Threat Database

Showing 2761-2780 of 3046 records
CVE-2021-25064 - Wow Countdowns Plugin

The Wow Countdowns WordPress plugin through 3.1.2 does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection.

Plugin: Wow Countdowns | Severity: High (CVSS 7.2) | Published: 2022-03-28 | Entry updated: 2024-11-21
CVE-2022-0889 - Ninja Forms File Uploads Extension Plugin

The Ninja Forms - File Uploads Extension WordPress plugin, in versions up to and including 3.3.12, is vulnerable to reflected cross-site scripting because the files filename parameter handled in ~/includes/ajax/controllers/uploads.php is not sanitised, which lets unauthenticated attackers inject malicious web scripts into vulnerable WordPress sites.

Plugin: Ninja Forms File Uploads Extension | Severity: High (CVSS 7.2) | Published: 2022-03-23 | Entry updated: 2024-11-21
CVE-2022-0834 - Amelia Plugin

The Amelia WordPress plugin, in versions up to and including 1.0.46, is vulnerable to cross-site scripting due to insufficient escaping and sanitisation of the lastName parameter handled in ~/src/Application/Controller/User/Customer/AddCustomerController.php. An attacker can inject arbitrary web scripts that execute whenever a user opens the booking calendar on the date into which the payload was injected.

Plugin: Amelia | Severity: High (CVSS 7.2) | Published: 2022-03-23 | Entry updated: 2024-11-21
CVE-2022-0687 - Amelia Plugin

The Amelia WordPress plugin before 1.0.47 stores image blobs as real files whose extension is controlled by the user, which may allow PHP backdoors to be uploaded to the site. The vulnerability can be exploited by logged-in users with the custom "Amelia Manager" role.

Plugin: Amelia | Severity: High (CVSS 8.8) | Published: 2022-03-21 | Entry updated: 2024-11-21
CVE-2022-0229 - miniOrange's Google Authenticator Plugin

The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not properly validate the parameters passed to it. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable.

Plugin: miniOrange's Google Authenticator | Severity: High (CVSS 8.1) | Published: 2022-03-21 | Entry updated: 2024-11-21
CVE-2021-24905 - Advanced Contact Form 7 DB Plugin

The Advanced Contact form 7 DB WordPress plugin before 1.8.7 has neither authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing wp-config.php lets an attacker trigger the WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to users.

Plugin: Advanced Contact Form 7 DB | Severity: High (CVSS 8.0) | Published: 2022-03-21 | Entry updated: 2024-11-21
CVE-2022-22735 - Simple Quotation Plugin

The Simple Quotation WordPress plugin through 1.3.2 does not have authorisation (and CSRF) checks in several of its AJAX actions and does not escape user data before using it in SQL statements, allowing any authenticated user, such as a subscriber, to perform SQL injection attacks.

Plugin: Simple Quotation | Severity: High (CVSS 8.8) | Published: 2022-03-14 | Entry updated: 2024-11-21
CVE-2022-0478 - Event Manager and Tickets Selling for WooCommerce Plugin

The Event Manager and Tickets Selling for WooCommerce WordPress plugin before 3.5.8 does not validate and escape the post_author_gutenberg parameter before using it in a SQL statement when creating or editing events, which could allow users with a role as low as contributor to perform SQL injection attacks.

Plugin: Event Manager and Tickets Selling for WooCommerce | Severity: High (CVSS 8.8) | Published: 2022-03-14 | Entry updated: 2024-11-21
CVE-2021-24959 - WP Email Users Plugin

The WP Email Users WordPress plugin through 1.7.6 does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, available to any authenticated user, allowing them to perform SQL injection attacks.

Plugin: WP Email Users | Severity: High (CVSS 8.8) | Published: 2022-03-14 | Entry updated: 2024-11-21
CVE-2022-0439 - Email Subscribers & Newsletters Plugin

The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the `order` and `orderby` parameters of the `ajax_fetch_report_list` action, making it vulnerable to blind SQL injection by users with roles as low as Subscriber. Further, the action has no CSRF protection, allowing an attacker to trick any logged-in user into performing it by clicking a link.

Plugin: Email Subscribers & Newsletters | Severity: High (CVSS 8.8) | Published: 2022-03-07 | Entry updated: 2024-11-21
CVE-2022-0410 - WP Visitor Statistics (Real Time Traffic) Plugin

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.6 does not sanitise and escape the id parameter before using it in a SQL statement via the refUrlDetails AJAX action, available to any authenticated user, leading to SQL injection.

Plugin: WP Visitor Statistics (Real Time Traffic) | Severity: High (CVSS 8.8) | Published: 2022-03-07 | Entry updated: 2026-03-06
CVE-2022-0440 - Catch Themes Demo Import Plugin

The Catch Themes Demo Import WordPress plugin before 2.1.1 does not validate one of the files to be imported, which could allow a high-privilege admin to upload an arbitrary PHP file and gain RCE even on a hardened blog (i.e. with the DISALLOW_UNFILTERED_HTML, DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants set to true).

Plugin: Catch Themes Demo Import | Severity: High (CVSS 7.2) | Published: 2022-03-07 | Entry updated: 2024-11-21
CVE-2022-0420 - RegistrationMagic Plugin

The RegistrationMagic WordPress plugin before 5.0.2.2 does not sanitise and escape the rm_form_id parameter before using it in a SQL statement in the Automation admin dashboard, allowing high-privilege users to perform SQL injection attacks.

Plugin: RegistrationMagic | Severity: High (CVSS 7.2) | Published: 2022-03-07 | Entry updated: 2024-11-21
CVE-2022-0267 - AdRotate Plugin

The AdRotate WordPress plugin before 5.8.22 does not sanitise and escape the adrotate_action parameter before using it in a SQL statement via the adrotate_request_action function, available to admins, leading to SQL injection.

Plugin: AdRotate | Severity: High (CVSS 7.2) | Published: 2022-03-07 | Entry updated: 2024-11-21
CVE-2021-24952 - Conversios.io Plugin

The Conversios.io WordPress plugin before 4.6.2 does not sanitise, validate or escape the sync_progressive_data parameter of the tvcajax_product_sync_bantch_wise AJAX action before using it in a SQL statement, allowing any authenticated user to perform SQL injection attacks.

Plugin: Conversios.io | Severity: High (CVSS 8.8) | Published: 2022-03-07 | Entry updated: 2025-03-12
CVE-2021-25087 - Download Manager Plugin

The Download Manager WordPress plugin before 3.2.35 does not have any authorisation checks in some of its REST API endpoints, allowing unauthenticated attackers to call them, which could lead to sensitive information disclosure such as post passwords (fixed in 3.2.24) and file Master Keys (fixed in 3.2.25).

Plugin: Download Manager | Severity: High (CVSS 7.5) | Published: 2022-03-07 | Entry updated: 2025-03-21
CVE-2021-24777 - Hotscot Contact Form Plugin

The view-submission functionality of the Hotscot Contact Form WordPress plugin before 1.3 makes a GET request with a sub_id parameter that is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

Plugin: Hotscot Contact Form | Severity: High (CVSS 7.2) | Published: 2022-03-07 | Entry updated: 2024-11-21
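Most entries on this page describe the same handful of WordPress plugin defects: an AJAX action with no nonce or capability check (Simple Quotation, Advanced Contact Form 7 DB, Email Subscribers & Newsletters, miniOrange's Google Authenticator), a request parameter spliced into a $wpdb query without prepare() (Wow Countdowns, Event Manager, WP Email Users, WP Visitor Statistics, RegistrationMagic, AdRotate, Conversios.io, Hotscot Contact Form), request input echoed without escaping (Ninja Forms File Uploads, Amelia), and a REST route with no permission check (Download Manager). The following is an added example, not the page's or any plugin's code: a small Python triage script that greps a plugin's PHP for those patterns, run over a constructed vulnerable handler and its hardened rewrite. The plugin, action, table and route names in the samples are invented for the example, and the regexes are deliberately coarse.

```python
"""Heuristic triage of WordPress plugin PHP for the bug classes listed above: AJAX
handlers without nonce/capability checks, $wpdb queries built from request input
without prepare(), unescaped echo of request input, and REST routes with no
permission_callback. Regex-based, no taint tracking across functions: review hits by hand."""
import re
from collections import namedtuple

SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
SAFE_CAST = r"(?:\babsint\s*\(|\bintval\s*\(|\(int\)|\bsanitize_key\s*\()"  # safe for SQL splicing
RAW_QUERY = r"\$wpdb->(?:query|get_results|get_var|get_row|get_col)\s*\("
ESCAPER = r"\besc_(?:html|attr|js|url|textarea)\s*\("
AJAX_HOOK = r"add_action\(\s*['\"]wp_ajax_(nopriv_)?\w+['\"]\s*,\s*['\"](\w+)['\"]"
Finding = namedtuple("Finding", "line rule detail")


def _balanced(src, start, open_ch, close_ch):
    """Text from start (just past an opener) up to its matching closer."""
    depth, i = 1, start
    while i < len(src) and depth:
        depth += (src[i] == open_ch) - (src[i] == close_ch)
        i += 1
    return src[start:i - 1]


def _functions(src):
    """Yield (name, body, line) for each named function; closures have no name and are skipped."""
    for m in re.finditer(r"\bfunction\s+(\w+)\s*\([^)]*\)\s*\{", src):
        yield m.group(1), _balanced(src, m.end(), "{", "}"), src.count("\n", 0, m.start()) + 1


def _tainted_vars(body):
    """Locals assigned straight from a superglobal with no integer cast or sanitize_key()."""
    tainted = set()
    for m in re.finditer(r"(\$\w+)\s*=\s*([^;=][^;]*);", body):
        if re.search(SUPERGLOBAL, m.group(2)) and not re.search(SAFE_CAST, m.group(2)):
            tainted.add(m.group(1))
    return tainted


def audit(src):
    """Return the Findings for one PHP file's source text."""
    findings, handlers = [], {}  # handlers: callback name -> set of nopriv flags
    for m in re.finditer(AJAX_HOOK, src):
        handlers.setdefault(m.group(2), set()).add(bool(m.group(1)))
    for name, body, line in _functions(src):
        taint_re = "|".join([SUPERGLOBAL] + [re.escape(v) + r"\b" for v in _tainted_vars(body)])
        if name in handlers and handlers[name] != {True}:  # nopriv-only handlers are public by design
            if not re.search(r"\b(?:check_ajax_referer|wp_verify_nonce)\s*\(", body):
                findings.append(Finding(line, "ajax-missing-nonce", name))
            if not re.search(r"\bcurrent_user_can\s*\(", body):
                findings.append(Finding(line, "ajax-missing-capability", name))
        for q in re.finditer(RAW_QUERY, body):
            arg = _balanced(body, q.end(), "(", ")")
            if "prepare(" not in arg and re.search(taint_re, arg):
                findings.append(Finding(line + body.count("\n", 0, q.start()), "sqli-unprepared-query", arg.strip()))
        for e in re.finditer(r"\becho\s+([^;]+);", body):
            if re.search(taint_re, e.group(1)) and not re.search(ESCAPER, e.group(1)):
                findings.append(Finding(line + body.count("\n", 0, e.start()), "xss-unescaped-output", e.group(1).strip()))
    for m in re.finditer(r"\bregister_rest_route\s*\(", src):
        args = _balanced(src, m.end(), "(", ")")
        # No callback means public (WP 5.5+ warns but serves it); __return_true is public on purpose.
        if "permission_callback" not in args or "__return_true" in args:
            findings.append(Finding(src.count("\n", 0, m.start()) + 1, "rest-no-permission-check", args.split(",")[1].strip()))
    return findings


# Constructed samples: a handler written the way the entries above describe, then hardened.
# demo_report, demo_preview, demo_visits and demo/v1 are invented names for this example.
VULNERABLE = r"""<?php
add_action('wp_ajax_demo_report', 'demo_report');
add_action('wp_ajax_nopriv_demo_preview', 'demo_preview');
function demo_report() {
    global $wpdb;
    $id = $_POST['id'];
    $rows = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}demo_visits WHERE id = $id");
    wp_send_json($rows);
}
function demo_preview() {
    echo '<p>Uploaded: ' . $_GET['filename'] . '</p>';
}
register_rest_route('demo/v1', '/keys', array('methods' => 'GET', 'callback' => 'demo_keys'));
"""

HARDENED = r"""<?php
add_action('wp_ajax_demo_report', 'demo_report');
add_action('wp_ajax_nopriv_demo_preview', 'demo_preview');
function demo_report() {
    global $wpdb;
    check_ajax_referer('demo_report_nonce', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    $id = absint($_POST['id']);
    $rows = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->prefix}demo_visits WHERE id = %d", $id));
    wp_send_json($rows);
}
function demo_preview() {
    echo '<p>Uploaded: ' . esc_html(wp_unslash($_GET['filename'])) . '</p>';
}
register_rest_route('demo/v1', '/keys', array('methods' => 'GET', 'callback' => 'demo_keys',
    'permission_callback' => function () { return current_user_can('manage_options'); }));
"""
```

Running audit(VULNERABLE) yields one finding per rule: the missing nonce and capability check on demo_report, the unprepared query on the line that splices $id in, the unescaped echo in demo_preview, and the REST route with no permission_callback; audit(HARDENED) returns nothing. Two limitations matter when using this on real plugin code: a value that passes through a helper function before reaching the query is not tracked, and a nopriv handler is skipped for the nonce and capability rules even though, as the miniOrange entry shows, an action that was never meant to be public may have been registered that way by mistake. Run it over every .php file in the plugin and read each hit against the surrounding code.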