Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 2941-2960 of 3047 records
Threat Entry Updated 2024-11-21

CVE-2021-24579 - Grid Ajax Action Of The Bold Page Builder Plugin

The bt_bb_get_grid AJAX action of the Bold Page Builder WordPress plugin before 3.1.6 passes user input into the unserialize() function without any validation or sanitisation, which could lead to a PHP Object Injection. Even though the plugin did not contain a suitable gadget to fully exploit the issue, other installed plugins on the blog could allow such an issue to be exploited and lead to RCE in some cases.

PLUGIN Grid Ajax Action Of The Bold Page Builder

CVE-2021-24579

HIGH CVSS 8.8 2021-08-30
Threat Entry Updated 2024-11-21

CVE-2021-24565 - Before 0 Plugin

The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing an attacker to make a logged-in user with the manage_options capability change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue.

PLUGIN Before 0

CVE-2021-24565

HIGH CVSS 8.8 2021-08-23
Threat Entry Updated 2024-11-21

CVE-2021-24562 - Learning Management System Plugin

The LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.2 was affected by an IDOR issue, allowing students to see other students' answers and grades.

PLUGIN Learning Management System

CVE-2021-24562

HIGH CVSS 7.5 2021-08-23
Threat Entry Updated 2024-11-21

CVE-2021-24506 - Before 8 Plugin

The Slider Hero with Animation, Video Background & Intro Maker WordPress plugin before 8.2.7 does not sanitise or escape the id attribute of its hero-button shortcode before using it in a SQL statement, allowing users with a role as low as Contributor to perform SQL injection.

PLUGIN Before 8

CVE-2021-24506

HIGH CVSS 8.8 2021-08-23
Threat Entry Updated 2024-11-21

CVE-2021-24554 - Paytm Pay Plugin

The Paytm – Donation Plugin WordPress plugin through 1.3.2 does not sanitise, validate or escape the id GET parameter before using it in a SQL statement when deleting donations, leading to an authenticated SQL injection issue.

PLUGIN Paytm Pay

CVE-2021-24554

HIGH CVSS 7.2 2021-08-23
Threat Entry Updated 2024-11-21

CVE-2021-24553 - Timeline Calendar Plugin

The Timeline Calendar WordPress plugin through 1.2 does not sanitise, validate or escape the edit GET parameter before using it in a SQL statement when editing events, leading to an authenticated SQL injection issue. Other SQL injections are also present in the plugin.

PLUGIN Timeline Calendar

CVE-2021-24553

HIGH CVSS 7.2 2021-08-23
Threat Entry Updated 2024-11-21

CVE-2021-24552 - Simple Events Calendar Plugin

The Simple Events Calendar WordPress plugin through 1.4.0 does not sanitise, validate or escape the event_id POST parameter before using it in a SQL statement when deleting events, leading to an authenticated SQL injection issue.

PLUGIN Simple Events Calendar

CVE-2021-24552

HIGH CVSS 7.2 2021-08-23
Threat Entry Updated 2024-11-21

CVE-2021-24550 - Broken Link Manager Plugin

The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise, validate or escape the url GET parameter before using it in a SQL statement when retrieving a URL to edit, leading to an authenticated SQL injection issue.

PLUGIN Broken Link Manager

CVE-2021-24550

HIGH CVSS 7.2 2021-08-23
Threat Entry Updated 2024-11-21

CVE-2021-24497 - Giveaway Plugin

The Giveaway WordPress plugin through 1.2.2 is vulnerable to an SQL Injection issue which allows an administrative user to execute arbitrary SQL commands via the $post_id on the options.php page.

PLUGIN Giveaway

CVE-2021-24497

HIGH CVSS 7.2 2021-08-23
Threat Entry Updated 2024-11-21

CVE-2021-34645 - Wp Easycart Plugin

The Shopping Cart & eCommerce Store WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_currency_settings function found in the ~/admin/inc/wp_easycart_admin_initial_setup.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 5.1.0.

PLUGIN Wp Easycart

CVE-2021-34645

HIGH CVSS 8.8 2021-08-19
Threat Entry Updated 2024-11-21

CVE-2021-24521 - Add Sticky Fixed Buttons Plugin

The Side Menu Lite – add sticky fixed buttons WordPress plugin before 2.2.1 does not properly sanitize input values from the browser when building an SQL statement. Users with the administrator role or permission to manage this plugin could perform an SQL Injection attack.

PLUGIN Add Sticky Fixed Buttons

CVE-2021-24521

HIGH CVSS 7.2 2021-08-09
Threat Entry Updated 2024-11-21

CVE-2021-24520 - Out Of Stock Message For Woocommerce Plugin

The Stock in & out WordPress plugin through 1.0.4 lacks proper sanitization before passing variables to an SQL request, making it vulnerable to SQL Injection attacks. Users with a role of contributor or higher can exploit this vulnerability.

PLUGIN Out Of Stock Message For Woocommerce

CVE-2021-24520

HIGH CVSS 8.8 2021-08-09
Threat Entry Updated 2024-11-21

CVE-2021-24501 - Before 2 Theme

The Workreap WordPress theme before 2.2.2 had several AJAX actions missing authorization checks to verify that a user was authorized to perform critical operations such as modifying or deleting objects. This allowed a logged in user to modify or delete objects belonging to other users on the site.

THEME Before 2

CVE-2021-24501

HIGH CVSS 8.1 2021-08-09
Threat Entry Updated 2024-11-21

CVE-2021-24500 - Several Ajax Actions Available In The Workreap Theme

Several AJAX actions available in the Workreap WordPress theme before 2.2.2 lacked CSRF protections, as well as allowing insecure direct object references that were not validated. This allows an attacker to trick a logged in user to submit a POST request to the vulnerable site, potentially modifying or deleting arbitrary objects on the target site.

THEME Several Ajax Actions Available In The Workreap

CVE-2021-24500

HIGH CVSS 8.1 2021-08-09
Threat Entry Updated 2024-11-21

CVE-2021-34634 - Sola Newsletters Plugin

The Nifty Newsletters WordPress plugin is vulnerable to Cross-Site Request Forgery via the sola_nl_wp_head function found in the ~/sola-newsletters.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.23.

PLUGIN Sola Newsletters

CVE-2021-34634

HIGH CVSS 8.8 2021-08-05
Threat Entry Updated 2024-11-21

CVE-2021-34633 - Youtube Feeder Plugin

The Youtube Feeder WordPress plugin is vulnerable to Cross-Site Request Forgery via the printAdminPage function found in the ~/youtube-feeder.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.1.

PLUGIN Youtube Feeder

CVE-2021-34633

HIGH CVSS 8.8 2021-08-05
Threat Entry Updated 2024-11-21

CVE-2021-34631 - Newsplugin

The NewsPlugin WordPress plugin is vulnerable to Cross-Site Request Forgery via the handle_save_style function found in the ~/news-plugin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.18.

PLUGIN Newsplugin

CVE-2021-34631

HIGH CVSS 8.8 2021-08-05
Threat Entry Updated 2024-11-21

CVE-2021-34637 - Post Index Plugin

The Post Index WordPress plugin is vulnerable to Cross-Site Request Forgery via the OptionsPage function found in the ~/php/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.5.

PLUGIN Post Index

CVE-2021-34637

HIGH CVSS 8.8 2021-08-02