated user goes to the chat, the XSS is executed automatically.

PLUGIN Before 3

CVE-2021-24807

MEDIUM CVSS 5.4 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24840 - Before 3 Theme

The Squaretype WordPress theme before 3.0.4 allows unauthenticated users to manipulate the query_vars used to retrieve the posts to display in one of its REST endpoints, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request.

THEME Before 3

CVE-2021-24840

MEDIUM CVSS 5.3 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24816 - Before 3 Plugin

The Phoenix Media Rename WordPress plugin before 3.4.4 does not have capability checks in its phoenix_media_rename AJAX action, which could allow users with Author roles to rename any uploaded media files, including ones they do not own.

PLUGIN Before 3

CVE-2021-24816

MEDIUM CVSS 4.3 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24731 - Before 3 Plugin

The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection.

PLUGIN Before 3

CVE-2021-24731

CRITICAL CVSS 9.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24693 - Before 3 Plugin

The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the "File Thumbnail" post meta before outputting it in some pages, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Given that the XSS is triggered even when the Download is in a review state, a contributor could make JavaScript code execute in the context of a reviewer such as an admin and make them create a rogue admin account, or install a malicious plugin.

PLUGIN Before 3

CVE-2021-24693

CRITICAL CVSS 9.0 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24695 - Before 3 Plugin

The Simple Download Monitor WordPress plugin before 3.9.6 saves logs in a predictable location, and does not have any authentication or authorisation in place to prevent unauthenticated users from downloading and reading the logs, which contain sensitive information such as IP addresses and usernames.

PLUGIN Before 3

CVE-2021-24695

HIGH CVSS 7.5 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24766 - Before 3 Plugin

The 404 to 301 – Redirect, Log and Notify 404 Errors WordPress plugin before 3.0.9 does not have a CSRF check in place when cleaning the logs, which could allow an attacker to make a logged-in admin delete all of them via a CSRF attack.

PLUGIN Before 3

CVE-2021-24766

MEDIUM CVSS 6.5 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24697 - Before 3 Plugin

The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the 1) sdm_active_tab GET parameter and 2) sdm_stats_start_date/sdm_stats_end_date POST parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

PLUGIN Before 3

CVE-2021-24697

MEDIUM CVSS 6.1 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24706 - Before 3 Plugin

The Qwizcards – online quizzes and flashcards WordPress plugin before 3.62 does not properly sanitize and escape some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 3

CVE-2021-24706

MEDIUM CVSS 4.8 2021-11-08