Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,198
Critical: 182
High: 652
Medium: 2,340
Showing 3101-3120 of 3198 records
Threat Entry Updated 2024-11-21

CVE-2021-24975 - Changeset Plugin

The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.24 does not sanitise and escape logged requests before outputting them in the related admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting issue

PLUGIN Changeset

CVE-2021-24975

MEDIUM CVSS 6.1 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-24919 - Changeset Plugin

The Wicked Folders WordPress plugin before 2.8.10 does not sanitise and escape the folder_id parameter before using it in a SQL statement in the wicked_folders_save_sort_order AJAX action, available to any authenticated user, leading to an SQL injection

PLUGIN Changeset

CVE-2021-24919

HIGH CVSS 8.8 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-24934 - Changeset Plugin

The Visual CSS Style Editor WordPress plugin before 7.5.4 does not sanitise and escape the wyp_page_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue

PLUGIN Changeset

CVE-2021-24934

MEDIUM CVSS 6.1 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-24648 - Changeset Plugin

The RegistrationMagic WordPress plugin before 5.0.1.9 does not sanitise and escape the rm_search_value parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting

PLUGIN Changeset

CVE-2021-24648

MEDIUM CVSS 6.1 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-24686 - Changeset Plugin

The SVG Support WordPress plugin before 2.3.20 does not escape the "CSS Class to target" setting before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Changeset

CVE-2021-24686

MEDIUM CVSS 4.8 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-25076 - Changeset Plugin

The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting

PLUGIN Changeset

CVE-2021-25076

HIGH CVSS 8.8 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25073 - Changeset Plugin

The WP125 WordPress plugin before 1.5.5 does not have CSRF checks in various actions, for example when deleting an ad, allowing attackers to make a logged-in admin delete them via a CSRF attack

PLUGIN Changeset

CVE-2021-25073

HIGH CVSS 8.8 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25045 - Changeset Plugin

The Asgaros Forum WordPress plugin before 1.15.15 does not validate or escape the forum_id parameter before using it in a SQL statement when editing a forum, leading to an SQL injection issue

PLUGIN Changeset

CVE-2021-25045

HIGH CVSS 7.2 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25083 - Changeset Plugin

The Registrations for the Events Calendar WordPress plugin before 2.7.10 does not escape the qtype parameter before outputting it back in an attribute in the settings page, leading to a Reflected Cross-Site Scripting

PLUGIN Changeset

CVE-2021-25083

MEDIUM CVSS 6.1 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25080 - Changeset Plugin

The Contact Form Entries WordPress plugin before 1.1.7 does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged in admins viewing the created entry

PLUGIN Changeset

CVE-2021-25080

MEDIUM CVSS 6.1 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25079 - Changeset Plugin

The Contact Form Entries WordPress plugin before 1.2.4 does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search before outputting them back in the admin page

PLUGIN Changeset

CVE-2021-25079

MEDIUM CVSS 6.1 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25078 - Changeset Plugin

The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admin viewing the tracked requests.

PLUGIN Changeset

CVE-2021-25078

MEDIUM CVSS 6.1 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25062 - Changeset Plugin

The Orders Tracking for WooCommerce WordPress plugin before 1.1.10 does not sanitise and escape the file_url before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

PLUGIN Changeset

CVE-2021-25062

MEDIUM CVSS 6.1 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25035 - Changeset Plugin

The Backup and Staging by WP Time Capsule WordPress plugin before 1.22.7 does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

PLUGIN Changeset

CVE-2021-25035

MEDIUM CVSS 6.1 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25031 - Changeset Plugin

The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting

PLUGIN Changeset

CVE-2021-25031

MEDIUM CVSS 6.1 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25017 - Changeset Plugin

The Tutor LMS WordPress plugin before 1.9.12 does not escape the search parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting

PLUGIN Changeset

CVE-2021-25017

MEDIUM CVSS 6.1 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25015 - Changeset Plugin

The myCred WordPress plugin before 2.4 does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue

PLUGIN Changeset

CVE-2021-25015

MEDIUM CVSS 6.1 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-24985 - Changeset Plugin

The Easy Forms for Mailchimp WordPress plugin before 6.8.6 does not sanitise and escape the field_name and field_type parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

PLUGIN Changeset

CVE-2021-24985

MEDIUM CVSS 6.1 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-24976 - Changeset Plugin

The Smart SEO Tool WordPress plugin before 3.0.6 does not sanitise and escape the search parameter before outputting it back in an attribute when the TDK optimisation setting is enabled, leading to a Reflected Cross-Site Scripting

PLUGIN Changeset

CVE-2021-24976

MEDIUM CVSS 6.1 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25049 - Changeset Plugin

The Mobile Events Manager WordPress plugin before 1.4.4 does not sanitise and escape various of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

PLUGIN Changeset

CVE-2021-25049

MEDIUM CVSS 4.8 2022-01-24