Threat Database
Live Vulnerability Intelligence

Showing records 241-260 of 276. Each entry gives the CVE identifier, the affected product and version range, the severity and CVSS score, and the publication date.

Threat Entry Updated 2024-11-21

CVE-2021-24872 - Get Custom Field Values plugin before 4.0
Severity: MEDIUM (CVSS 6.5) | Published: 2021-12-13 | Type: Plugin

The Get Custom Field Values WordPress plugin before 4.0 allows users with a role as low as Contributor to read the metadata of other users' posts without validating permissions, e.g. a Contributor can read an administrator's post metadata.

CVE-2021-24871 - Get Custom Field Values plugin before 4.0.1
Severity: MEDIUM (CVSS 5.4) | Published: 2021-12-13 | Type: Plugin

The Get Custom Field Values WordPress plugin before 4.0.1 does not escape custom fields before outputting them in the page, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

CVE-2021-24918 - Smash Balloon Social Post Feed plugin before 4.0.1
Severity: MEDIUM (CVSS 5.4) | Published: 2021-11-29 | Type: Plugin

The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did not perform any privilege or nonce validation before saving the plugin's settings. As a result, any logged-in user on a vulnerable site could update the settings and store rogue JavaScript on each of its posts and pages.

CVE-2021-24768 - WP RSS Aggregator plugin before 4.19.2
Severity: MEDIUM (CVSS 4.8) | Published: 2021-11-29 | Type: Plugin

The WP RSS Aggregator WordPress plugin before 4.19.2 does not properly sanitise and escape the URL to Blacklist field, allowing malicious HTML to be inserted by high-privilege users even when the unfiltered_html capability is disallowed, which could lead to Cross-Site Scripting issues.

CVE-2021-24877 - MainWP Child plugin before 4.1.8
Severity: HIGH (CVSS 7.2) | Published: 2021-11-23 | Type: Plugin

The MainWP Child WordPress plugin before 4.1.8 does not validate the orderby and order parameters before using them in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admins when the Backup and Staging by WP Time Capsule plugin is installed.

CVE-2021-24841 - Helpful plugin before 4.4.59
Severity: MEDIUM (CVSS 4.8) | Published: 2021-11-17 | Type: Plugin

The Helpful WordPress plugin before 4.4.59 does not sanitise and escape some of its settings, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2021-24884 - Formidable Form Builder plugin before 4.09.05
Severity: CRITICAL (CVSS 9.6) | Published: 2021-10-25 | Type: Plugin

The Formidable Form Builder WordPress plugin before 4.09.05 allows certain HTML tags to be injected. This could allow an unauthenticated, remote attacker to exploit an HTML injection by injecting a malicious link. The HTML injection may trick authenticated users into following the link; if the link is clicked, JavaScript code can be executed. The vulnerability is due to insufficient sanitisation of the "data-frmverify" attribute for links in the web-based entry inspection page of affected systems. A successful exploitation in combination with CSRF could allow the attacker to perform arbitrary actions on an affected…

CVE-2021-24702 - LearnPress plugin before 4.1.3.1
Severity: MEDIUM (CVSS 4.8) | Published: 2021-10-18 | Type: Plugin

The LearnPress WordPress plugin before 4.1.3.1 does not properly sanitise or escape various inputs within course settings, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2021-24711 - Software License Manager plugin before 4.5.1
Severity: HIGH (CVSS 8.8) | Published: 2021-10-11 | Type: Plugin

The del_reistered_domains AJAX action of the Software License Manager WordPress plugin before 4.5.1 does not have any CSRF checks and is therefore vulnerable to a CSRF attack.

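CVE-2021-24918 and CVE-2021-24711 are the same missing control seen twice: a wp_ajax_* handler that neither verifies a nonce nor checks a capability. The following is an added PHP example, not code from Smash Balloon, Software License Manager or any plugin on this page; the `demo_` prefix, the option `demo_settings`, the field names and the capability `manage_options` are assumptions.

```php
<?php
// Added example, not code from any plugin on this page. Names prefixed "demo_" are assumed.

// VULNERABLE: every logged-in user can call any wp_ajax_* action, and this handler checks
// neither a nonce (so a CSRF page can trigger it) nor a capability (so a Subscriber can
// call it directly). Whatever is posted lands in the option and, from there, in every page.
function demo_save_settings_vulnerable() {
    $settings = array(
        'custom_js' => isset( $_POST['custom_js'] ) ? wp_unslash( $_POST['custom_js'] ) : '',
    );
    update_option( 'demo_settings', $settings );
    wp_send_json_success();
}
// add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings_vulnerable' ); // never ship this

// HARDENED: three independent controls, each stopping a different attacker.
function demo_save_settings() {
    // 1. CSRF: the nonce is emitted on the settings page with
    //    wp_nonce_field( 'demo_save_settings', '_demo_nonce' ) and must match;
    //    on failure check_ajax_referer() dies with HTTP 403.
    check_ajax_referer( 'demo_save_settings', '_demo_nonce' );

    // 2. Authorisation: a nonce proves intent, not privilege. A Subscriber can obtain a
    //    valid nonce for their own session, so the capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Input validation: decide per field what is allowed. Script is never a setting;
    //    if a feature genuinely needs it, gate it on current_user_can( 'unfiltered_html' ).
    $raw      = isset( $_POST['custom_css'] ) ? wp_unslash( $_POST['custom_css'] ) : '';
    $settings = array(
        'custom_css' => wp_strip_all_tags( (string) $raw ),
        'feed_count' => isset( $_POST['feed_count'] ) ? min( 50, absint( $_POST['feed_count'] ) ) : 10,
    );
    update_option( 'demo_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings' );
// Deliberately no wp_ajax_nopriv_ registration: anonymous visitors have no business here.

// The destructive action of CVE-2021-24711 follows the same shape: nonce, capability,
// then validate the id before acting on it.
function demo_delete_record() {
    check_ajax_referer( 'demo_delete_record', '_demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( ! $id ) {
        wp_send_json_error( array( 'message' => 'missing id' ), 400 );
    }
    delete_option( 'demo_record_' . $id );   // stands in for the real delete
    wp_send_json_success( array( 'deleted' => $id ) );
}
add_action( 'wp_ajax_demo_delete_record', 'demo_delete_record' );
```

On the client side the nonce is created with wp_create_nonce( 'demo_save_settings' ) and handed to the script (for instance via wp_localize_script()), then posted as `_demo_nonce` alongside the form fields. When auditing a plugin for this class of bug, grep for add_action( 'wp_ajax_ and confirm every callback reaches both check_ajax_referer() (or wp_verify_nonce()) and current_user_can() before its first write.
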
CVE-2021-24719 - Enfold theme before 4.8.4
Severity: MEDIUM (CVSS 6.1) | Published: 2021-10-11 | Type: Theme

The Enfold WordPress theme before 4.8.4 is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present in Enfold versions prior to 4.8.4 that use the Avia Page Builder.

CVE-2021-24465 - Meow Gallery plugin before 4.1.9
Severity: HIGH (CVSS 8.1) | Published: 2021-10-04 | Type: Plugin

The Meow Gallery WordPress plugin before 4.1.9 does not sanitise, validate or escape the ids attribute of its gallery shortcode (available to users as low as Contributor) before using it in a SQL statement, leading to an authenticated SQL Injection issue. The injection also allows the returned values to be manipulated in a way that could lead to data disclosure and to arbitrary objects being deserialised.

CVE-2021-24670 - CoolClock plugin before 4.3.5
Severity: MEDIUM (CVSS 5.4) | Published: 2021-09-27 | Type: Plugin

The CoolClock WordPress plugin before 4.3.5 does not escape some shortcode attributes, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.

CVE-2021-24638 - OMGF plugin before 4.5.4
Severity: CRITICAL (CVSS 9.1) | Published: 2021-09-20 | Type: Plugin

The OMGF WordPress plugin before 4.5.4 does not escape or validate the handle parameter of its REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS files with Google Fonts CSS, or download fonts uploaded on the Google Fonts website.

CVE-2021-24639 - OMGF plugin before 4.5.4
Severity: HIGH (CVSS 8.1) | Published: 2021-09-20 | Type: Plugin

The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation or CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated user to delete arbitrary files or folders on the server.

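The two OMGF entries (CVE-2021-24638 and CVE-2021-24639) describe file-system operations driven by a request parameter with no path validation, plus a REST route without a permission callback. The block below is an added PHP example and not OMGF's code: the upload subdirectory `demo-fonts`, the route `demo/v1/css`, the AJAX action `demo_empty_dir` and the capability used are assumptions.

```php
<?php
// Added example, not OMGF's code. Assumes generated stylesheets live in
// wp-content/uploads/demo-fonts/ and that a REST route and an AJAX action manage them.

function demo_fonts_dir() {
    $upload = wp_upload_dir();
    return trailingslashit( $upload['basedir'] ) . 'demo-fonts';
}

// VULNERABLE: the client-controlled handle is glued into a path. A handle of
// "../../themes/twentytwentyone/style" writes outside the fonts directory, and a route
// registered without a permission_callback is reachable by anyone.
function demo_write_css_vulnerable( $handle, $css ) {
    file_put_contents( demo_fonts_dir() . '/' . $handle . '.css', $css );
}

// HARDENED: make the handle a filename by construction, then prove the resolved path is
// inside the base directory before the filesystem is touched.
function demo_css_path( $handle ) {
    // sanitize_key() keeps only [a-z0-9_-], so "/", "\" and "." cannot survive.
    $safe = sanitize_key( (string) $handle );
    if ( '' === $safe || $safe !== $handle ) {          // reject, do not silently rename
        return new WP_Error( 'bad_handle', 'handle may contain only a-z, 0-9, "_" and "-"' );
    }
    $base = realpath( demo_fonts_dir() );
    if ( false === $base ) {
        return new WP_Error( 'no_dir', 'fonts directory does not exist' );
    }
    $target = $base . DIRECTORY_SEPARATOR . $safe . '.css';
    // Belt and braces: the file may not exist yet, so compare the parent directory.
    if ( realpath( dirname( $target ) ) !== $base ) {
        return new WP_Error( 'traversal', 'path escapes the fonts directory' );
    }
    return $target;
}

function demo_rest_write_css( WP_REST_Request $request ) {
    $path = demo_css_path( $request['handle'] );
    if ( is_wp_error( $path ) ) {
        return new WP_REST_Response( array( 'error' => $path->get_error_message() ), 400 );
    }
    // Only CSS text is written; tags are stripped so the file cannot carry markup.
    file_put_contents( $path, wp_strip_all_tags( (string) $request['css'] ) );
    return new WP_REST_Response( array( 'file' => basename( $path ) ), 200 );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/css/(?P<handle>[a-z0-9_-]+)', array(
        'methods'             => 'POST',
        'callback'            => 'demo_rest_write_css',
        // Without this callback every visitor can reach the route (the CVE-2021-24638 situation).
        'permission_callback' => function () { return current_user_can( 'manage_options' ); },
        'args'                => array(
            'handle' => array( 'required' => true, 'sanitize_callback' => 'sanitize_key' ),
            'css'    => array( 'required' => true ),
        ),
    ) );
} );

// The "empty directory" action of CVE-2021-24639: the directory is a server-side constant,
// never a request parameter, and the action is nonce- and capability-gated.
function demo_ajax_empty_dir() {
    check_ajax_referer( 'demo_empty_dir', '_demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }
    $base    = realpath( demo_fonts_dir() );
    $removed = 0;
    if ( false !== $base ) {
        foreach ( glob( $base . DIRECTORY_SEPARATOR . '*.css' ) as $file ) {
            if ( is_file( $file ) && unlink( $file ) ) {
                $removed++;
            }
        }
    }
    wp_send_json_success( array( 'removed' => $removed ) );
}
add_action( 'wp_ajax_demo_empty_dir', 'demo_ajax_empty_dir' );
```

The route regex, the argument's sanitize_callback and demo_css_path() each reject a traversal on their own; keeping all three means a later refactor of one of them does not silently reopen the hole. The realpath() comparison is the check that survives even if the character allowlist is loosened later.
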
CVE-2021-24657 - Limit Login Attempts plugin before 4.0.50
Severity: MEDIUM (CVSS 6.1) | Published: 2021-09-20 | Type: Plugin

The Limit Login Attempts WordPress plugin before 4.0.50 does not escape the IP addresses (which can be controlled by an attacker via headers such as X-Forwarded-For) of attempted logins before outputting them in the reports table, leading to an Unauthenticated Stored Cross-Site Scripting issue.

CVE-2021-24560 - Software License Manager plugin before 4.4.8
Severity: MEDIUM (CVSS 6.1) | Published: 2021-09-13 | Type: Plugin

The Software License Manager WordPress plugin before 4.4.8 does not sanitise or escape the edit_record parameter before outputting it back in the admin dashboard page, leading to a Reflected Cross-Site Scripting issue.

CVE-2021-24562 - LifterLMS plugin before 4.21.2
Severity: HIGH (CVSS 7.5) | Published: 2021-08-23 | Type: Plugin

The LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.2 was affected by an IDOR issue, allowing students to see other students' answers and grades.

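CVE-2021-24872 (a Contributor reading any post's metadata) and CVE-2021-24562 (a student reading another student's attempt) are both object-level authorisation failures: the code checks that the caller may use the feature, not that the caller may touch this particular object. The following is an added PHP example and not code from Get Custom Field Values or LifterLMS; the `[demo_meta]` shortcode, the `demo_attempts` table with its `student_id` column and the custom capability `demo_grade_attempts` are assumptions.

```php
<?php
// Added example, not Get Custom Field Values or LifterLMS code. The shortcode name, the
// attempts table, its columns and the custom capability are assumed.

// CVE-2021-24872 pattern, VULNERABLE: a shortcode a Contributor can place in their own draft
// and preview; it returns the meta of whatever post id is named, with no check on that post.
function demo_meta_shortcode_vulnerable( $atts ) {
    $a = shortcode_atts( array( 'post_id' => 0, 'key' => '' ), $atts, 'demo_meta' );
    return esc_html( get_post_meta( (int) $a['post_id'], $a['key'], true ) );
}

// HARDENED: authorise against the object. The rendering user must be able to read the post,
// and protected ("_"-prefixed) meta additionally requires the right to edit it. The check runs
// for whoever triggers rendering: the Contributor previewing, or a visitor later.
function demo_meta_shortcode( $atts ) {
    $a       = shortcode_atts( array( 'post_id' => 0, 'key' => '' ), $atts, 'demo_meta' );
    $post_id = absint( $a['post_id'] );
    $key     = sanitize_key( $a['key'] );
    if ( ! $post_id || '' === $key || ! get_post( $post_id ) ) {
        return '';
    }
    if ( ! current_user_can( 'read_post', $post_id ) ) {
        return '';                                   // someone else's private or draft post
    }
    if ( is_protected_meta( $key, 'post' ) && ! current_user_can( 'edit_post', $post_id ) ) {
        return '';                                   // internal keys stay internal
    }
    return esc_html( (string) get_post_meta( $post_id, $key, true ) );
}
add_shortcode( 'demo_meta', 'demo_meta_shortcode' );

// CVE-2021-24562 pattern, VULNERABLE IDOR: the attempt id from the request selects the row,
// and nothing ties that row to the student who is asking.
function demo_get_attempt_vulnerable( $attempt_id ) {
    global $wpdb;
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT id, student_id, answers, grade FROM {$wpdb->prefix}demo_attempts WHERE id = %d",
        $attempt_id
    ) );
}

// HARDENED: fetch, then verify ownership (or an explicit grading capability) before returning.
// Returning null for "exists but not yours" and "does not exist" alike avoids an id oracle.
function demo_get_attempt( $attempt_id, $user_id = null ) {
    global $wpdb;
    $user_id = null === $user_id ? get_current_user_id() : (int) $user_id;
    $row     = $wpdb->get_row( $wpdb->prepare(
        "SELECT id, student_id, answers, grade FROM {$wpdb->prefix}demo_attempts WHERE id = %d",
        absint( $attempt_id )
    ) );
    if ( ! $row ) {
        return null;
    }
    $is_owner  = (int) $row->student_id === $user_id;
    $can_grade = user_can( $user_id, 'demo_grade_attempts' );   // custom capability, assumed
    return ( $is_owner || $can_grade ) ? $row : null;
}
```

Putting the ownership test inside the data-access function, rather than in each caller, is what makes the fix durable: a new REST endpoint or AJAX action added later inherits the check instead of having to remember it.
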
CVE-2021-24533 - Maintenance plugin before 4.03
Severity: MEDIUM (CVSS 4.8) | Published: 2021-08-23 | Type: Plugin

The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high-privilege users such as admins to set a Cross-Site Scripting payload in them (even when the unfiltered_html capability is disallowed), which is then triggered in the frontend.

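Five entries on this page (WP RSS Aggregator, Helpful, LearnPress, CoolClock and Maintenance) are the same defect: a setting or shortcode attribute stored without the filtering WordPress applies to post content and printed without escaping. The phrase "even when the unfiltered_html capability is disallowed" matters because it is the control a site owner relies on (DISALLOW_UNFILTERED_HTML, or non-super-admins on multisite) to keep administrators from storing script, and the plugin silently bypasses it. The block below is an added PHP example and not code from any of those plugins; the option group `demo`, the two option names and the `[demo_clock]` shortcode are assumptions.

```php
<?php
// Added example, not code from Helpful, LearnPress, Maintenance, CoolClock or WP RSS Aggregator.
// The option group "demo", the option names and the [demo_clock] shortcode are assumed.

// VULNERABLE: the option is registered without a sanitize_callback and echoed verbatim on the
// frontend. Post content is run through kses for users without unfiltered_html; this setting
// is not, so an administrator on a locked-down site still gets a stored-XSS channel.
function demo_register_settings_vulnerable() {
    register_setting( 'demo', 'demo_banner_text' );
}
function demo_render_banner_vulnerable() {
    echo '<div class="demo-banner">' . get_option( 'demo_banner_text' ) . '</div>';
}

// HARDENED, step 1: sanitise on save with the same rule core applies to post content.
// register_setting()'s sanitize_callback runs in the saving user's request, so
// current_user_can() here refers to the admin pressing "Save".
function demo_sanitize_banner( $value ) {
    $value = (string) $value;
    return current_user_can( 'unfiltered_html' ) ? $value : wp_kses_post( $value );
}
function demo_sanitize_hex_color( $value ) {
    return preg_match( '/^#[0-9a-fA-F]{6}$/', (string) $value ) ? $value : '#ffffff';
}
function demo_register_settings() {
    register_setting( 'demo', 'demo_banner_text', array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_sanitize_banner',
        'default'           => '',
    ) );
    register_setting( 'demo', 'demo_banner_color', array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_sanitize_hex_color',
        'default'           => '#ffffff',
    ) );
}
add_action( 'admin_init', 'demo_register_settings' );

// HARDENED, step 2: escape on output for the context the value lands in. The attribute value
// gets esc_attr() however well it was validated. The body text is re-filtered with
// wp_kses_post() on output as well: that closes the channel for values written by other code
// paths (WP-CLI, migrations, older plugin versions) at the cost of never allowing script in the
// banner, which is the right default for a setting.
function demo_render_banner() {
    $text  = (string) get_option( 'demo_banner_text', '' );
    $color = (string) get_option( 'demo_banner_color', '#ffffff' );
    echo '<div class="demo-banner" style="background:' . esc_attr( $color ) . '">'
        . wp_kses_post( $text ) . '</div>';
}

// Shortcode attributes are the same problem one level down: a Contributor writes them, so every
// attribute is untrusted and is escaped for the exact context it is placed in. shortcode_atts()
// drops any attribute not listed in the defaults, so unexpected names are never emitted.
function demo_clock_shortcode( $atts ) {
    $a = shortcode_atts(
        array( 'label' => 'Clock', 'tz' => 'UTC', 'width' => 200 ),
        $atts,
        'demo_clock'
    );
    return sprintf(
        '<div class="demo-clock" data-tz="%s" style="width:%dpx">%s</div>',
        esc_attr( $a['tz'] ),        // attribute context
        absint( $a['width'] ),       // numeric: cast instead of escape
        esc_html( $a['label'] )      // text-node context
    );
}
add_shortcode( 'demo_clock', 'demo_clock_shortcode' );
```

The rule of thumb for review: every get_option() or shortcode attribute that reaches echo/print/sprintf must pass through an esc_*() or wp_kses*() function matching its HTML context, and every register_setting() must name a sanitize_callback.
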
CVE-2021-24462 - Photo Gallery by Ays plugin before 4.4.4
Severity: HIGH (CVSS 8.8) | Published: 2021-08-02 | Type: Plugin

The get_gallery_categories() and get_galleries() functions in the Photo Gallery by Ays – Responsive Image Gallery WordPress plugin before 4.4.4 did not use a whitelist or validate the orderby parameter before using it in SQL statements passed to get_results() DB calls, leading to SQL injection issues in the admin dashboard.

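Three SQL injection entries on this page (MainWP Child and Photo Gallery by Ays via orderby/order, Meow Gallery via a shortcode ids attribute) share a root cause worth separating: $wpdb->prepare() handles values but cannot quote identifiers, so an ORDER BY column must come from an allowlist, while an id list must be reduced to integers and bound with one placeholder each. The PHP below is an added example and not code from any of those plugins; the table `demo_items`, its columns and the `[demo_gallery]` shortcode are assumptions.

```php
<?php
// Added example, not MainWP Child, Meow Gallery or Photo Gallery by Ays code. The table
// {$wpdb->prefix}demo_items and its columns are assumed.

// VULNERABLE: identifiers (orderby, order) and a comma list of ids are interpolated. prepare()
// cannot quote identifiers, and ids="1) OR 1=1 -- " turns the IN list into a full-table read.
function demo_get_items_vulnerable( $orderby, $order, $ids ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}demo_items WHERE id IN ($ids) ORDER BY $orderby $order"
    );
}

// HARDENED: identifiers come from an allowlist the code owns; values go through placeholders.
function demo_get_items( $orderby, $order, $ids ) {
    global $wpdb;

    // 1. ORDER BY column: exact match against the sortable columns. sanitize_sql_orderby()
    //    only checks the syntax "col ASC, col2 DESC"; it does not know which columns exist,
    //    so an allowlist is still needed.
    $sortable = array( 'id', 'title', 'created' );
    $orderby  = in_array( $orderby, $sortable, true ) ? $orderby : 'id';

    // 2. Direction: two possible values, normalised rather than validated.
    $order = ( 'desc' === strtolower( (string) $order ) ) ? 'DESC' : 'ASC';

    // 3. ids: split, cast each piece to a non-negative int, drop zeros and duplicates, reindex.
    $ids = array_values( array_filter( array_unique(
        array_map( 'absint', explode( ',', (string) $ids ) )
    ) ) );
    if ( empty( $ids ) ) {
        return array();
    }

    // 4. One %d per id; prepare() accepts the array and substitutes in order.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}demo_items WHERE id IN ($placeholders) ORDER BY $orderby $order",
        $ids
    );
    return $wpdb->get_results( $sql );
}

// The shortcode front door of CVE-2021-24465: the ids attribute is authored by a Contributor,
// so it is as untrusted as a query-string parameter.
function demo_gallery_shortcode( $atts ) {
    $a     = shortcode_atts( array( 'ids' => '', 'orderby' => 'id', 'order' => 'asc' ), $atts, 'demo_gallery' );
    $items = demo_get_items( $a['orderby'], $a['order'], $a['ids'] );
    $out   = '';
    foreach ( $items as $item ) {
        $out .= '<figure><img src="' . esc_url( $item->url ) . '" alt="' . esc_attr( $item->title ) . '"></figure>';
    }
    return $out;
}
add_shortcode( 'demo_gallery', 'demo_gallery_shortcode' );
```

Note that the admin-only exploitability of CVE-2021-24877 and CVE-2021-24462 does not make them harmless: an ORDER BY injection in the dashboard is reachable through CSRF against an administrator, and in MySQL it can be turned into a timing- or error-based read of any table the WordPress user can see.
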
CVE-2021-24430 - Speed Booster Pack plugin before 4.2.0
Severity: HIGH (CVSS 7.2) | Published: 2021-08-02 | Type: Plugin

The Speed Booster Pack ⚡ PageSpeed Optimization Suite WordPress plugin before 4.2.0 did not validate its caching_exclude_urls and caching_include_query_strings settings before writing them into a PHP file, which could lead to Remote Code Execution.

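Writing settings into a PHP file is how a stored-XSS-grade input becomes code execution: the saver is an administrator (hence CVSS 7.2), but settings are data, and once they are interpolated into PHP source a single quote ends the string literal. The following is an added PHP example, not Speed Booster Pack's code; the setting names are taken from the CVE text, while the cache directory wp-content/cache/demo/ and the function names are assumptions.

```php
<?php
// Added example, not Speed Booster Pack code. The setting names mirror the CVE text; the
// cache directory wp-content/cache/demo/ and everything else is assumed.

// VULNERABLE: settings are interpolated into PHP source that the plugin later include()s.
// A value such as
//   '; system($_GET["c"]); //
// closes the string literal, and the next request that loads the file runs the command.
function demo_write_config_vulnerable( $caching_exclude_urls, $caching_include_query_strings ) {
    $php  = "<?php\n";
    $php .= "\$exclude_urls = '" . $caching_exclude_urls . "';\n";
    $php .= "\$include_query_strings = '" . $caching_include_query_strings . "';\n";
    file_put_contents( WP_CONTENT_DIR . '/cache/demo/config.php', $php );
}

// HARDENED, preferred: do not generate code at all. Validate each value into a plain data
// structure and store it as JSON; the reader decodes it, and no path exists from a setting
// to the PHP parser.
function demo_clean_config( array $settings ) {
    $urls = isset( $settings['caching_exclude_urls'] ) ? (array) $settings['caching_exclude_urls'] : array();
    $qs   = isset( $settings['caching_include_query_strings'] ) ? (array) $settings['caching_include_query_strings'] : array();
    return array(
        // URL fragments: text only, no tags or control characters; empty entries are dropped.
        'exclude_urls'          => array_values( array_filter( array_map( 'sanitize_text_field', $urls ) ) ),
        // Query-string keys: restricted to [a-z0-9_-].
        'include_query_strings' => array_values( array_filter( array_map( 'sanitize_key', $qs ) ) ),
    );
}
function demo_write_config( array $settings ) {
    $clean = demo_clean_config( $settings );
    $dir   = WP_CONTENT_DIR . '/cache/demo';
    wp_mkdir_p( $dir );
    file_put_contents( $dir . '/config.json', wp_json_encode( $clean ) );
    return $clean;
}
function demo_read_config() {
    $raw = @file_get_contents( WP_CONTENT_DIR . '/cache/demo/config.json' );
    $cfg = $raw ? json_decode( $raw, true ) : null;
    return is_array( $cfg ) ? $cfg : array( 'exclude_urls' => array(), 'include_query_strings' => array() );
}

// HARDENED, fallback: when a PHP file is genuinely required (a drop-in such as
// advanced-cache.php that is loaded before plugins), emit it from the cleaned array with
// var_export(), which writes quoted literals with ' and \ escaped. The data is never
// concatenated into source by hand.
function demo_write_config_php( array $settings ) {
    $clean = demo_clean_config( $settings );
    $php   = "<?php\nreturn " . var_export( $clean, true ) . ";\n";
    $dir   = WP_CONTENT_DIR . '/cache/demo';
    wp_mkdir_p( $dir );
    file_put_contents( $dir . '/config.php', $php );
    return $clean;
}
```

When reviewing caching and optimisation plugins, search for file_put_contents() calls whose payload starts with "<?php": each one is a place where option values must be proven to pass through var_export() (or an equivalent serialiser) rather than string concatenation.
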