{"vulnerability": "CVE-2021-2478", "sightings": [{"uuid": "c6701a02-3f53-43cc-9374-d439508933cb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24786", "type": "seen", "source": "MISP/50b5e33f-6d58-4100-9a38-c66a7870dc81", "content": "", "creation_timestamp": "2024-10-21T15:07:32.000000Z"}, {"uuid": "a9b11265-0361-41ea-bcca-f72d2560e793", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24787", "type": "seen", "source": "https://t.me/cibsecurity/32494", "content": "\u203c CVE-2021-24787 \u203c\n\nThe Client Invoicing by Sprout Invoices WordPress plugin before 19.9.7 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-11-17T16:26:39.000000Z"}, {"uuid": "eded78f3-ae95-4c78-b737-afefe40c12a9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24786", "type": "seen", "source": "https://bsky.app/profile/beikokucyber.bsky.social/post/3mdloqb7oo72i", "content": "", "creation_timestamp": "2026-01-29T21:02:28.062139Z"}, {"uuid": "6137f845-4914-47e1-8021-f47978e77db8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24786", "type": "seen", "source": "https://t.me/cibsecurity/34850", "content": "\u203c CVE-2021-24786 \u203c\n\nThe Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the \"orderby\" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-01-03T16:44:00.000000Z"}, {"uuid": "7f6e33a8-ce86-4dcc-be94-07202e9ca98c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24782", "type": "seen", "source": "https://t.me/cibsecurity/33797", "content": "\u203c CVE-2021-24782 \u203c\n\nThe Flex Local Fonts WordPress plugin through 1.0.0 does not escape the Class Name field when adding a font, which could allow hight privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-12-13T14:22:02.000000Z"}, {"uuid": "72bf0a24-0c49-4683-9c8c-8147abb5aa44", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24784", "type": "seen", "source": "https://t.me/cibsecurity/33814", "content": "\u203c CVE-2021-24784 \u203c\n\nThe WP Admin Logo Changer WordPress plugin through 1.0 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin update them via a CSRF attack.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-12-13T14:24:11.000000Z"}, {"uuid": "e214b721-75b6-459c-9a9a-32d2d5a39642", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24780", "type": "seen", "source": "https://t.me/cibsecurity/33823", "content": "\u203c CVE-2021-24780 \u203c\n\nThe Single Post Exporter WordPress plugin through 1.1.1 does not have CSRF checks when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and give access to the export feature to any role such as subscriber. Subscriber users would then be able to export an arbitrary post/page (such as private and password protected) via a direct URL\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-12-13T14:25:50.000000Z"}, {"uuid": "0d77b971-25f0-414c-91c9-c2304cd134b3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24789", "type": "seen", "source": "https://t.me/cibsecurity/31518", "content": "\u203c CVE-2021-24789 \u203c\n\nThe Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-11-01T11:20:55.000000Z"}]}