
Threat Database

Threat Entry Updated 2024-11-21

CVE-2021-24485 - Before 5 Plugin

The Special Text Boxes WordPress plugin before 5.9.110 does not sanitise or escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 5

CVE-2021-24485

MEDIUM CVSS 4.8 2021-10-25
Threat Entry Updated 2024-11-21

CVE-2021-24622 - Before 5 Plugin

The Customer Service Software & Support Ticket System WordPress plugin before 5.10.4 does not sanitize or escape form fields before outputting them in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 5

CVE-2021-24622

MEDIUM CVSS 4.8 2021-10-18
Threat Entry Updated 2024-11-21

CVE-2021-24687 - Before 5 Plugin

The Modern Events Calendar Lite WordPress plugin before 5.22.2 does not escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 5

CVE-2021-24687

MEDIUM CVSS 4.8 2021-10-04
Threat Entry Updated 2024-11-21

CVE-2021-24525 - Before 5 Plugin

The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with the Contributor role to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and some attributes are insecure by design (like [su_button]'s onclick attribute).

PLUGIN Before 5

CVE-2021-24525

MEDIUM CVSS 5.4 2021-09-20
Threat Entry Updated 2024-11-21

CVE-2021-24603 - Before 5 Plugin

The Site Reviews WordPress plugin before 5.13.1 does not sanitise some of its Review Details when adding a review as an admin, which could allow admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 5

CVE-2021-24603

MEDIUM CVSS 5.4 2021-09-06
Threat Entry Updated 2024-12-17

CVE-2021-24561 - Before 5 Plugin

The WP SMS WordPress plugin before 5.4.13 does not sanitise the "wp_group_name" parameter before outputting it back in the "Groups" page, leading to an Authenticated Stored Cross-Site Scripting issue.

PLUGIN Before 5

CVE-2021-24561

MEDIUM CVSS 5.4 2021-08-23
Threat Entry Updated 2024-11-21

CVE-2021-24471 - Before 5 Plugin

The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues (1) via the w, h, controls, cc_lang, color, language, start, stop, or style parameter of the youtube shortcode, (2) via the style, class, rel, target, width, height, or alt parameter of the youtube_thumb shortcode, or (3) by embedding a video whose title or description contains an XSS payload (if an API key is configured).

PLUGIN Before 5

CVE-2021-24471

MEDIUM CVSS 5.4 2021-08-16
Threat Entry Updated 2024-11-21

CVE-2021-24304 - Before 5 Theme

The Newsmag WordPress theme before 5.0 does not sanitise the td_block_id parameter in its td_ajax_block AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability.

THEME Before 5

CVE-2021-24304

MEDIUM CVSS 6.1 2021-08-09
Threat Entry Updated 2024-11-21

CVE-2021-24407 - Before 5 Theme

The Jannah WordPress theme before 5.4.5 did not properly sanitize the 'query' POST parameter in its tie_ajax_search AJAX action, leading to a Reflected Cross-site Scripting (XSS) vulnerability.

THEME Before 5

CVE-2021-24407

MEDIUM CVSS 6.1 2021-07-06
Threat Entry Updated 2024-11-21

CVE-2021-24384 - Before 5 Plugin

The joomsport_md_load AJAX action of the JoomSport WordPress plugin before 5.1.8, registered for both unauthenticated and authenticated users, unserialises user input from the shattr POST parameter, leading to a PHP Object Injection issue. Even though the plugin does not have a suitable gadget chain to exploit this, other installed plugins could, which might lead to more severe issues such as RCE.

PLUGIN Before 5

CVE-2021-24384

CRITICAL CVSS 9.8 2021-07-06
Threat Entry Updated 2024-11-21

CVE-2021-24364 - Before 5 Theme

The Jannah WordPress theme before 5.4.4 did not properly sanitize the options JSON parameter in its tie_get_user_weather AJAX action before outputting it back in the page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.

THEME Before 5

CVE-2021-24364

MEDIUM CVSS 6.1 2021-06-21
Threat Entry Updated 2025-05-05

CVE-2021-24366 - Before 5 Plugin

The Admin Columns WordPress plugin before 4.3 and Admin Columns Pro WordPress plugin before 5.5.1 do not sanitise and escape their Label settings, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Before 5

CVE-2021-24366

MEDIUM CVSS 5.4 2021-06-21
Threat Entry Updated 2024-11-21

CVE-2021-24295 - Before 5 Plugin

It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.153.4. The update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected via the User-Agent header by manipulating the cookies set by the plugin: sending an initial request to obtain a ct_sfw_pass_key cookie, then manually setting a separate ct_sfw_passed cookie and preventing it from being reset.

PLUGIN Before 5

CVE-2021-24295

HIGH CVSS 7.5 2021-05-17
Threat Entry Updated 2024-11-21

CVE-2021-24179 - Before 5 Plugin

The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged-in administrator import files. As the plugin also did not validate uploaded files, this could lead to RCE.

PLUGIN Before 5

CVE-2021-24179

HIGH CVSS 8.8 2021-05-06
Threat Entry Updated 2024-11-21

CVE-2021-24178 - Before 5 Plugin

The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged-in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues.

PLUGIN Before 5

CVE-2021-24178

HIGH CVSS 8.8 2021-05-06
Threat Entry Updated 2024-11-21

CVE-2021-24248 - Before 5 Plugin

The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 did not properly check imported files, forbidding certain extensions via a blacklist approach, which allowed an administrator to import an archive containing a .php4 file, for example, leading to RCE.

PLUGIN Before 5

CVE-2021-24248

HIGH CVSS 7.2 2021-05-06
Threat Entry Updated 2024-11-21

CVE-2021-24249 - Before 5 Plugin

The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged-in administrator export files, which could then be downloaded by the attacker to gain access to PII such as email and home addresses.

PLUGIN Before 5

CVE-2021-24249

MEDIUM CVSS 6.5 2021-05-06
Threat Entry Updated 2024-11-21

CVE-2021-24250 - Before 5 Plugin

The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a lack of sanitisation in the label of the Form Fields, leading to Authenticated Stored Cross-Site Scripting issues across various pages of the plugin.

PLUGIN Before 5

CVE-2021-24250

MEDIUM CVSS 5.4 2021-05-06
Threat Entry Updated 2024-11-21

CVE-2021-24251 - Before 5 Plugin

The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged-in administrator update arbitrary payment history, such as changing its status (from pending to completed, for example).

PLUGIN Before 5

CVE-2021-24251

MEDIUM CVSS 4.3 2021-05-06
Threat Entry Updated 2024-11-21

CVE-2021-24241 - Before 5 Plugin

The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page.

PLUGIN Before 5

CVE-2021-24241

MEDIUM CVSS 6.1 2021-04-22