
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-21

CVE-2021-24194 - Login Protection - Limit Failed Login Attempts Plugin

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Login Protection - Limit Failed Login Attempts WordPress plugin before 2.9 to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugins on the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

PLUGIN Login Protection - Limit Failed Login Attempts

CVE-2021-24194

HIGH CVSS 8.8 2021-05-14
Threat Entry Updated 2024-11-21

CVE-2021-24193 - Visitor Traffic Real Time Statistics Plugin

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12 to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugins on the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

PLUGIN Visitor Traffic Real Time Statistics

CVE-2021-24193

HIGH CVSS 8.8 2021-05-14
Threat Entry Updated 2024-11-21

CVE-2021-24192 - Tree Sitemap Plugin

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Tree Sitemap WordPress plugin before 2.9 to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugins on the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

PLUGIN Tree Sitemap

CVE-2021-24192

HIGH CVSS 8.8 2021-05-14
Threat Entry Updated 2024-11-21

CVE-2021-24191 - WP Maintenance Mode & Site Under Construction Plugin

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Maintenance Mode & Site Under Construction WordPress plugin before 1.8.2 to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugins on the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

PLUGIN WP Maintenance Mode & Site Under Construction

CVE-2021-24191

HIGH CVSS 8.8 2021-05-14
Threat Entry Updated 2024-11-21

CVE-2021-24190 - WooCommerce Conditional Marketing Mailer Plugin

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WooCommerce Conditional Marketing Mailer WordPress plugin before 1.5.2 to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugins on the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

PLUGIN WooCommerce Conditional Marketing Mailer

CVE-2021-24190

HIGH CVSS 8.8 2021-05-14
Threat Entry Updated 2024-11-21

CVE-2021-24189 - Captchinoo (Google Recaptcha For Admin Login Page) Plugin

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Captchinoo, Google recaptcha for admin login page WordPress plugin before 2.4 to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugins on the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

PLUGIN Captchinoo (Google Recaptcha For Admin Login Page)

CVE-2021-24189

HIGH CVSS 8.8 2021-05-14
Threat Entry Updated 2024-11-21

CVE-2021-24188 - WP Content Copy Protection & No Right Click Plugin

Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WP Content Copy Protection & No Right Click WordPress plugin before 3.1.5 to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugins on the blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.

PLUGIN WP Content Copy Protection & No Right Click

CVE-2021-24188

HIGH CVSS 8.8 2021-05-14
Threat Entry Updated 2024-11-21

CVE-2021-24253 - Classyfrieds Plugin

The Classyfrieds WordPress plugin through 3.8 does not properly check the uploaded file when an authenticated user adds a listing, only checking the content-type in the request. This allows any authenticated user to upload arbitrary PHP files via the Add Listing feature of the plugin, leading to RCE.

PLUGIN Classyfrieds

CVE-2021-24253

HIGH CVSS 8.8 2021-05-06
Threat Entry Updated 2024-11-21

CVE-2021-24179 - Easy Listing Directories For Wordpress Plugin

The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator import files. As the plugin also did not validate uploaded files, it could lead to RCE.

PLUGIN Easy Listing Directories For Wordpress

CVE-2021-24179

HIGH CVSS 8.8 2021-05-06
Threat Entry Updated 2024-11-21

CVE-2021-24178 - Easy Listing Directories For Wordpress Plugin

The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues.

PLUGIN Easy Listing Directories For Wordpress

CVE-2021-24178

HIGH CVSS 8.8 2021-05-06
Threat Entry Updated 2024-11-21

CVE-2021-24254 - College Publisher Import Plugin

The College Publisher Import WordPress plugin through 0.1 does not validate the uploaded CSV file to import, allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE. Due to the lack of a CSRF check, the issue could also be exploited via a CSRF attack.

PLUGIN College Publisher Import

CVE-2021-24254

HIGH CVSS 7.2 2021-05-06
Threat Entry Updated 2024-11-21

CVE-2021-24252 - Event Banner Plugin

The Event Banner WordPress plugin through 1.3 does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or other executables, leading to RCE. Due to the lack of a CSRF check, the issue can also be exploited via that vector to achieve the same result, or via an LFI, as authorisation checks are missing (but this would require WP to be loaded).

PLUGIN Event Banner

CVE-2021-24252

HIGH CVSS 7.2 2021-05-06
Threat Entry Updated 2024-11-21

CVE-2021-24248 - Easy Listing Directories For Wordpress Plugin

The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 did not properly check imported files, forbidding only certain extensions via a blacklist approach, allowing an administrator to import an archive with a .php4 file inside, for example, leading to RCE.

PLUGIN Easy Listing Directories For Wordpress

CVE-2021-24248

HIGH CVSS 7.2 2021-05-06
Threat Entry Updated 2024-11-21

CVE-2021-29447 - WordPress Core

WordPress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires the WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.

CORE WordPress Core

CVE-2021-29447

HIGH CVSS 7.1 2021-04-15
Threat Entry Updated 2024-11-21

CVE-2021-24230 - Patreon Plugin

The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged in user overwrite or create arbitrary user metadata on the victim's account once a crafted page is visited. If exploited, this bug can be used to overwrite the "wp_capabilities" meta, which contains the affected user account's roles and privileges. Doing this would essentially lock them out of the site, blocking them from accessing paid content.

PLUGIN Patreon

CVE-2021-24230

HIGH CVSS 8.1 2021-04-12
Threat Entry Updated 2024-11-21

CVE-2021-24224 - Easy Form Builder By Bitware Plugin

The EFBP_verify_upload_file AJAX action of the Easy Form Builder WordPress plugin through 1.0, available to authenticated users, does not have any security in place to verify uploaded files, allowing low privilege users to upload arbitrary files, leading to RCE.

PLUGIN Easy Form Builder By Bitware

CVE-2021-24224

HIGH CVSS 8.8 2021-04-12
Threat Entry Updated 2024-11-21

CVE-2021-24221 - Quiz And Survey Master Plugin

The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the result_id GET parameter on pages with the [qsm_result] shortcode without an id attribute, concatenating it into a SQL statement and leading to SQL injection. Since the lowest role allowed to use this shortcode in posts or pages is author, such a user could gain unauthorised access to the DBMS. If the shortcode (without the id attribute) is embedded on a public page or post, then unauthenticated users could exploit the injection.

PLUGIN Quiz And Survey Master

CVE-2021-24221

HIGH CVSS 8.8 2021-04-12
Threat Entry Updated 2024-11-21

CVE-2021-24218 - Facebook for WordPress Plugin

The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization, allowing script tags to be saved.

PLUGIN Facebook for WordPress

CVE-2021-24218

HIGH CVSS 8.8 2021-04-12
Threat Entry Updated 2024-11-21

CVE-2021-24217 - Facebook for WordPress Plugin

The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data, making it possible for PHP objects to be supplied and creating an Object Injection vulnerability. There was also a usable magic method in the plugin that could be leveraged to achieve remote code execution.

PLUGIN Facebook for WordPress

CVE-2021-24217

HIGH CVSS 8.1 2021-04-12