"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,047 | Critical: 0 | High: 3,047 | Medium: 0

Showing 3021-3040 of 3047 records
Threat Entry Updated 2024-11-21

CVE-2021-24227 - Patreon Plugin (Local File Disclosure)

The Jetpack Scan team identified a Local File Disclosure vulnerability in the Patreon WordPress plugin before 1.7.0 that could be abused by anyone visiting the site. Using this attack vector, an attacker could leak important internal files like wp-config.php, which contains database credentials and cryptographic keys used in the generation of nonces and cookies.

PLUGIN Patreon

CVE-2021-24227

HIGH CVSS 7.5 2021-04-12
Threat Entry Updated 2024-11-21

CVE-2021-24226 - AccessAlly Plugin

In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php" responsible for the [accessally_order_form] shortcode is dumping serialize($_SERVER), which contains all environment variables. The leakage occurs on all public facing pages containing the [accessally_order_form] shortcode; no login or administrator role is required.

PLUGIN AccessAlly

CVE-2021-24226

HIGH CVSS 7.5 2021-04-12
Threat Entry Updated 2024-11-21

CVE-2021-24198 - wpDataTables – Tables & Table Charts Premium Plugin

The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper with the id_key and id_val parameters to delete the data of another user present in the same table. By exploiting this issue an attacker is able to delete the data of all users in the same table.

PLUGIN wpDataTables – Tables & Table Charts Premium

CVE-2021-24198

HIGH CVSS 8.1 2021-04-12
Threat Entry Updated 2024-11-21

CVE-2021-24197 - wpDataTables – Tables & Table Charts Premium Plugin

The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper with the formdata[wdt_ID] parameter to take over another user's permissions on the table and access that user's data in the same table. By exploiting this issue an attacker is able to access and manage the data of all users in the same table.

PLUGIN wpDataTables – Tables & Table Charts Premium

CVE-2021-24197

HIGH CVSS 8.1 2021-04-12
Threat Entry Updated 2024-11-21

CVE-2021-24209 - WP Super Cache Plugin

The WP Super Cache WordPress plugin before 1.7.2 was affected by an authenticated (admin+) RCE in the settings page due to input validation failure and a weak $cache_path check in the WP Super Cache Settings -> Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for a web shell injection.

PLUGIN WP Super Cache

CVE-2021-24209

HIGH CVSS 7.2 2021-04-05
Threat Entry Updated 2024-11-21

CVE-2021-24184 - Tutor LMS – eLearning and Online Course Solution Plugin

Several AJAX endpoints in the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 were unprotected, allowing students to modify course information and elevate their privileges, among many other actions.

PLUGIN Tutor LMS – eLearning and Online Course Solution

CVE-2021-24184

HIGH CVSS 8.8 2021-04-05
Threat Entry Updated 2024-11-21

CVE-2021-24174 - Database Backups Plugin

The Database Backups WordPress plugin through 1.2.2.6 does not have CSRF checks, allowing attackers to make a logged-in user perform unwanted actions, such as generating backups of the database, changing the plugin's settings and deleting backups.

PLUGIN Database Backups

CVE-2021-24174

HIGH CVSS 8.1 2021-04-05
Threat Entry Updated 2024-11-21

CVE-2021-24163 - Ninja Forms Contact Form Plugin

The AJAX action wp_ajax_ninja_forms_sendwp_remote_install_handler in the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had neither a capability check nor nonce protection. This made it possible for low-level users, such as subscribers, to install and activate the SendWP plugin and retrieve the client_secret key needed to establish the SendWP connection.

PLUGIN Ninja Forms Contact Form

CVE-2021-24163

HIGH CVSS 8.8 2021-04-05
Threat Entry Updated 2024-11-21

CVE-2021-24162 - Responsive Menu Plugin

In the Responsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to include malicious JavaScript, therefore allowing an attacker to inject payloads that could aid in further infection of the site.

PLUGIN Responsive Menu

CVE-2021-24162

HIGH CVSS 8.8 2021-04-05
Threat Entry Updated 2024-11-21

CVE-2021-24161 - Responsive Menu Plugin

In the Responsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into uploading a zip archive containing malicious PHP files. The attacker could then access those files to achieve remote code execution and further infect the targeted site.

PLUGIN Responsive Menu

CVE-2021-24161

HIGH CVSS 8.8 2021-04-05
Threat Entry Updated 2024-11-21

CVE-2021-24160 - Responsive Menu Plugin

In the Responsive Menu (free and Pro) WordPress plugins before 4.0.4, subscribers could upload zip archives containing malicious PHP files that would get extracted to the /rmp-menu/ directory. These files could then be accessed via the front end of the site to trigger remote code execution and ultimately allow an attacker to execute commands to further infect a WordPress site.

PLUGIN Responsive Menu

CVE-2021-24160

HIGH CVSS 8.8 2021-04-05
Threat Entry Updated 2024-11-21

CVE-2021-24159 - Contact Form 7 Style Plugin

Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPress plugin through 3.1.9. If an attacker successfully tricked a site's administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript.

PLUGIN Contact Form 7 Style

CVE-2021-24159

HIGH CVSS 8.8 2021-04-05
Threat Entry Updated 2024-11-21

CVE-2021-24170 - User Profile Picture Plugin

The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information.

PLUGIN User Profile Picture

CVE-2021-24170

HIGH CVSS 7.5 2021-04-05
Threat Entry Updated 2024-11-21

CVE-2021-24150 - LikeBtn WordPress Like Button Rating Plugin

The LikeBtn WordPress Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.32 was vulnerable to Unauthenticated Full-Read Server-Side Request Forgery (SSRF).

PLUGIN LikeBtn WordPress Like Button Rating

CVE-2021-24150

HIGH CVSS 7.5 2021-04-05
Threat Entry Updated 2024-11-21

CVE-2021-24155 - Backup Guard Plugin

The WordPress Backup and Migrate Plugin – Backup Guard WordPress plugin before 1.6.0 did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE.

PLUGIN Backup Guard

CVE-2021-24155

HIGH CVSS 7.2 2021-04-05
Threat Entry Updated 2024-11-21

CVE-2021-21389 - BuddyPress Plugin

BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress from 5.0.0 before 7.2.1 it's possible for a non-privileged, regular user to obtain administrator rights by exploiting an issue in the REST API members endpoint. The vulnerability has been fixed in BuddyPress 7.2.1. Existing installations of the plugin should be updated to this version to mitigate the issue.

PLUGIN BuddyPress

CVE-2021-21389

HIGH CVSS 8.1 2021-03-26
Threat Entry Updated 2024-11-21

CVE-2021-24149 - Modern Events Calendar Lite Plugin (Unvalidated Input)

Unvalidated input in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.6, did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an author+, leading to an authenticated SQL Injection issue.

PLUGIN Modern Events Calendar Lite

CVE-2021-24149

HIGH CVSS 8.8 2021-03-18
Threat Entry Updated 2024-11-21

CVE-2021-24146 - Modern Events Calendar Lite Plugin (Lack of Authorisation Checks)

Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to export all event data, for example in CSV or XML format.

PLUGIN Modern Events Calendar Lite

CVE-2021-24146

HIGH CVSS 7.5 2021-03-18
Threat Entry Updated 2024-11-21

CVE-2021-24145 - Modern Events Calendar Lite Plugin (Arbitrary File Upload)

Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP files to be uploaded by administrators by using the 'text/csv' content-type in the request.

PLUGIN Modern Events Calendar Lite

CVE-2021-24145

HIGH CVSS 7.2 2021-03-18