Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 563 (Critical: 20, High: 112, Medium: 421)
Showing 541-560 of 563 records
Threat Entry Updated 2024-11-21

CVE-2021-24426 - Through 1 Plugin

The Backup by 10Web – Backup and Restore Plugin WordPress plugin through 1.0.20 does not sanitise or escape the tab parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue.

PLUGIN Through 1

CVE-2021-24426

MEDIUM CVSS 4.8 2021-07-12
Threat Entry Updated 2024-11-21

CVE-2021-24418 - Through 1 Plugin

The Smooth Scroll Page Up/Down Buttons WordPress plugin through 1.4 does not properly sanitise and validate its psb_positioning settings, allowing high privilege users such as admin to set an XSS payload in it, which will be executed in all pages of the blog.

PLUGIN Through 1

CVE-2021-24418

MEDIUM CVSS 4.8 2021-07-12
Threat Entry Updated 2024-11-21

CVE-2021-24405 - Through 1 Plugin

The Easy Cookies Policy WordPress plugin through 1.6.2 is lacking any capability and CSRF check when saving its settings, allowing any authenticated users (such as subscriber) to change them. If users can't register, this can be done through CSRF. Furthermore, the cookie banner setting is not sanitised or validated before being output in all pages of the frontend and the backend settings one, leading to a Stored Cross-Site Scripting issue.

PLUGIN Through 1

CVE-2021-24405

MEDIUM CVSS 6.5 2021-07-06
Threat Entry Updated 2024-11-21

CVE-2021-24349 - Through 1 Plugin

The Gallery from files WordPress plugin through 1.6.0 provides the functionality of uploading images to the server, but filenames are not properly sanitised before being output in an error message when they have an invalid extension, leading to a reflected Cross-Site Scripting issue. Due to the lack of a CSRF check, the attack could also be performed via that vector.

PLUGIN Through 1

CVE-2021-24349

MEDIUM CVSS 6.1 2021-06-14
Threat Entry Updated 2024-11-21

CVE-2021-24346 - Through 1 Plugin

The Stock in & out WordPress plugin through 1.0.4 has a search functionality, the lowest role with access to it being contributor. The srch POST parameter is not validated, sanitised or escaped before being used in an echo statement, leading to a reflected XSS issue.

PLUGIN Through 1

CVE-2021-24346

MEDIUM CVSS 5.4 2021-06-14
Threat Entry Updated 2024-11-21

CVE-2021-24337 - Through 1 Plugin

The id GET parameter of one of the pages of the Video Embed WordPress plugin through 1.0 (available via forced browsing) is not sanitised, validated or escaped before being used in a SQL statement, allowing low privilege users, such as subscribers, to perform SQL injection.

PLUGIN Through 1

CVE-2021-24337

HIGH CVSS 8.8 2021-06-07
Threat Entry Updated 2024-11-21

CVE-2021-24344 - Through 1 Plugin

The Easy Preloader WordPress plugin through 1.0.0 does not sanitise its setting fields, leading to authenticated (admin+) Stored Cross-Site Scripting issues.

PLUGIN Through 1

CVE-2021-24344

MEDIUM CVSS 4.8 2021-06-07
Threat Entry Updated 2024-11-21

CVE-2021-24333 - Through 1 Plugin

The Content Copy Protection & Prevent Image Save WordPress plugin through 1.3 does not check for CSRF when saving its settings, nor perform any validation and sanitisation on them, allowing attackers to make a logged in administrator set arbitrary XSS payloads in them.

PLUGIN Through 1

CVE-2021-24333

MEDIUM CVSS 6.5 2021-06-01
Threat Entry Updated 2024-11-21

CVE-2021-24328 - Through 1 Plugin

The WP Login Security and History WordPress plugin through 1.0 did not have a CSRF check when saving its settings, nor any sanitisation or validation on them. This could allow attackers to make logged in administrators change the plugin's settings to arbitrary values, and set XSS payloads in them as well.

PLUGIN Through 1

CVE-2021-24328

MEDIUM CVSS 6.2 2021-06-01
Threat Entry Updated 2024-11-21

CVE-2021-24316 - Through 1 Theme

The search feature of the Mediumish WordPress theme through 1.0.47 does not properly sanitise its 's' GET parameter before outputting it back in the page, leading to a Cross-Site Scripting issue.

