Live Vulnerability Intelligence

Threat Database

Total 3,198 records (Critical 182, High 652, Medium 2,340). Showing 3141-3160 of 3198 records.
Threat Entry Updated 2024-11-21

CVE-2021-24955 - User Registration, Login Form, User Profile & Membership plugin

The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not escape the data parameter of the pp_get_forms_by_builder_type AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.

Severity: MEDIUM (CVSS 6.1), 2021-12-13

CVE-2021-24954 - User Registration, Login Form, User Profile & Membership plugin

The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not sanitise and escape the ppress_cc_data parameter before outputting it back in an attribute of an admin dashboard page, leading to a Reflected Cross-Site Scripting issue.

Severity: MEDIUM (CVSS 6.1), 2021-12-13

CVE-2021-24747 - SEO Booster plugin

The SEO Booster WordPress plugin before 3.8 allows authenticated SQL injection via the fn_my_ajaxified_dataloader_ajax AJAX request: the $_REQUEST['order'][0]['dir'] parameter is not properly escaped before being used in the query, leading to blind and error-based SQL injection.

Severity: HIGH (CVSS 7.2), 2021-12-13

CVE-2021-25041 - Photo Gallery by 10Web plugin

The Photo Gallery by 10Web WordPress plugin before 1.5.68 is vulnerable to Reflected Cross-Site Scripting (XSS) via the bwg_album_breadcrumb_0 and shortcode_id GET parameters passed to the bwg_frontend_data AJAX action.

Severity: MEDIUM (CVSS 6.1), 2021-12-06

CVE-2021-24935 - WP Google Fonts plugin

The WP Google Fonts WordPress plugin before 3.1.5 does not escape the googlefont_ajax_name and googlefont_ajax_family parameters of the googlefont_action AJAX action (available to any authenticated user) before outputting them in attributes, leading to Reflected Cross-Site Scripting issues.

Severity: MEDIUM (CVSS 6.1), 2021-12-06

CVE-2021-42365 - Asgaros Forum plugin

The Asgaros Forum WordPress plugin, in versions up to and including 1.15.13, is vulnerable to Stored Cross-Site Scripting due to insufficient escaping of the name parameter in the ~/admin/tables/admin-structure-table.php file, which allows attackers with administrative access to inject arbitrary web scripts. This matters on multi-site installations, where administrators do not have the unfiltered_html capability, and on sites where unfiltered_html has been disabled, since those administrators are otherwise prevented from storing script.

Severity: MEDIUM (CVSS 4.8), 2021-11-29

CVE-2021-24883 - Popup Anything plugin

The Popup Anything WordPress plugin before 2.0.4 does not escape the Link Text and Button Text fields of a Popup, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

Severity: MEDIUM (CVSS 5.4), 2021-11-29

CVE-2021-24842 - Bulk Datetime Change plugin

The Bulk Datetime Change WordPress plugin before 1.12 does not enforce capability checks, which allows users with the Contributor role to 1) list private post titles of other users and 2) change the posted date of other users' posts.

Severity: MEDIUM (CVSS 5.4), 2021-11-29

CVE-2021-24894 - Reviews Plus plugin

The Reviews Plus WordPress plugin before 1.2.14 does not validate the submitted rating, allowing an authenticated user to submit an excessively long integer; when reviews are set to be displayed on the post/page, rendering the review section then causes a Denial of Service.

Severity: MEDIUM (CVSS 6.5), 2021-11-23

CVE-2021-24873 - Tutor LMS plugin

The Tutor LMS WordPress plugin before 1.9.11 does not sanitise and escape user input before outputting it back in attributes on the Student Registration page, leading to a Reflected Cross-Site Scripting issue.

Severity: MEDIUM (CVSS 6.1), 2021-11-23

CVE-2021-24830 - Advanced Access Manager plugin

The Advanced Access Manager WordPress plugin before 6.8.0 does not escape some of its settings when outputting them, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Severity: MEDIUM (CVSS 4.8), 2021-11-23

CVE-2021-42363 - Preview E-Mails for WooCommerce plugin

The Preview E-Mails for WooCommerce WordPress plugin, in versions up to and including 1.6.8, is vulnerable to Reflected Cross-Site Scripting via the search_order parameter in the ~/views/form.php file, which allows attackers to inject arbitrary web scripts.

Severity: MEDIUM (CVSS 6.1), 2021-11-19
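The reflected entries (CVE-2021-24955, CVE-2021-24954, CVE-2021-25041, CVE-2021-24935, CVE-2021-24873, CVE-2021-42363) and the stored ones (CVE-2021-42365, CVE-2021-24883, CVE-2021-24830, CVE-2021-24834, CVE-2021-24833, CVE-2021-24598) are the same defect seen at two points in time: a value reaches an HTML attribute without being escaped for that context. The following is an added illustration and is not code from any of the listed plugins. It shows a hypothetical `demo_get_forms` AJAX action written the vulnerable way and then hardened with WordPress core's own `check_ajax_referer()`, `current_user_can()`, `sanitize_key()` and `esc_attr()`, plus the stored-settings variant. It assumes it is loaded by WordPress as plugin code; the action name, option name and markup are invented for the example.

```php
<?php
/*
 * Added illustration (not from any listed plugin). Assumes WordPress has
 * loaded this file as plugin code; the action name, option name and markup
 * are hypothetical.
 */

// --- Vulnerable pattern (reflected): a request value is written straight
// into an attribute. wp_ajax_* actions are reachable by every logged-in user,
// so a link such as
//   /wp-admin/admin-ajax.php?action=demo_get_forms_vulnerable&data=x"+onmouseover="alert(1)
// closes the attribute and injects an event handler into the response.
add_action( 'wp_ajax_demo_get_forms_vulnerable', function () {
    $type = isset( $_GET['data'] ) ? $_GET['data'] : '';
    echo '<div class="demo-forms" data-type="' . $type . '"></div>';
    wp_die();
} );

// --- Hardened handler: nonce, capability, input constraint, context escaping.
add_action( 'wp_ajax_demo_get_forms', 'demo_get_forms_handler' );
function demo_get_forms_handler() {
    // CSRF: the caller must present the nonce created with
    // wp_create_nonce( 'demo_get_forms' ), typically handed to JS via wp_localize_script().
    check_ajax_referer( 'demo_get_forms', 'nonce' );

    // Authorization: "logged in" is not a capability; require a real one.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input: unslash, sanitize, then restrict to the values the code expects.
    $type    = isset( $_GET['data'] ) ? sanitize_key( wp_unslash( $_GET['data'] ) ) : '';
    $allowed = array( 'contact', 'registration', 'login' );
    if ( ! in_array( $type, $allowed, true ) ) {
        wp_send_json_error( 'invalid type', 400 );
    }

    // Output: escape for the exact context. esc_attr() for quoted attributes,
    // esc_html() for text nodes, esc_url() for href/src, wp_json_encode() for
    // values embedded in inline script.
    echo '<div class="demo-forms" data-type="' . esc_attr( $type ) . '"></div>';
    wp_die();
}

// --- Stored variant: the same rule at output time for saved settings.
// unfiltered_html only governs what WordPress strips on save; a plugin that
// prints its own option raw still hands an administrator without that
// capability (multisite, or a site that removed it) a stored XSS.
function demo_render_button_label_field() {
    $label = get_option( 'demo_button_label', '' );
    // Vulnerable form of the same line:
    // echo '<input type="text" name="demo_button_label" value="' . $label . '">';
    echo '<input type="text" name="demo_button_label" value="' . esc_attr( $label ) . '">';
}
```

`sanitize_key()` is the right input sanitizer here only because the parameter is expected to be a slug; for free text use `sanitize_text_field()` and still escape at the output context, since sanitizing on input is not a substitute for escaping on output.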

CVE-2021-42362 - WordPress Popular Posts plugin

The WordPress Popular Posts WordPress plugin, in versions up to and including 5.3.2, is vulnerable to arbitrary file upload due to insufficient input file type validation in the ~/src/Image.php file, which makes it possible for attackers with Contributor-level access and above to upload malicious files that can be used to obtain remote code execution.

Severity: HIGH (CVSS 8.8), 2021-11-17
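For the CVE-2021-42362 class the check that matters is that the stored file's type and extension are decided by the server from the file's content, never from the client-supplied name or Content-Type. The following is an added illustration, not code from WordPress Popular Posts: a hypothetical image-saving routine in its vulnerable form and a hardened form using WordPress core's `wp_get_image_mime()`, `wp_check_filetype_and_ext()` and `wp_handle_sideload()`. It assumes WordPress is loaded; the function names and the `$file` array (shaped like one entry of `$_FILES`) are the example's own.

```php
<?php
/*
 * Added illustration (not from WordPress Popular Posts). Assumes WordPress is
 * loaded; function names are hypothetical. $file is one entry of $_FILES.
 */

// Vulnerable pattern: trust the client-supplied name and write it into the
// uploads directory. A Contributor sends shell.php (or shell.phtml) with
// Content-Type: image/png and then requests it directly.
function demo_save_image_vulnerable( array $file ) {
    $upload = wp_upload_dir();
    $dest   = trailingslashit( $upload['path'] ) . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $dest );   // no validation at all
    return $dest;
}

// Hardened: capability check, content-based type detection against an
// allowlist, and a server-chosen filename so the extension cannot be dictated.
function demo_save_image( array $file ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }
    if ( ! is_uploaded_file( $file['tmp_name'] ) || empty( $file['size'] ) ) {
        return new WP_Error( 'invalid', 'Not an uploaded file.' );
    }

    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // 1. What is the file really? wp_get_image_mime() reads the image header
    //    and returns false for anything that is not a decodable image, so a
    //    PHP script named shell.png stops here.
    $real_mime = wp_get_image_mime( $file['tmp_name'] );
    if ( ! $real_mime || ! in_array( $real_mime, $allowed, true ) ) {
        return new WP_Error( 'invalid', 'File is not an allowed image type.' );
    }

    // 2. Reconcile extension with content. If the name says .jpg but the
    //    bytes are PNG, core returns the corrected ext/type (and proper_filename).
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'invalid', 'Extension not permitted.' );
    }

    // 3. Let core place the file under a name we generate, using the verified
    //    extension; wp_handle_sideload() re-runs the same type checks.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_sideload(
        array(
            'name'     => 'demo-' . wp_generate_password( 12, false ) . '.' . $check['ext'],
            'tmp_name' => $file['tmp_name'],
            'type'     => $check['type'],
            'error'    => 0,
            'size'     => $file['size'],
        ),
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result['file'];   // absolute path of the stored image
}
```

The explicit `wp_get_image_mime()` step is deliberate: `wp_check_filetype_and_ext()` corrects a mismatched image extension when it can identify the image, but when the content is not an image at all it falls back to the extension-derived type, so on its own it does not reject a non-image with a `.png` name. Generating the final name from the verified extension is what removes the client's control over what the web server will execute.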

CVE-2021-24834 - YOP Poll plugin

The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability in the Create Poll - Options module, where a user with a role as low as Author can execute arbitrary script code within the context of the application. The vulnerability is due to insufficient validation of the custom label parameters: vote button label, results link label and back-to-vote caption label.

Severity: MEDIUM (CVSS 5.4), 2021-11-17

CVE-2021-24833 - YOP Poll plugin

The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability in the Admin preview module, where a user with a role as low as Author can execute arbitrary script code within the context of the application. The vulnerability is due to insufficient validation of the question and answer text parameters in the Create Poll module.

Severity: MEDIUM (CVSS 5.4), 2021-11-17

CVE-2021-24851 - Insert Pages plugin

The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access the content and metadata of arbitrary posts/pages regardless of their author and status (i.e. including private ones), using a shortcode. Password-protected posts/pages are not affected.

Severity: MEDIUM (CVSS 4.3), 2021-11-17
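CVE-2021-24851 and CVE-2021-24842 are both missing object-level authorization: the code checks, at most, that someone is logged in, not that this user may read or modify that post. The following is an added illustration, not code from Insert Pages or Bulk Datetime Change. It shows a hypothetical `demo_insert` shortcode in vulnerable and hardened form, and a hypothetical date-changing AJAX action that checks the meta capability against the target post. It assumes WordPress is loaded; the shortcode, action and parameter names are invented.

```php
<?php
/*
 * Added illustration (not from Insert Pages or Bulk Datetime Change).
 * Assumes WordPress is loaded; shortcode/action/parameter names are hypothetical.
 */

// Vulnerable: a Contributor writes [demo_insert_vulnerable id="123"] in a draft
// and previews it; any post the site holds is rendered, including other
// authors' drafts and private posts.
add_shortcode( 'demo_insert_vulnerable', function ( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts );
    $post = get_post( absint( $atts['id'] ) );
    return $post ? apply_filters( 'the_content', $post->post_content ) : '';
} );

// Hardened: the *viewer* at render time must be allowed to read that post.
add_shortcode( 'demo_insert', function ( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts );
    $post = get_post( absint( $atts['id'] ) );
    if ( ! $post ) {
        return '';
    }
    // Published content is readable by anyone. Anything else goes through the
    // read_post meta capability, which core maps to read_private_posts for
    // private posts and to edit_others_posts for other people's drafts; the
    // post's own author always passes.
    if ( 'publish' !== $post->post_status && ! current_user_can( 'read_post', $post->ID ) ) {
        return '';
    }
    // Password-protected posts: show the form, not the body.
    if ( post_password_required( $post ) ) {
        return get_the_password_form( $post );
    }
    return apply_filters( 'the_content', $post->post_content );
} );

// The same rule for a write action (the CVE-2021-24842 class): check the
// capability against the object being modified, not merely "is logged in".
add_action( 'wp_ajax_demo_set_post_date', function () {
    check_ajax_referer( 'demo_set_post_date', 'nonce' );
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $date    = isset( $_POST['date'] ) ? sanitize_text_field( wp_unslash( $_POST['date'] ) ) : '';

    // edit_post maps to edit_others_posts when the post belongs to someone
    // else, so a Contributor is refused for posts that are not their own.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $ts = strtotime( $date );
    if ( false === $ts ) {
        wp_send_json_error( 'bad date', 400 );
    }
    $gmt    = gmdate( 'Y-m-d H:i:s', $ts );
    $result = wp_update_post( array(
        'ID'            => $post_id,
        'post_date'     => get_date_from_gmt( $gmt ),
        'post_date_gmt' => $gmt,
    ), true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
} );
```

The point of checking `read_post` rather than a role name is that the decision is made per object and at view time: the same shortcode renders the private post for its author and renders nothing for an anonymous visitor who reaches the page, which is what the advisory's "regardless of their author and status" clause is asking for.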

CVE-2021-24772 - Stream plugin

The Stream WordPress plugin before 3.8.2 does not sanitise and validate the order GET parameter from the Stream Records admin dashboard before using it in a SQL statement, leading to an SQL injection issue.

Severity: HIGH (CVSS 8.8), 2021-11-17

CVE-2021-24598 - Testimonial plugin

The Testimonial WordPress plugin before 1.6.0 does not escape some testimonial fields, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Severity: MEDIUM (CVSS 4.8), 2021-11-17

CVE-2021-24827 - Asgaros Forum plugin

The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection issue.

Severity: CRITICAL (CVSS 9.8), 2021-11-08

CVE-2021-24844 - Affiliates Manager plugin

The Affiliates Manager WordPress plugin before 2.8.7 does not validate the orderby parameter before using it in an SQL statement in the admin dashboard, leading to an SQL Injection issue.

Severity: HIGH (CVSS 7.2), 2021-11-08
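Three of the SQL injection entries (CVE-2021-24747, CVE-2021-24772, CVE-2021-24844) share one shape: an order, orderby or dir parameter is pasted into the ORDER BY clause, where `$wpdb->prepare()` offers no placeholder because identifiers and keywords cannot be bound. The fourth (CVE-2021-24827) is a plain value injection on an unauthenticated path. The following is an added illustration, not code from any of those plugins: a hypothetical record listing in vulnerable and hardened form, and a hypothetical unauthenticated subscribe action that prepares its values. It assumes WordPress is loaded (`$wpdb`); the table names, actions and parameters are invented.

```php
<?php
/*
 * Added illustration (not from any listed plugin). Assumes WordPress is
 * loaded; table names, action names and parameters are hypothetical.
 */

// Vulnerable pattern: orderby/order from the request are interpolated into the
// statement. prepare() cannot help with identifiers or keywords, so a request with
//   order=ASC,(SELECT 1 FROM (SELECT SLEEP(5))x)
// or an error-based payload in the same position runs as SQL.
function demo_list_records_vulnerable() {
    global $wpdb;
    $orderby = isset( $_REQUEST['orderby'] ) ? $_REQUEST['orderby'] : 'id';
    $order   = isset( $_REQUEST['order'] ) ? $_REQUEST['order'] : 'ASC';
    return $wpdb->get_results(
        "SELECT id, title FROM {$wpdb->prefix}demo_records ORDER BY $orderby $order"
    );
}

// Hardened: identifiers come from an allowlist, the direction is one of two
// literals, and every *value* goes through prepare().
function demo_list_records( $search = '' ) {
    global $wpdb;

    $columns = array( 'id', 'title', 'created_at' );
    $orderby = isset( $_REQUEST['orderby'] ) ? sanitize_key( wp_unslash( $_REQUEST['orderby'] ) ) : 'id';
    if ( ! in_array( $orderby, $columns, true ) ) {
        $orderby = 'id';
    }
    $order = isset( $_REQUEST['order'] ) ? strtoupper( sanitize_key( wp_unslash( $_REQUEST['order'] ) ) ) : 'ASC';
    $order = ( 'DESC' === $order ) ? 'DESC' : 'ASC';

    $sql = "SELECT id, title FROM {$wpdb->prefix}demo_records";
    if ( '' !== $search ) {
        // Values: %s placeholder, and esc_like() so % and _ in the input are literal.
        $sql .= $wpdb->prepare( ' WHERE title LIKE %s', '%' . $wpdb->esc_like( $search ) . '%' );
    }
    // Safe to interpolate now: both pieces are members of fixed sets, not user text.
    $sql .= " ORDER BY {$orderby} {$order}";
    return $wpdb->get_results( $sql );
}

// Unauthenticated write path (the CVE-2021-24827 class): a nopriv action that
// inserts a subscription. $wpdb->insert() builds the prepared statement from
// the format array, so the email never touches the SQL text.
add_action( 'wp_ajax_nopriv_demo_subscribe', 'demo_subscribe' );
add_action( 'wp_ajax_demo_subscribe', 'demo_subscribe' );
function demo_subscribe() {
    global $wpdb;
    $topic = isset( $_POST['topic_id'] ) ? absint( $_POST['topic_id'] ) : 0;
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! $topic || ! is_email( $email ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    $ok = $wpdb->insert(
        $wpdb->prefix . 'demo_subscriptions',
        array( 'topic_id' => $topic, 'email' => $email ),
        array( '%d', '%s' )
    );
    if ( false === $ok ) {
        wp_send_json_error( 'db error', 500 );
    }
    wp_send_json_success();
}
```

Core also ships `sanitize_sql_orderby()`, which accepts strings of the form `column ASC, other DESC` by regex and returns false otherwise; it stops the injection but still lets a caller name any column, so an explicit allowlist of the columns the page is meant to sort on is the stricter choice and is what the listing above uses.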