Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-21

CVE-2021-25082 - Before 4 Plugin

The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to an RCE vulnerability via wrappers such as PHAR.

HIGH CVSS 8.8 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2021-25101 - Before 4 Plugin

The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.20.94 does not sanitise and escape the POST data before outputting it back in attributes of an admin page, leading to a Reflected Cross-Site Scripting issue. Due to the presence of a specific parameter value, available to admin users, this can only be exploited by an admin against another admin user.

MEDIUM CVSS 4.8 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2021-25072 - Before 4 Plugin

The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.25 does not have a CSRF check in place when deleting items, allowing an attacker to make a logged-in admin delete arbitrary posts via a CSRF attack.

MEDIUM CVSS 6.5 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-24975 - Before 4 Plugin

The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.24 does not sanitise and escape logged requests before outputting them in the related admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-24900 - Before 4 Plugin

The Ninja Tables WordPress plugin before 4.1.8 does not sanitise and escape some of its table fields, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-25074 - Before 4 Plugin

The WebP Converter for Media WordPress plugin before 4.0.3 contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an Open Redirect issue.

MEDIUM CVSS 6.1 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25065 - Before 4 Plugin

The Smash Balloon Social Post Feed WordPress plugin before 4.1.1 was affected by a reflected XSS in custom-facebook-feed on the cff-top admin page.

MEDIUM CVSS 5.4 2022-01-17
Threat Entry Updated 2024-11-21

CVE-2021-25036 - Before 4 Plugin

The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites.

HIGH CVSS 8.8 2022-01-17
Threat Entry Updated 2024-11-21

CVE-2021-25037 - Before 4 Plugin

The All in One SEO WordPress plugin before 4.1.5.3 is affected by an authenticated SQL injection issue, which was discovered during an internal audit by the Jetpack Scan team, and could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords).

MEDIUM CVSS 6.5 2022-01-17
Threat Entry Updated 2024-11-21

CVE-2021-25023 - Before 4 Plugin

The Speed Booster Pack ⚡ PageSpeed Optimization Suite WordPress plugin before 4.3.3.1 does not escape the sbp_convert_table_name parameter before using it in a SQL statement to convert the related table, leading to an SQL injection.

HIGH CVSS 7.2 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-25021 - Before 4 Plugin

The OMGF | Host Google Fonts Locally WordPress plugin before 4.5.12 does not validate the cache directory setting, allowing high-privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin.

MEDIUM CVSS 4.9 2022-01-03
Threat Entry Updated 2025-05-22

CVE-2021-24786 - Before 4 Plugin

The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue.

HIGH CVSS 7.2 2022-01-03
Threat Entry Updated 2025-05-22

CVE-2021-24964 - Before 4 Plugin

The LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of the endpoints could be used to set CSS code if a setting is enabled, which will then be output in some pages without being sanitised and escaped. Combining those two issues, an unauthenticated attacker could put Cross-Site Scripting payloads in pages visited by users.

MEDIUM CVSS 6.1 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-25020 - Before 4 Plugin

The CAOS | Host Google Analytics Locally WordPress plugin before 4.1.9 does not validate the cache directory setting, allowing high-privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin.

MEDIUM CVSS 4.9 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-24963 - Before 4 Plugin

The LiteSpeed Cache WordPress plugin before 4.4.4 does not escape the qc_res parameter before outputting it back in the JS code of an admin page, leading to a Reflected Cross-Site Scripting issue.

MEDIUM CVSS 4.8 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-24980 - Before 4 Plugin

The Gwolle Guestbook WordPress plugin before 4.2.0 does not sanitise and escape the gwolle_gb_user_email parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue in an admin page.

MEDIUM CVSS 6.1 2021-12-27
Threat Entry Updated 2024-11-21

CVE-2021-24988 - Before 4 Plugin

The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue because the wprss_dismiss_addon_notice AJAX action is missing authorisation and CSRF checks, allowing any authenticated user, such as a subscriber, to call it and set a malicious payload in the addon parameter.

MEDIUM CVSS 5.4 2021-12-27
Threat Entry Updated 2026-03-06

CVE-2021-24750 - Before 4 Plugin

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks.

HIGH CVSS 8.8 2021-12-21
Threat Entry Updated 2024-11-21

CVE-2021-24951 - Before 4 Plugin

The LearnPress WordPress plugin before 4.1.4 does not sanitise, validate and escape the id parameter before using it in SQL statements when duplicating a course/lesson/quiz/question, leading to SQL Injection issues.

CRITICAL CVSS 9.8 2021-12-13