"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 140 | Critical: 8 | High: 23 | Medium: 107
Showing 101-120 of 140 records
Threat Entry Updated 2026-03-06

CVE-2021-25042 - Before 5 Plugin

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.5 does not have authorisation and CSRF checks in the updateIpAddress AJAX action, allowing any authenticated user to call it, or make a logged in user do it via a CSRF attack and add an arbitrary IP address to exclude. Furthermore, due to the lack of validation, sanitisation and escaping, users could set a malicious value and perform Cross-Site Scripting attacks against logged in admin

PLUGIN Before 5

CVE-2021-25042

MEDIUM CVSS 5.4 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-25105 - Before 5 Plugin

The Ivory Search WordPress plugin before 5.4.1 does not escape some of the Form settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 5

CVE-2021-25105

MEDIUM CVSS 4.8 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-24993 - Before 5 Plugin

The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated user, such as a subscriber, to call them and, for example, add arbitrary products or change the plugin's settings.

PLUGIN Before 5

CVE-2021-24993

MEDIUM CVSS 6.5 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2022-0320 - Before 5 Plugin

The Essential Addons for Elementor WordPress plugin before 5.0.5 does not validate and sanitise some template data before using them in include statements, which could allow unauthenticated attackers to perform a Local File Inclusion attack and read arbitrary files on the server. This could also lead to RCE via user uploaded files or other LFI to RCE techniques.

PLUGIN Before 5

CVE-2022-0320

CRITICAL CVSS 9.8 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-24648 - Before 5 Plugin

The RegistrationMagic WordPress plugin before 5.0.1.9 does not sanitise and escape the rm_search_value parameter before outputting back in an attribute, leading to a Reflected Cross-Site Scripting

PLUGIN Before 5

CVE-2021-24648

MEDIUM CVSS 6.1 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-24707 - Before 5 Plugin

The Learning Courses WordPress plugin before 5.0 does not sanitise and escape the Email PDT identity token settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 5

CVE-2021-24707

MEDIUM CVSS 4.8 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-25028 - Before 5 Plugin

The Event Tickets WordPress plugin before 5.2.2 does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary redirect issue

PLUGIN Before 5

CVE-2021-25028

MEDIUM CVSS 6.1 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25051 - Before 5 Plugin

The Modal Window WordPress plugin before 5.2.2, within the wow-company admin menu page, allows include() of an arbitrary file with a PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.

PLUGIN Before 5

CVE-2021-25051

HIGH CVSS 8.8 2022-01-10
Threat Entry Updated 2024-11-21

CVE-2021-24949 - Before 5 Plugin

The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection

PLUGIN Before 5

CVE-2021-24949

CRITICAL CVSS 9.8 2022-01-10
Threat Entry Updated 2024-11-21

CVE-2021-24948 - Before 5 Plugin

The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts

PLUGIN Before 5

CVE-2021-24948

HIGH CVSS 7.5 2022-01-10
Threat Entry Updated 2024-11-21

CVE-2021-24862 - Before 5 Plugin

The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue

PLUGIN Before 5

CVE-2021-24862

HIGH CVSS 7.2 2022-01-10
Threat Entry Updated 2024-11-21

CVE-2021-25001 - Before 5 Plugin

The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_create_products_xml_result parameter before outputting back in the admin dashboard when the Product XML Feeds module is enabled, leading to a Reflected Cross-Site Scripting issue

PLUGIN Before 5

CVE-2021-25001

MEDIUM CVSS 6.1 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-25000 - Before 5 Plugin

The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_delete_role parameter before outputting back in the admin dashboard when the General module is enabled, leading to a Reflected Cross-Site Scripting issue

PLUGIN Before 5

CVE-2021-25000

MEDIUM CVSS 6.1 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-24999 - Before 5 Plugin

The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_notice parameter before outputting it back in the admin dashboard when the Pdf Invoicing module is enabled, leading to a Reflected Cross-Site Scripting

PLUGIN Before 5

CVE-2021-24999

MEDIUM CVSS 6.1 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-24973 - Before 5 Plugin

The Site Reviews WordPress plugin before 5.17.3 does not sanitise and escape the site-reviews parameter of the glsr_action AJAX action (available to unauthenticated and any authenticated users), allowing them to perform Cross-Site Scripting attacks against logged in admins viewing the Tool dashboard of the plugin

PLUGIN Before 5

CVE-2021-24973

MEDIUM CVSS 6.1 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-24680 - Before 5 Plugin

The WP Travel Engine WordPress plugin before 5.3.1 does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages, allowing users with a role as low as editor to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed

PLUGIN Before 5

CVE-2021-24680

MEDIUM CVSS 5.4 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-24866 - Before 5 Plugin

The WP Data Access WordPress plugin before 5.0.0 does not properly sanitise and escape the backup_date parameter before using it in a SQL statement, leading to a SQL injection issue that could allow arbitrary table deletion.

PLUGIN Before 5

CVE-2021-24866

CRITICAL CVSS 9.8 2021-12-06
Threat Entry Updated 2024-11-21

CVE-2021-24852 - Before 5 Plugin

The MouseWheel Smooth Scroll WordPress plugin before 5.7 does not have CSRF check in place on its settings page, which could allow attackers to make a logged in admin change them via a CSRF attack

PLUGIN Before 5

CVE-2021-24852

MEDIUM CVSS 6.5 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24716 - Before 5 Plugin

The Modern Events Calendar Lite WordPress plugin before 5.22.3 does not properly sanitize or escape values set by users with access to adjust settings within wp-admin.

PLUGIN Before 5

CVE-2021-24716

MEDIUM CVSS 5.4 2021-11-01
Threat Entry Updated 2024-11-21

CVE-2021-24608 - Before 5 Plugin

The Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form's Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

PLUGIN Before 5

CVE-2021-24608

MEDIUM CVSS 4.8 2021-10-25