Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Severity filter: High (3,047 of 3,047 total; Critical 0, Medium 0). Showing 2901-2920 of 3047 records.
Threat Entry Updated 2024-11-21

CVE-2021-24546 - EditorsKit (Gutenberg Block Editor Toolkit) Plugin

The Gutenberg Block Editor Toolkit – EditorsKit WordPress plugin before 1.31.6 does not sanitise or validate the Conditional Logic of the Custom Visibility settings, allowing users with a role as low as Contributor to execute arbitrary PHP code.

PLUGIN EditorsKit

HIGH CVSS 8.8 2021-10-11
CVE-2021-24651 - Poll Maker Plugin

The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. The query result is not disclosed in the response, but a timing attack (time-based blind SQL injection) can be used to exfiltrate data such as password hashes.

PLUGIN Poll Maker

HIGH CVSS 7.5 2021-10-11
CVE-2021-24465 - Meow Gallery Plugin

The Meow Gallery WordPress plugin before 4.1.9 does not sanitise, validate or escape the ids attribute of its gallery shortcode (usable by users as low as Contributor) before using it in an SQL statement, leading to an authenticated SQL injection issue. The injection also allows the returned values to be manipulated in a way that could lead to data disclosure and to arbitrary objects being deserialised.

PLUGIN Meow Gallery

HIGH CVSS 8.1 2021-10-04
CVE-2021-34636 - WooCommerce Sales Timers Plugin

The Countdown and CountUp, WooCommerce Sales Timers WordPress plugin, in versions up to and including 1.5.7, is vulnerable to Cross-Site Request Forgery via the save_theme function in ~/includes/admin/coundown_theme_page.php: the handler performs no nonce check, so an attacker who lures a logged-in administrator to a malicious page can submit the form on their behalf and inject arbitrary web scripts.

PLUGIN WooCommerce Sales Timers

HIGH CVSS 8.8 2021-09-28
CVE-2021-24639 - OMGF Plugin

The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation or CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated user to delete arbitrary files or folders on the server.

PLUGIN OMGF

HIGH CVSS 8.1 2021-09-20
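The OMGF entry names three missing controls in one AJAX handler: CSRF protection, authorisation and path validation. The following is an added example, not the plugin's code, showing a hypothetical handler in that shape next to a hardened version. All hook, nonce, option and directory names are assumed for illustration; the cache root is placed under the uploads directory only as an example.

```php
<?php
// Added example; hypothetical names throughout (not the OMGF plugin's code).

// --- Vulnerable shape. wp_ajax_* hooks fire for every logged-in user, and
// the path comes straight from the request: no nonce, no capability check,
// no containment, so input such as "../../" reaches files outside the
// directory the feature was written for.
function vuln_ajax_empty_dir() {
    $dir = $_POST['path'];
    foreach ( glob( $dir . '/*' ) as $entry ) {
        if ( is_file( $entry ) ) {
            unlink( $entry );
        }
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_vuln_empty_dir', 'vuln_ajax_empty_dir' );

// --- Hardened handler. Assumes the admin page localised a nonce created
//     with wp_create_nonce( 'cache_empty_dir' ) and sends it as "nonce".
function safe_ajax_empty_dir() {
    // CSRF: a valid nonce for this action, else check_ajax_referer() dies with 403.
    check_ajax_referer( 'cache_empty_dir', 'nonce' );

    // Authorisation: a nonce proves intent, not privilege (a Subscriber can
    // obtain their own valid nonce), so the capability check is separate.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Containment: only directories under one fixed cache root may be emptied.
    $uploads   = wp_upload_dir();
    $base_real = realpath( trailingslashit( $uploads['basedir'] ) . 'cache-example' ); // assumed root
    $requested = isset( $_POST['path'] ) ? sanitize_text_field( wp_unslash( $_POST['path'] ) ) : '';
    $target    = ( false === $base_real ) ? false : realpath( trailingslashit( $base_real ) . $requested );

    // realpath() resolves ".." and symlinks; compare with a trailing slash so
    // "cache-example-evil" is not accepted as a prefix match of "cache-example".
    if ( false === $base_real || false === $target || ! is_dir( $target )
        || 0 !== strpos( trailingslashit( $target ), trailingslashit( $base_real ) ) ) {
        wp_send_json_error( 'path outside cache directory', 400 );
    }

    $removed = 0;
    $entries = glob( trailingslashit( $target ) . '*' );
    foreach ( ( $entries ? $entries : array() ) as $entry ) {
        if ( is_file( $entry ) && unlink( $entry ) ) {
            $removed++;
        }
    }
    wp_send_json_success( array( 'removed' => $removed ) );
}
add_action( 'wp_ajax_cache_empty_dir', 'safe_ajax_empty_dir' );
```

The order matters: the nonce check runs before any work, the capability check is independent of it, and the path check is done on the canonicalised path rather than on the raw string, so encoded or symlinked traversal collapses to the same comparison.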
CVE-2021-24636 - Print My Blog Plugin

The Print My Blog WordPress plugin before 3.4.2 does not enforce nonce (CSRF) checks, which allows attackers to make logged-in administrators deactivate the Print My Blog plugin and delete all of its saved data by tricking them into opening a malicious link.

PLUGIN Print My Blog

HIGH CVSS 8.1 2021-09-20
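The two CSRF entries above (CVE-2021-34636, a form-submitted save_theme handler, and CVE-2021-24636, a link-triggered deactivate-and-delete action) share one root cause: a state-changing admin action that trusts the logged-in session alone. The following is an added example, not code from either plugin, showing a hypothetical handler in that shape beside a hardened version for both the form case and the link case. All function, option, action and nonce names are assumed for illustration.

```php
<?php
// Added example; hypothetical names throughout (not code from either plugin).

// --- Vulnerable shape: a form handler with no nonce and no capability check.
// A logged-in administrator who visits an attacker's page can be made to
// submit this form; the raw value is stored and later rendered in wp-admin,
// which is how a CSRF becomes stored XSS.
function vuln_save_theme() {
    update_option( 'ct_theme_css', $_POST['theme_css'] ); // CSRF + unsanitised input
}
add_action( 'admin_post_vuln_save_theme', 'vuln_save_theme' );

// --- Hardened form handler. Assumes the form printed
//     wp_nonce_field( 'ct_save_theme', 'ct_nonce' ) alongside its fields.
function safe_save_theme() {
    // Authorisation first: the caller must be allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF: the nonce is tied to this action and to the user's session, so a
    // cross-site form cannot supply a valid one. Dies with 403 on failure.
    check_admin_referer( 'ct_save_theme', 'ct_nonce' );
    // Sanitise for the storage context; escape again on output.
    $css = isset( $_POST['theme_css'] )
        ? wp_strip_all_tags( wp_unslash( $_POST['theme_css'] ) )
        : '';
    update_option( 'ct_theme_css', $css );
    wp_safe_redirect( admin_url( 'admin.php?page=ct-theme&saved=1' ) );
    exit;
}
add_action( 'admin_post_ct_save_theme', 'safe_save_theme' );

// --- Link-triggered destructive actions (the "deactivate and delete all
//     data" case) need the same protection: mint the link with a nonce ...
function ct_delete_all_link() {
    $url = add_query_arg( 'action', 'ct_delete_all', admin_url( 'admin-post.php' ) );
    return wp_nonce_url( $url, 'ct_delete_all', 'ct_nonce' );
}

// ... and verify it before doing anything irreversible.
function safe_delete_all() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'ct_delete_all', 'ct_nonce' );
    delete_option( 'ct_theme_css' ); // hypothetical stored data
    deactivate_plugins( plugin_basename( __FILE__ ) );
    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}
add_action( 'admin_post_ct_delete_all', 'safe_delete_all' );
```

A nonce is not a substitute for the capability check: any logged-in user can obtain a valid nonce for their own session, so the nonce only proves the request originated from a page this user loaded, while current_user_can() decides whether that user may perform the action at all.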
CVE-2021-24663 - Simple Schools Staff Directory Plugin

The Simple Schools Staff Directory WordPress plugin through 1.1 does not validate uploaded logo pictures to ensure that they are indeed images, allowing high-privilege users such as administrators to upload arbitrary files such as PHP scripts, leading to RCE.

PLUGIN Simple Schools Staff Directory

HIGH CVSS 7.2 2021-09-20
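The logo-upload entry above describes the classic image-upload-to-RCE path: the file name and contents are trusted, so a .php file lands in a web-reachable directory. The following is an added example, not the plugin's code, contrasting that shape with an upload that allow-lists image types and checks the bytes. Function, option, nonce and directory names are assumed for illustration.

```php
<?php
// Added example; hypothetical names throughout (not the plugin's code).

// --- Vulnerable shape: the client-supplied name and content are trusted,
// so "logo.php" is written under uploads/ and executes when requested.
function vuln_save_logo() {
    $uploads = wp_upload_dir();
    $dest    = $uploads['basedir'] . '/staff-logos/' . $_FILES['logo']['name'];
    move_uploaded_file( $_FILES['logo']['tmp_name'], $dest );
    return $dest;
}

// --- Hardened upload. Assumes the form carries
//     wp_nonce_field( 'staff_logo', 'staff_nonce' ).
function safe_save_logo() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    check_admin_referer( 'staff_logo', 'staff_nonce' );
    if ( empty( $_FILES['logo']['tmp_name'] ) || UPLOAD_ERR_OK !== $_FILES['logo']['error'] ) {
        return new WP_Error( 'no_file', 'No file uploaded.' );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // Allow-list of extensions and MIME types. Nothing else is accepted,
    // regardless of what the browser claimed in Content-Type.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // Checks the extension against the allow-list and, for images, that the
    // file content really is that image type.
    $check = wp_check_filetype_and_ext( $_FILES['logo']['tmp_name'], $_FILES['logo']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Logo must be a JPEG, PNG or GIF image.' );
    }
    // The image decoder must agree that it is an image.
    if ( false === @getimagesize( $_FILES['logo']['tmp_name'] ) ) {
        return new WP_Error( 'bad_image', 'File is not a valid image.' );
    }

    // wp_handle_upload() re-validates against 'mimes', sanitises the file
    // name and moves the file into the uploads tree with a safe name.
    $result = wp_handle_upload(
        $_FILES['logo'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    update_option( 'staff_dir_logo', $result['url'] );
    return $result['url'];
}
```

The decisive control is the extension allow-list: the web server decides whether to execute a file by its name, not by its bytes, so a valid image carrying PHP in a comment is harmless as logo.gif but not as logo.php. The content check is defence in depth against files that are not images at all.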
CVE-2021-24606 - Availability Calendar Plugin

The Availability Calendar WordPress plugin before 1.2.1 does not escape the category attribute of its shortcode before using it in a SQL statement, leading to a SQL injection issue that can be exploited by any user able to add shortcodes to posts or pages, such as Contributor and above.

PLUGIN Availability Calendar

HIGH CVSS 8.8 2021-09-20
CVE-2021-24404 - WP-Board Plugin

The options.php file of the WP-Board WordPress plugin through 1.1 beta accepts a postid parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. This is a time-based SQLi: the vulnerable parameter is used twice in the same function, so a payload that sleeps for 5 seconds takes 10 seconds to return because the query runs twice.

PLUGIN WP-Board

HIGH CVSS 8.8 2021-09-20
CVE-2021-24511 - Product Feed on WooCommerce Plugin

The fetch_product_ajax functionality in the Product Feed on WooCommerce WordPress plugin before 3.3.1.0 uses a `product_id` POST parameter which is not properly sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

PLUGIN Product Feed on WooCommerce

HIGH CVSS 7.2 2021-09-20
CVE-2021-24403 - WordPress Page Contact Plugin

The Orders functionality in the WordPress Page Contact plugin through 1.0 has an order_id parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. The feature is available to low-privilege users such as contributors.

PLUGIN WordPress Page Contact

HIGH CVSS 7.2 2021-09-20
CVE-2021-24402 - WP iCommerce Plugin

The Orders functionality in the WP iCommerce WordPress plugin through 1.1.1 has an `order_id` parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. The feature is available to low-privilege users such as contributors.

PLUGIN WP iCommerce

HIGH CVSS 7.2 2021-09-20
CVE-2021-24401 - WP Domain Redirect Plugin

The Edit domain functionality in the WP Domain Redirect WordPress plugin through 1.0 has an `editid` parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

PLUGIN WP Domain Redirect

HIGH CVSS 7.2 2021-09-20
CVE-2021-24400 - Display Users Plugin

The Edit Role functionality in the Display Users WordPress plugin through 2.0.0 has an `id` parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

PLUGIN Display Users

HIGH CVSS 7.2 2021-09-20
CVE-2021-24399 - The Sorter Plugin

The check_order function of The Sorter WordPress plugin through 1.0 uses an `area_id` parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

PLUGIN The Sorter

HIGH CVSS 7.2 2021-09-20
CVE-2021-24398 - Responsive 3D Slider Plugin

The Add new scene functionality in the Responsive 3D Slider WordPress plugin through 1.2 uses an id parameter which is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection. This is a time-based SQLi: the vulnerable parameter is used twice in the same function, so a payload that sleeps for 5 seconds takes 10 seconds to return because the query runs twice.

PLUGIN Responsive 3D Slider

HIGH CVSS 7.2 2021-09-20
CVE-2021-24397 - MicroCopy Plugin

The edit functionality in the MicroCopy WordPress plugin through 1.1.0 makes a GET request to fetch the related option. The id parameter it uses is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

PLUGIN MicroCopy

HIGH CVSS 7.2 2021-09-20
CVE-2021-24396 - GSEOR Plugin

A pageid GET parameter of the GSEOR – WordPress SEO Plugin WordPress plugin through 1.3 is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

PLUGIN GSEOR

HIGH CVSS 7.2 2021-09-20
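Most entries on this page (Poll Maker, Meow Gallery, Availability Calendar, WP-Board, Product Feed on WooCommerce, and the run from WordPress Page Contact through GSEOR) are the same bug: a request value or shortcode attribute inserted into a $wpdb query without preparation. The following is an added example, not any of these plugins' code. It shows the vulnerable shape, including why a parameter that is used twice makes a 5-second SLEEP payload take 10 seconds, then the hardened form using $wpdb->prepare() for a single id and for the shortcode cases (a comma-separated ids list and a free-text category attribute). Table, function and shortcode names are assumed for illustration.

```php
<?php
// Added example; hypothetical table and function names (not any plugin's code).

// --- Vulnerable shape. The request value is interpolated twice, which is
// why a time-based payload such as  1 AND SLEEP(5)  returns after ~10 s:
// both statements run and both sleep. No result needs to be visible for
// an attacker to read data one timing question at a time.
function vuln_board_post( $postid ) {
    global $wpdb;
    $table = $wpdb->prefix . 'board';
    $post  = $wpdb->get_row( "SELECT * FROM $table WHERE id = $postid" );
    $views = $wpdb->get_var( "SELECT views FROM $table WHERE id = $postid" );
    return array( $post, $views );
}

// --- Hardened version: validate the type, then let prepare() do the quoting.
function safe_board_post( $postid ) {
    global $wpdb;
    $postid = absint( $postid ); // a post id is a non-negative integer, nothing else
    if ( 0 === $postid ) {
        return null;
    }
    $table = $wpdb->prefix . 'board'; // identifiers cannot be prepared; keep them constant
    $post  = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $postid ) );
    $views = $wpdb->get_var( $wpdb->prepare( "SELECT views FROM {$table} WHERE id = %d", $postid ) );
    return array( $post, $views );
}

// --- Shortcode attributes are attacker input too: Contributor and above can
// place shortcodes in posts. A comma-separated "ids" list needs one %d
// placeholder per value; a free-text "category" needs %s.
function safe_gallery_shortcode( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'ids' => '', 'category' => '' ), $atts, 'example_gallery' );

    // Every id becomes an int; zeros (non-numeric junk) are dropped.
    $ids = array_values( array_filter( array_map( 'absint', explode( ',', $atts['ids'] ) ) ) );
    if ( empty( $ids ) ) {
        return '';
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_type = 'attachment' AND ID IN ({$placeholders})";
    $args = $ids;
    if ( '' !== $atts['category'] ) {
        $sql   .= ' AND post_excerpt = %s';
        $args[] = sanitize_text_field( $atts['category'] );
    }
    // prepare() accepts the argument list as an array.
    $rows = $wpdb->get_results( $wpdb->prepare( $sql, $args ) );

    $out = '';
    foreach ( $rows as $row ) {
        // Output escaping is a separate control from query preparation.
        $out .= '<li>' . esc_html( $row->post_title ) . '</li>';
    }
    return '' === $out ? '' : "<ul>{$out}</ul>";
}
add_shortcode( 'example_gallery', 'safe_gallery_shortcode' );
```

Two points carry over to any of the listed plugins: prepare() handles values, not identifiers, so table and column names must stay constants or come from an allow-list; and the Poll Maker and WP-Board entries show that hiding the query result does not remove the injection, since response time is itself a channel.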