THEME Through 1

CVE-2021-24316

MEDIUM CVSS 6.1 2021-06-01
Threat Entry Updated 2024-11-21

CVE-2021-24301 - Through 1 Plugin

The Hotjar Connecticator WordPress plugin through 1.1.1 is vulnerable to Stored Cross-Site Scripting (XSS) in the 'hotjar script' textarea. The request did include a CSRF nonce that was properly verified by the server and this vulnerability could only be exploited by administrator users.

PLUGIN Through 1

CVE-2021-24301

MEDIUM CVSS 5.4 2021-05-24
Threat Entry Updated 2024-11-21

CVE-2021-24324 - Through 1 Plugin

The 404 SEO Redirection WordPress plugin through 1.3 is lacking CSRF checks in all its settings, allowing attackers to make a logged in user change the plugin's settings. Due to the lack of sanitisation and escaping in some fields, it could also lead to Stored Cross-Site Scripting issues.

PLUGIN Through 1

CVE-2021-24324

MEDIUM CVSS 6.5 2021-05-17
Threat Entry Updated 2024-11-21

CVE-2021-24325 - Through 1 Plugin

The tab parameter of the settings page of the 404 SEO Redirection WordPress plugin through 1.3 is vulnerable to a reflected Cross-Site Scripting (XSS) issue as user input is not properly sanitised or escaped before being output in an attribute.

PLUGIN Through 1

CVE-2021-24325

MEDIUM CVSS 6.1 2021-05-17
Threat Entry Updated 2024-11-21

CVE-2021-24236 - Through 1 Plugin

The Imagements WordPress plugin through 1.2.5 allows images to be uploaded in comments, however only checks for the Content-Type in the request to forbid dangerous files. This allows unauthenticated attackers to upload arbitrary files by using a valid image Content-Type along with a PHP filename and code, leading to RCE.

PLUGIN Through 1

CVE-2021-24236

CRITICAL CVSS 9.8 2021-05-06
Threat Entry Updated 2024-11-21

CVE-2021-24252 - Through 1 Plugin

The Event Banner WordPress plugin through 1.3 does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or other executables, leading to RCE. Due to the lack of a CSRF check, the issue can also be exploited via that vector to achieve the same result, or via an LFI as authorisation checks are missing (but this would require WP to be loaded).

PLUGIN Through 1

CVE-2021-24252

HIGH CVSS 7.2 2021-05-06
Threat Entry Updated 2024-11-21

CVE-2021-24247 - Through 1 Plugin

The Contact Form Check Tester WordPress plugin through 1.0.2 settings are visible to all registered users in the dashboard and are lacking any sanitisation. As a result, any registered user, such as subscriber, can leave an XSS payload in the plugin settings, which will be triggered by any user visiting them, and could allow for privilege escalation. The vendor decided to close the plugin.

PLUGIN Through 1

CVE-2021-24247

MEDIUM CVSS 5.4 2021-05-06
Threat Entry Updated 2024-11-21

CVE-2021-24223 - Through 1 Plugin

The N5 Upload Form WordPress plugin through 1.0 suffers from an arbitrary file upload issue on pages where a form from the plugin is embedded, as any file can be uploaded. The uploaded filename might be hard to guess as it is generated with md5(uniqid(rand())); however, in the case of misconfigured servers with directory listing enabled, accessing it is trivial.

PLUGIN Through 1

CVE-2021-24223

CRITICAL CVSS 9.8 2021-04-12
Threat Entry Updated 2024-11-21

CVE-2021-24224 - Through 1 Plugin

The EFBP_verify_upload_file AJAX action of the Easy Form Builder WordPress plugin through 1.0, available to authenticated users, does not have any security in place to verify uploaded files, allowing low privilege users to upload arbitrary files, leading to RCE.

PLUGIN Through 1

CVE-2021-24224

HIGH CVSS 8.8 2021-04-12
Threat Entry Updated 2024-11-21

CVE-2021-24174 - Through 1 Plugin

The Database Backups WordPress plugin through 1.2.2.6 does not have CSRF checks, allowing attackers to make a logged in user perform unwanted actions, such as generating backups of the database, changing the plugin's settings and deleting backups.

PLUGIN Through 1

CVE-2021-24174

HIGH CVSS 8.1 2021-04-05