
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 563 (Critical: 20, High: 112, Medium: 421)

Showing 461-480 of 563 records
Threat Entry Updated 2024-11-21

CVE-2021-24933 - Through 1 Plugin

The Dynamic Widgets WordPress plugin through 1.5.16 does not escape the prefix parameter before outputting it back in an attribute when using the term_tree AJAX action (available to any authenticated user), leading to a Reflected Cross-Site Scripting issue.

PLUGIN Through 1

CVE-2021-24933

MEDIUM CVSS 5.4 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-24901 - Through 1 Plugin

The Security Audit WordPress plugin through 1.0.0 does not sanitise and escape the Data Id setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Through 1

CVE-2021-24901

MEDIUM CVSS 4.8 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-24704 - Through 1 Plugin

In the Orange Form WordPress plugin through 1.0, the process_bulk_action() function in "admin/orange-form-email.php" performs an unprepared SQL query with an unsanitized parameter ($id). Only admins can access the page that invokes the function, but because of the lack of CSRF protection, it is actually exploitable and could allow attackers to make a logged-in admin delete arbitrary posts, for example.

PLUGIN Through 1

CVE-2021-24704

HIGH CVSS 8.8 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-24689 - Through 1 Plugin

The Contact Forms - Drag & Drop Contact Form Builder WordPress plugin through 1.0.5 allows high privilege users to download arbitrary files from the web server via a path traversal attack.

PLUGIN Through 1

CVE-2021-24689

MEDIUM CVSS 4.9 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-24688 - Through 1 Plugin

The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in any of its AJAX calls; for example, the or_delete_filed one, which is available to both unauthenticated and authenticated users, could allow attackers to delete arbitrary posts. The AJAX calls performing actions on posts also do not ensure that the posts belong to the caller (or that the caller is allowed to perform such an action on them).

PLUGIN Through 1

CVE-2021-24688

MEDIUM CVSS 4.3 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-25058 - Through 1 Plugin

The Buffer Button WordPress plugin through 1.0 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) within the "Twitter username to mention" text field.

PLUGIN Through 1

CVE-2021-25058

MEDIUM CVSS 5.4 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2021-25057 - Through 1 Plugin

The Translation Exchange WordPress plugin through 1.0.14 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) within the Project Key text field found in the plugin's settings.

PLUGIN Through 1

CVE-2021-25057

MEDIUM CVSS 5.4 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2022-0212 - Through 1 Plugin

The SpiderCalendar WordPress plugin through 1.5.65 does not sanitise and escape the callback parameter before outputting it back in the page via the window AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting issue.

PLUGIN Through 1

CVE-2022-0212

MEDIUM CVSS 6.1 2022-02-14
Threat Entry Updated 2024-11-21

CVE-2021-25097 - Through 1 Plugin

The LabTools WordPress plugin through 1.0 does not have proper authorisation and CSRF checks in place when deleting publications, allowing any authenticated user, such as a subscriber, to delete arbitrary publications.

PLUGIN Through 1

CVE-2021-25097

MEDIUM CVSS 6.5 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-24765 - Through 1 Plugin

The Perfect Survey WordPress plugin through 1.5.2 does not validate and escape the X-Forwarded-For header value before outputting it in the statistics page when the Anonymize IP setting of a survey is turned off, leading to a Stored Cross-Site Scripting issue.

PLUGIN Through 1

CVE-2021-24765

MEDIUM CVSS 6.1 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-24857 - Through 1 Plugin

The ToTop Link WordPress plugin through 1.7.1 passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain.

PLUGIN Through 1

CVE-2021-24857

CRITICAL CVSS 9.8 2021-12-13
Threat Entry Updated 2024-11-21

CVE-2021-24845 - Through 1 Plugin

The Improved Include Page WordPress plugin through 1.2 allows passing shortcode attributes with post_type & post_status which can be used to retrieve arbitrary content. This way, users with a role as low as Contributor can gain access to content they are not supposed to.

PLUGIN Through 1

CVE-2021-24845

MEDIUM CVSS 6.5 2021-12-13
Threat Entry Updated 2024-11-21

CVE-2021-24795 - Through 1 Plugin

The Filter Portfolio Gallery WordPress plugin through 1.5 lacks a Cross-Site Request Forgery (CSRF) check when deleting a Gallery, which could allow attackers to make a logged-in admin delete an arbitrary Gallery.

PLUGIN Through 1

CVE-2021-24795

MEDIUM CVSS 6.5 2021-12-13
Threat Entry Updated 2024-11-21

CVE-2021-24784 - Through 1 Plugin

The WP Admin Logo Changer WordPress plugin through 1.0 does not have a CSRF check when saving its settings, which could allow attackers to make a logged-in admin update them via a CSRF attack.

PLUGIN Through 1

CVE-2021-24784

MEDIUM CVSS 6.5 2021-12-13
Threat Entry Updated 2024-11-21

CVE-2021-24792 - Through 1 Plugin

The Shiny Buttons WordPress plugin through 1.1.0 does not have any authorisation and CSRF checks in place when saving a template (wpbtn_save_template function hooked to the init action), nor does it sanitise and escape templates before outputting them in the admin dashboard, which allows unauthenticated users to add a malicious template and leads to Stored Cross-Site Scripting issues.

PLUGIN Through 1

CVE-2021-24792

MEDIUM CVSS 6.1 2021-12-13
Threat Entry Updated 2024-11-21

CVE-2021-24817 - Through 1 Plugin

The Ultimate NoFollow WordPress plugin through 1.4.8 does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks.

PLUGIN Through 1

CVE-2021-24817

MEDIUM CVSS 5.4 2021-12-13
Threat Entry Updated 2024-11-21

CVE-2021-24782 - Through 1 Plugin

The Flex Local Fonts WordPress plugin through 1.0.0 does not escape the Class Name field when adding a font, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Through 1

CVE-2021-24782

MEDIUM CVSS 4.8 2021-12-13
Threat Entry Updated 2024-11-21

CVE-2021-24771 - Through 1 Plugin

The Inspirational Quote Rotator WordPress plugin through 1.0.0 does not sanitize and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site Scripting issues when the quote is output in the "Quotes list", even when the unfiltered_html capability is disallowed.

PLUGIN Through 1

CVE-2021-24771

MEDIUM CVSS 4.8 2021-12-13
Threat Entry Updated 2024-11-21

CVE-2021-24819 - Through 1 Plugin

The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as admins and editors.

PLUGIN Through 1

CVE-2021-24819

MEDIUM CVSS 4.3 2021-12-13