"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 125
Critical: 10
High: 22
Medium: 93
Showing 101-120 of 125 records
Threat Entry Updated 2026-01-13

CVE-2021-24977 - Before 6 Plugin

The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users to send arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues.

PLUGIN Before 6

CVE-2021-24977

MEDIUM CVSS 6.1 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2022-0193 - Before 6 Plugin

The Complianz WordPress plugin before 6.0.0 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Before 6

CVE-2022-0193

MEDIUM CVSS 6.1 2022-02-14
Threat Entry Updated 2024-11-21

CVE-2021-24947 - Before 6 Plugin

The RVM WordPress plugin before 6.4.2 does not have proper authorisation, CSRF checks and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, such as a subscriber, to read arbitrary files on the web server.

PLUGIN Before 6

CVE-2021-24947

MEDIUM CVSS 6.5 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-24985 - Before 6 Plugin

The Easy Forms for Mailchimp WordPress plugin before 6.8.6 does not sanitise and escape the field_name and field_type parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues.

PLUGIN Before 6

CVE-2021-24985

MEDIUM CVSS 6.1 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25046 - Before 6 Plugin

The Modern Events Calendar Lite WordPress plugin before 6.2.0 allowed any logged-in user, even a subscriber, to add a category whose parameters are incorrectly escaped in the admin panel, leading to stored XSS.

PLUGIN Before 6

CVE-2021-25046

MEDIUM CVSS 5.4 2022-01-17
Threat Entry Updated 2024-11-21

CVE-2021-24956 - Before 6 Plugin

The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Before 6

CVE-2021-24956

MEDIUM CVSS 6.1 2021-12-21
Threat Entry Updated 2024-11-21

CVE-2021-24946 - Before 6 Plugin

The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue.

PLUGIN Before 6

CVE-2021-24946

CRITICAL CVSS 9.8 2021-12-13
Threat Entry Updated 2026-01-16

CVE-2021-24863 - Before 6 Plugin

The WP Block and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection Plugin StopBadBots WordPress plugin before 6.67 does not sanitise and escape the User Agent before using it in a SQL statement to save it, leading to a SQL injection.

PLUGIN Before 6

CVE-2021-24863

CRITICAL CVSS 9.8 2021-12-13
Threat Entry Updated 2024-11-21

CVE-2021-24925 - Before 6 Plugin

The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the current_month_divider parameter of its mec_list_load_more AJAX call (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Before 6

CVE-2021-24925

MEDIUM CVSS 6.1 2021-12-13
Threat Entry Updated 2024-11-21

CVE-2021-24748 - Before 6 Plugin

The Email Before Download WordPress plugin before 6.8 does not properly validate and escape the order and orderby GET parameters before using them in SQL statements, leading to authenticated SQL injection issues.

PLUGIN Before 6

CVE-2021-24748

HIGH CVSS 8.8 2021-11-29
Threat Entry Updated 2024-11-21

CVE-2021-24830 - Before 6 Plugin

The Advanced Access Manager WordPress plugin before 6.8.0 does not escape some of its settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 6

CVE-2021-24830

MEDIUM CVSS 4.8 2021-11-23
Threat Entry Updated 2024-11-21

CVE-2021-24834 - Before 6 Plugin

The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability which exists in the Create Poll - Options module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of custom label parameters: vote button label, results link label and back to vote caption label.

PLUGIN Before 6

CVE-2021-24834

MEDIUM CVSS 5.4 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24833 - Before 6 Plugin

The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability, which exists in the Admin preview module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of question and answer text parameters in Create Poll module.

PLUGIN Before 6

CVE-2021-24833

MEDIUM CVSS 5.4 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24835 - Before 6 Plugin

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible WordPress plugin before 6.5.12, when used in combination with another WCFM - WooCommerce Multivendor plugin such as WCFM - WooCommerce Multivendor Marketplace, does not escape the withdrawal_vendor parameter before using it in a SQL statement, allowing low privilege users such as Subscribers to perform SQL injection attacks.

PLUGIN Before 6

CVE-2021-24835

HIGH CVSS 8.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24594 - Before 6 Plugin

The Translate WordPress – Google Language Translator WordPress plugin before 6.0.12 does not sanitise and escape some of its settings before outputting them in various pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 6

CVE-2021-24594

MEDIUM CVSS 4.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24770 - Before 6 Plugin

The Stylish Price List WordPress plugin before 6.9.1 does not perform capability checks in its spl_upload_ser_img AJAX action (available to authenticated users), which could allow any authenticated user, such as a subscriber, to upload arbitrary images.

PLUGIN Before 6

CVE-2021-24770

MEDIUM CVSS 6.5 2021-11-01
Threat Entry Updated 2024-11-21

CVE-2021-24757 - Before 6 Plugin

The Stylish Price List WordPress plugin before 6.9.0 does not perform capability checks in its spl_upload_ser_img AJAX action (available to both unauthenticated and authenticated users), which could allow unauthenticated users to upload images.

PLUGIN Before 6

CVE-2021-24757

MEDIUM CVSS 5.3 2021-11-01
Threat Entry Updated 2024-11-21

CVE-2021-24885 - Before 6 Plugin

The YOP Poll WordPress plugin before 6.1.2 does not escape the perpage parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Before 6

CVE-2021-24885

MEDIUM CVSS 6.1 2021-10-25
Threat Entry Updated 2026-01-16

CVE-2021-24727 - Before 6 Plugin

The StopBadBots WordPress plugin before 6.60 did not validate or escape the order and orderby GET parameters in some of its admin dashboard pages, leading to Authenticated SQL Injections.

PLUGIN Before 6

CVE-2021-24727

HIGH CVSS 8.8 2021-09-13
Threat Entry Updated 2024-11-21

CVE-2021-24456 - Before 6 Plugin

The Quiz Maker WordPress plugin before 6.2.0.9 did not properly sanitise and escape the order and orderby parameters before using them in SQL statements, leading to SQL injection issues in the admin dashboard.

PLUGIN Before 6

CVE-2021-24456

HIGH CVSS 7.2 2021-08-02