Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,198 (Critical: 182, High: 652, Medium: 2,340)

Showing 3181-3198 of 3198 records
Threat Entry Updated 2024-11-21

CVE-2021-39347 - Changeset Plugin

The Stripe for WooCommerce WordPress plugin is missing a capability check on the save() function found in the ~/includes/admin/class-wc-stripe-admin-user-edit.php file, which makes it possible for attackers to configure their account to use other site users' unique Stripe identifier and make purchases with their payment accounts. This affects versions 3.0.0 - 3.3.9.

MEDIUM CVSS 4.3 2021-10-04

Threat Entry Updated 2024-11-21

CVE-2021-39342 - Changeset Plugin

The Credova_Financial WordPress plugin discloses a site's associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled. This affects versions up to, and including, 1.4.8.

MEDIUM CVSS 5.3 2021-09-29

Threat Entry Updated 2024-11-21

CVE-2021-34636 - Changeset Plugin

The Countdown and CountUp, WooCommerce Sales Timers WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_theme function found in the ~/includes/admin/coundown_theme_page.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.7.

HIGH CVSS 8.8 2021-09-28

Threat Entry Updated 2024-11-21

CVE-2021-24728 - Changeset Plugin

The Membership & Content Restriction – Paid Member Subscriptions WordPress plugin before 2.4.2 did not sanitise, validate or escape its order and orderby parameters before using them in a SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages.

HIGH CVSS 8.8 2021-09-13

Threat Entry Updated 2026-01-16

CVE-2021-24727 - Changeset Plugin

The StopBadBots WordPress plugin before 6.60 did not validate or escape the order and orderby GET parameters in some of its admin dashboard pages, leading to Authenticated SQL Injections.

HIGH CVSS 8.8 2021-09-13

Threat Entry Updated 2024-11-21

CVE-2021-24724 - Changeset Plugin

The Timetable and Event Schedule by MotoPress WordPress plugin before 2.3.19 does not sanitise some of its parameters, which could allow low-privilege users such as authors to perform XSS attacks against frontend and backend users when they view the related event/s.

MEDIUM CVSS 5.4 2021-09-13

Threat Entry Updated 2024-11-21

CVE-2021-24565 - Changeset Plugin

The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing an attacker to make a logged-in user with the manage_options capability change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue.

HIGH CVSS 8.8 2021-08-23

Threat Entry Updated 2024-12-17

CVE-2021-24561 - Changeset Plugin

The WP SMS WordPress plugin before 5.4.13 does not sanitise the "wp_group_name" parameter before outputting it back in the "Groups" page, leading to an Authenticated Stored Cross-Site Scripting issue.

MEDIUM CVSS 5.4 2021-08-23

Threat Entry Updated 2024-11-21

CVE-2021-24658 - Changeset Plugin

The Erident Custom Login and Dashboard WordPress plugin before 3.5.9 did not properly sanitise its settings, allowing high-privilege users to use XSS payloads in them (even when the unfiltered_html capability is disabled).

MEDIUM CVSS 4.8 2021-08-23

Threat Entry Updated 2024-11-21

CVE-2021-24574 - Changeset Plugin

The Simple Banner WordPress plugin before 2.10.4 does not sanitise and escape one of its settings, allowing high privilege users such as admin to use Cross-Site Scripting payload even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2021-08-23

Threat Entry Updated 2024-11-21

CVE-2021-24239 - Changeset Plugin

The Pie Register – User Registration Forms. Invitation based registrations, Custom Login, Payments WordPress plugin before 3.7.0.1 does not sanitise the invitaion_code GET parameter when outputting it in the Activation Code page, leading to a reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2021-04-22

Threat Entry Updated 2024-11-21

CVE-2021-24221 - Changeset Plugin

The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the result_id GET parameter on pages with the [qsm_result] shortcode without an id attribute, concatenating it into a SQL statement and leading to an SQL injection. Since the lowest role allowed to use this shortcode in posts or pages is author, such users could gain unauthorised access to the DBMS. If the shortcode (without the id attribute) is embedded on a public page or post, then unauthenticated users could exploit the injection.

HIGH CVSS 8.8 2021-04-12

Threat Entry Updated 2024-11-21

CVE-2021-24225 - Changeset Plugin

The Advanced Booking Calendar WordPress plugin before 1.6.7 did not sanitise the calId GET parameter in the "Seasons & Calendars" page before outputting it in an A tag, leading to a reflected XSS issue.

MEDIUM CVSS 5.4 2021-04-12

Threat Entry Updated 2024-11-21

CVE-2021-24209 - Changeset Plugin

The WP Super Cache WordPress plugin before 1.7.2 was affected by an authenticated (admin+) RCE in the settings page due to input validation failure and weak $cache_path check in the WP Super Cache Settings -> Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for a web shell injection.

HIGH CVSS 7.2 2021-04-05

Threat Entry Updated 2024-11-21

CVE-2021-24210 - Changeset Plugin

There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to malform a request to a page with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year ago (https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/) which states that the PHP involved in the request only goes to whitelisted pages, but it is possible to redirect the victim to any domain.

MEDIUM CVSS 6.1 2021-04-05

Threat Entry Updated 2025-03-24

CVE-2021-24177 - Changeset Plugin

In the default configuration of the File Manager WordPress plugin before 7.1, a Reflected XSS can occur on the endpoint /wp-admin/admin.php?page=wp_file_manager_properties when a payload is submitted on the User-Agent parameter. The payload is then reflected back on the web application response.

MEDIUM CVSS 5.4 2021-04-05

Threat Entry Updated 2024-11-21

CVE-2021-24153 - Changeset Plugin

A Stored Cross-Site Scripting vulnerability was discovered in the Yoast SEO WordPress plugin before 3.4.1, which had built-in blacklist filters that blocked parentheses as well as several functions such as alert, but bypasses were found.

MEDIUM CVSS 5.4 2021-04-05