
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,046 (Critical 0, High 3,046, Medium 0)
Showing 2781-2800 of 3046 records
Threat Entry Updated 2024-11-21

CVE-2021-24216 - All In One Wp Migration Plugin

The All-in-One WP Migration WordPress plugin before 7.41 does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations.

PLUGIN All In One Wp Migration

CVE-2021-24216

HIGH CVSS 7.2 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2022-0411 - Asgaros Forum Plugin

The Asgaros Forum WordPress plugin before 2.0.0 does not sanitise and escape the post_id parameter before using it in a SQL statement via a REST route of the plugin (accessible to any authenticated user), leading to a SQL injection.

PLUGIN Asgaros Forum

CVE-2022-0411

HIGH CVSS 8.8 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2022-23911 - Testimonial Plugin

The Testimonial WordPress plugin before 1.4.7 does not validate and escape the id parameter before using it in a SQL statement when retrieving a testimonial to edit, leading to a SQL injection.

PLUGIN Testimonial

CVE-2022-23911

HIGH CVSS 7.2 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2022-0383 - WP Review Slider Plugin

The WP Review Slider WordPress plugin before 11.0 does not sanitise and escape the pid parameter when copying a Twitter source, which could allow high privilege users to perform SQL injection attacks.

PLUGIN WP Review Slider

CVE-2022-0383

HIGH CVSS 7.2 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-24864 - WP Cloudy Plugin

The WP Cloudy weather plugin for WordPress before 4.4.9 does not escape the post_id parameter before using it in a SQL statement in the admin dashboard, leading to a SQL injection issue.

PLUGIN WP Cloudy

CVE-2021-24864

HIGH CVSS 8.8 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-24803 - Core Tweaks Wp Setup Plugin

The Core Tweaks WP Setup WordPress plugin through 4.1 allows bulk-setting many WordPress settings, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an attacker to arbitrarily change the admin email or create another admin account and take over the website via CSRF attacks.

PLUGIN Core Tweaks Wp Setup

CVE-2021-24803

HIGH CVSS 8.8 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-24704 - Orange Form Plugin

In the Orange Form WordPress plugin through 1.0, the process_bulk_action() function in "admin/orange-form-email.php" performs an unprepared SQL query with an unsanitized parameter ($id). Only an admin can access the page that invokes the function, but because of the lack of CSRF protection, it is still exploitable and could allow attackers to make a logged-in admin delete arbitrary posts, for example.

PLUGIN Orange Form

CVE-2021-24704

HIGH CVSS 8.8 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-24823 - Support Board Plugin

The Support Board WordPress plugin before 3.3.6 does not have any CSRF checks in actions handled by the include/ajax.php file, which could allow attackers to make logged-in users perform unwanted actions, for example making an admin delete arbitrary files.

PLUGIN Support Board

CVE-2021-24823

HIGH CVSS 8.1 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2022-25307 - Wp Statistics Plugin

The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the platform parameter found in the ~/includes/class-wp-statistics-hits.php file, which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a site's statistics, in versions up to and including 13.1.5.

PLUGIN Wp Statistics

CVE-2022-25307

HIGH CVSS 7.2 2022-02-24
Threat Entry Updated 2024-11-21

CVE-2022-25306 - Wp Statistics Plugin

The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the browser parameter found in the ~/includes/class-wp-statistics-visitor.php file, which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a site's statistics, in versions up to and including 13.1.5.

PLUGIN Wp Statistics

CVE-2022-25306

HIGH CVSS 7.2 2022-02-24
Threat Entry Updated 2024-11-21

CVE-2022-25305 - Wp Statistics Plugin

The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the IP parameter found in the ~/includes/class-wp-statistics-ip.php file, which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a site's statistics, in versions up to and including 13.1.5.

PLUGIN Wp Statistics

CVE-2022-25305

HIGH CVSS 7.2 2022-02-24
Threat Entry Updated 2024-11-21

CVE-2022-0134 - AnyComment Plugin

The AnyComment WordPress plugin before 0.2.18 does not have CSRF checks in the Import and Revert HyperComments features, allowing attackers to make a logged-in admin perform such actions via a CSRF attack.

PLUGIN AnyComment

CVE-2022-0134

HIGH CVSS 8.8 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2022-0255 - Database Backup For Plugin

The Database Backup for WordPress plugin before 2.5.1 does not properly sanitise and escape the fragment parameter before using it in a SQL statement in the admin dashboard, leading to a SQL injection issue.

PLUGIN Database Backup For

CVE-2022-0255

HIGH CVSS 7.2 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2022-0228 - Popup Builder Plugin

The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection.

PLUGIN Popup Builder

CVE-2022-0228

HIGH CVSS 7.2 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2021-4208 - Exportfeed Plugin

The ExportFeed WordPress plugin through 2.0.1.0 does not sanitise and escape the product_id POST parameter before using it in a SQL statement, leading to a SQL injection vulnerability exploitable by high privilege users.

PLUGIN Exportfeed

CVE-2021-4208

HIGH CVSS 7.2 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2021-25082 - Popup Builder Plugin

The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to an RCE vulnerability via wrappers such as PHAR.

PLUGIN Popup Builder

CVE-2021-25082

HIGH CVSS 8.8 2022-02-21
Threat Entry Updated 2025-03-21

CVE-2021-25069 - Download Manager Plugin

The Download Manager WordPress plugin before 3.2.34 does not sanitise and escape the package_ids parameter before using it in a SQL statement, leading to a SQL injection, which can also be exploited to cause a Reflected Cross-Site Scripting issue.

PLUGIN Download Manager

CVE-2021-25069

HIGH CVSS 8.8 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2021-4134 - Fancy Product Designer Plugin

The Fancy Product Designer WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the ID parameter found in the ~/inc/api/class-view.php file, which allows attackers with administrative level permissions to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 4.7.4.

PLUGIN Fancy Product Designer

CVE-2021-4134

HIGH CVSS 7.2 2022-02-16
Threat Entry Updated 2024-11-21

CVE-2022-0190 - Ad Invalid Click Protector (AICP) Plugin

The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.6 is affected by a SQL Injection in the id parameter of the delete action.

PLUGIN Ad Invalid Click Protector (AICP)

CVE-2022-0190

HIGH CVSS 8.8 2022-02-14
Threat Entry Updated 2024-11-21

CVE-2022-0214 - Custom Popup Builder Plugin

The Custom Popup Builder WordPress plugin before 1.3.1 autoloads data from its popup on every page; since such data can be sent by unauthenticated users and is not validated in length, this could cause a denial of service on the blog.

PLUGIN Custom Popup Builder

CVE-2022-0214

HIGH CVSS 7.5 2022-02-14