
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

CVE-2021-24818 - WP Limits plugin through 1.0

The WP Limits WordPress plugin through 1.0 does not have a CSRF check when saving its settings, allowing an attacker to make a logged-in admin change them, which could make the blog unstable by setting low values.

MEDIUM CVSS 4.3 2021-12-13 (entry updated 2024-11-21)
CVE-2021-24790 - Contact Form Advanced Database plugin through 1.0.8

The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation or CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions, which are available to any authenticated user, so users with a role as low as subscriber can call them. The delete_cf7_data action would lead to arbitrary metadata deletion, as well as PHP Object Injection if a suitable gadget chain is present in another plugin, since user data is passed to the maybe_unserialize() function without first being validated.

MEDIUM CVSS 4.3 2021-12-13 (entry updated 2024-11-21)
CVE-2021-24780 - Single Post Exporter plugin through 1.1.1

The Single Post Exporter WordPress plugin through 1.1.1 does not have CSRF checks when saving its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack and give access to the export feature to any role, such as subscriber. Subscriber users would then be able to export an arbitrary post/page (such as private and password-protected ones) via a direct URL.

MEDIUM CVSS 4.3 2021-12-13 (entry updated 2024-11-21)
CVE-2021-24801 - WP Survey Plus plugin through 1.0

The WP Survey Plus WordPress plugin through 1.0 does not have any authorisation or CSRF checks in place in its AJAX actions, allowing any user to call them and add/edit/delete Surveys. Furthermore, due to the lack of sanitisation of the Surveys' Title, this could also lead to Stored Cross-Site Scripting issues.

MEDIUM CVSS 4.3 2021-11-08 (entry updated 2024-11-21)
CVE-2021-24626 - Chameleon CSS plugin through 1.2

The Chameleon CSS WordPress plugin through 1.2 does not have any CSRF or capability checks in any of its AJAX calls, allowing any authenticated user, such as a subscriber, to call them and perform unauthorised actions. One of the AJAX calls, remove_css, also does not sanitise or escape the css_id POST parameter before using it in a SQL statement, leading to a SQL Injection.

HIGH CVSS 8.8 2021-11-08 (entry updated 2024-11-21)
CVE-2021-24629 - Post Content XMLRPC plugin through 1.0

The Post Content XMLRPC WordPress plugin through 1.0 does not sanitise or escape multiple GET/POST parameters before using them in SQL statements in the admin dashboard, leading to authenticated SQL Injections.

HIGH CVSS 7.2 2021-11-08 (entry updated 2024-11-21)
CVE-2021-24627 - G Auto-Hyperlink plugin through 1.0.1

The G Auto-Hyperlink WordPress plugin through 1.0.1 does not sanitise or escape an 'id' GET parameter before using it in a SQL statement to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection.

HIGH CVSS 7.2 2021-11-08 (entry updated 2024-11-21)
CVE-2021-24625 - SpiderCatalog plugin through 1.7.3

The SpiderCatalog WordPress plugin through 1.7.3 does not sanitise or escape the 'parent' and 'ordering' parameters from the admin dashboard before using them in a SQL statement, leading to a SQL injection when adding a category.

HIGH CVSS 7.2 2021-11-08 (entry updated 2024-11-21)
CVE-2021-24607 - Storefront Footer Text plugin through 1.0.1

The Storefront Footer Text WordPress plugin through 1.0.1 does not sanitise and escape the "Footer Credit Text" added to pages, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2021-11-08 (entry updated 2024-11-21)
CVE-2021-24662 - Game Server Status plugin through 1.0

The Game Server Status WordPress plugin through 1.0 does not validate or escape the server_id parameter before using it in a SQL statement, leading to an authenticated SQL Injection in an admin page.

HIGH CVSS 7.2 2021-10-25 (entry updated 2024-11-21)
CVE-2021-24543 - jQuery Reply to Comment plugin through 1.31

The jQuery Reply to Comment WordPress plugin through 1.31 does not have any CSRF check when saving its settings, nor does it sanitise or escape its 'Quote String' and 'Reply String' settings before outputting them in comments, leading to a Stored Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2021-10-25 (entry updated 2024-11-21)
CVE-2021-24785 - Great Quotes plugin through 1.0.0

The Great Quotes WordPress plugin through 1.0.0 does not sanitise and escape the Quote and Author fields of its Quotes, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2021-10-25 (entry updated 2024-11-21)
CVE-2021-24642 - Scroll Baner plugin through 1.0

The Scroll Baner WordPress plugin through 1.0 does not have a CSRF check in place when saving its settings, nor does it perform any sanitisation, escaping or validation on them. This could allow attackers to make a logged-in admin change them, which could lead to RCE (via a file upload) as well as XSS.

MEDIUM CVSS 6.5 2021-10-18 (entry updated 2024-11-21)
CVE-2021-24595 - Wp Cookie Choice plugin through 1.1.0

The Wp Cookie Choice WordPress plugin through 1.1.0 lacks any CSRF check when saving its options, and does not escape them when outputting them in attributes. As a result, an attacker could make a logged-in admin change them to arbitrary values, including XSS payloads, via a CSRF attack.

MEDIUM CVSS 6.5 2021-10-18 (entry updated 2024-11-21)
CVE-2021-24617 - GamePress plugin through 1.1.0

The GamePress WordPress plugin through 1.1.0 does not escape the op_edit POST parameter before outputting it back in multiple Game Option pages, leading to Reflected Cross-Site Scripting issues.

MEDIUM CVSS 6.1 2021-10-18 (entry updated 2024-11-21)
CVE-2021-24615 - Wechat Reward plugin through 1.7

The Wechat Reward WordPress plugin through 1.7 does not sanitise or escape its QR settings, nor does it have any CSRF check in place, allowing attackers to make a logged-in admin change the settings and perform Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2021-10-18 (entry updated 2024-11-21)
CVE-2021-24415 - Polo Video Gallery plugin through 1.2

The Polo Video Gallery – Best wordpress video gallery plugin WordPress plugin through 1.2 does not sanitise or validate the parameters of its shortcode, allowing users with a role as low as contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page(s) where the malicious shortcode is embedded.

MEDIUM CVSS 5.4 2021-10-18 (entry updated 2024-11-21)
CVE-2021-24563 - Frontend Uploader plugin through 1.3.2

The Frontend Uploader WordPress plugin through 1.3.2 does not prevent HTML files from being uploaded via its form, allowing an unauthenticated user to upload a malicious HTML file containing JavaScript, for example, which will be triggered when someone accesses the file directly.

MEDIUM CVSS 6.1 2021-10-11 (entry updated 2024-11-21)
CVE-2021-24545 - WP HTML Author Bio plugin through 1.2.0

The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visits a post made by such a user in the frontend. As a result, a user with a role as low as author could perform Cross-Site Scripting attacks against users, which could potentially lead to privilege escalation when an admin views the related post(s).

MEDIUM CVSS 5.4 2021-10-11 (entry updated 2024-11-21)
CVE-2021-24663 - Simple Schools Staff Directory plugin through 1.1

The Simple Schools Staff Directory WordPress plugin through 1.1 does not validate uploaded logo pictures to ensure that they are indeed images, allowing high-privilege users such as admins to upload arbitrary files, like PHP, leading to RCE.

HIGH CVSS 7.2 2021-09-20 (entry updated 2024-11-21)