Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 3,198 | Critical 182 | High 652 | Medium 2,340

Showing 3121-3140 of 3198 records

CVE-2021-24865 - Changeset Plugin
HIGH | CVSS 7.2 | 2022-01-24 | Threat Entry Updated 2024-11-21

The Advanced Custom Fields: Extended WordPress plugin before 0.8.8.7 does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issue.

CVE-2021-24968 - Changeset Plugin
MEDIUM | CVSS 5.7 | 2022-01-24 | Threat Entry Updated 2024-11-21

The Ultimate FAQ WordPress plugin before 2.1.2 does not have capability and CSRF checks in the ewd_ufaq_welcome_add_faq and ewd_ufaq_welcome_add_faq_page AJAX actions, which are available to any authenticated user. As a result, any user with a role as low as Subscriber could create FAQs and FAQ questions.

CVE-2022-0236 - Changeset Plugin
HIGH | CVSS 7.5 | 2022-01-18 | Threat Entry Updated 2024-11-21

The WP Import Export WordPress plugin (both free and premium versions) is vulnerable to unauthenticated sensitive data disclosure due to a missing capability check on the download function wpie_process_file_download found in the ~/includes/classes/class-wpie-general.php file. This made it possible for unauthenticated attackers to download any imported or exported information from a vulnerable site, which can contain sensitive information like user data. This affects versions up to, and including, 3.9.15.

CVE-2021-25036 - Changeset Plugin
HIGH | CVSS 8.8 | 2022-01-17 | Threat Entry Updated 2024-11-21

The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn't have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites.

CVE-2021-25037 - Changeset Plugin
MEDIUM | CVSS 6.5 | 2022-01-17 | Threat Entry Updated 2024-11-21

The All in One SEO WordPress plugin before 4.1.5.3 is affected by an authenticated SQL injection issue, which was discovered during an internal audit by the Jetpack Scan team, and could grant attackers access to privileged information from the affected site's database (e.g., usernames and hashed passwords).

CVE-2021-25053 - Changeset Plugin
HIGH | CVSS 8.8 | 2022-01-10 | Threat Entry Updated 2024-11-21

The WP Coder WordPress plugin before 2.5.2 allows include() of an arbitrary file with a PHP extension (as well as via the data:// or http:// protocols) within the wow-company admin menu page, thus leading to RCE via CSRF.

CVE-2021-25052 - Changeset Plugin
HIGH | CVSS 8.8 | 2022-01-10 | Threat Entry Updated 2024-11-21

The Button Generator WordPress plugin before 2.3.3 allows include() of an arbitrary file with a PHP extension (as well as via the data:// or http:// protocols) within the wow-company admin menu page, thus leading to RCE via CSRF.

CVE-2021-25051 - Changeset Plugin
HIGH | CVSS 8.8 | 2022-01-10 | Threat Entry Updated 2024-11-21

The Modal Window WordPress plugin before 5.2.2 allows include() of an arbitrary file with a PHP extension (as well as via the data:// or http:// protocols) within the wow-company admin menu page, thus leading to RCE via CSRF.

CVE-2021-25032 - Changeset Plugin
CRITICAL | CVSS 9.8 | 2022-01-10 | Threat Entry Updated 2024-11-21

The PublishPress Capabilities WordPress plugin before 2.3.1 and the PublishPress Capabilities Pro WordPress plugin before 2.3.1 do not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and do not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role, giving any newly registered user an administrator role.

CVE-2021-25043 - Changeset Plugin
MEDIUM | CVSS 6.1 | 2022-01-10 | Threat Entry Updated 2024-11-21

The WOOCS WordPress plugin before 1.3.7.3 does not sanitise and escape the custom_prices parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.

CVE-2021-25027 - Changeset Plugin
MEDIUM | CVSS 6.1 | 2022-01-03 | Threat Entry Updated 2024-11-21

The PowerPack Addons for Elementor WordPress plugin before 2.6.2 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting issue.

CVE-2021-25022 - Changeset Plugin
MEDIUM | CVSS 6.1 | 2022-01-03 | Threat Entry Updated 2025-05-22

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.66 does not sanitise and escape the backup_timestamp and job_id parameters before outputting them back in admin pages, leading to Reflected Cross-Site Scripting issues.

CVE-2021-24973 - Changeset Plugin
MEDIUM | CVSS 6.1 | 2022-01-03 | Threat Entry Updated 2024-11-21

The Site Reviews WordPress plugin before 5.17.3 does not sanitise and escape the site-reviews parameter of the glsr_action AJAX action (available to unauthenticated and any authenticated users), allowing them to perform Cross-Site Scripting attacks against logged-in admins viewing the Tool dashboard of the plugin.

CVE-2021-24963 - Changeset Plugin
MEDIUM | CVSS 4.8 | 2022-01-03 | Threat Entry Updated 2024-11-21

The LiteSpeed Cache WordPress plugin before 4.4.4 does not escape the qc_res parameter before outputting it back in the JS code of an admin page, leading to a Reflected Cross-Site Scripting issue.

CVE-2021-24998 - Changeset Plugin
HIGH | CVSS 7.5 | 2021-12-27 | Threat Entry Updated 2024-11-21

The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function, which "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation.

CVE-2021-24979 - Changeset Plugin
MEDIUM | CVSS 6.1 | 2021-12-27 | Threat Entry Updated 2024-11-21

The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue.

CVE-2021-24753 - Changeset Plugin
HIGH | CVSS 7.2 | 2021-12-27 | Threat Entry Updated 2024-11-21

The Rich Reviews by Starfish WordPress plugin before 1.9.6 does not properly validate the orderby GET parameter of the pending reviews page before using it in a SQL statement, leading to an authenticated SQL injection issue.

CVE-2021-24750 - Changeset Plugin
HIGH | CVSS 8.8 | 2021-12-21 | Threat Entry Updated 2026-03-06

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl parameter in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks.

CVE-2021-4073 - Changeset Plugin
CRITICAL | CVSS 9.8 | 2021-12-14 | Threat Entry Updated 2024-11-21

The RegistrationMagic WordPress plugin made it possible for unauthenticated users to log in as any site user, including administrators, if they knew a valid username on the site, due to missing identity validation in the social login function social_login_using_email() of the plugin. This affects versions equal to, and less than, 5.0.1.7.