Latest CVE Feed

Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
  • 5.4

    MEDIUM
    CVE-2021-24950

    The Insight Core WordPress plugin through 1.0 does not have any authorisation and CSRF checks in the insight_customizer_options_import (available to any authenticated user), does not validate user input before passing it to unserialize(), nor sanitise and... Read more

    Affected Products : insight_core
    • EPSS Score: %0.14
    • Published: Mar. 14, 2022
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-24949

    The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection... Read more

    Affected Products : the_plus_addons_for_elementor
    • EPSS Score: %1.50
    • Published: Jan. 10, 2022
    • Modified: Nov. 21, 2024
  • 7.5

    HIGH
    CVE-2021-24948

    The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft pos... Read more

    Affected Products : the_plus_addons_for_elementor
    • EPSS Score: %2.73
    • Published: Jan. 10, 2022
    • Modified: Nov. 21, 2024
  • 6.5

    MEDIUM
    CVE-2021-24947

    The RVM WordPress plugin before 6.4.2 does not have proper authorisation, CSRF checks and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, such as subscriber, to read arbitrar... Read more

    Affected Products : responsive_vector_maps
    • EPSS Score: %8.08
    • Published: Feb. 07, 2022
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-24946

    The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users, leading to an unauthenticated SQL... Read more

    Affected Products : modern_events_calendar_lite
    • EPSS Score: %60.14
    • Published: Dec. 13, 2021
    • Modified: Nov. 21, 2024
  • 8.0

    HIGH
    CVE-2021-24945

    The Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses ... Read more

    Affected Products : like_button_rating
    • EPSS Score: %0.14
    • Published: Dec. 13, 2021
    • Modified: Nov. 21, 2024
  • 4.8

    MEDIUM
    CVE-2021-24944

    The Custom Dashboard & Login Page WordPress plugin before 7.0 does not sanitise some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.... Read more

    Affected Products : absolutely_glamorous_custom_admin
    • EPSS Score: %0.21
    • Published: Feb. 01, 2022
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-24943

    The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, ... Read more

    • EPSS Score: %55.38
    • Published: Dec. 06, 2021
    • Modified: Nov. 21, 2024
  • 6.1

    MEDIUM
    CVE-2021-24941

    The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.0.5 does not sanitise and escape the message_id parameter of the get_message_action_row AJAX action before outputting it back in an attribute, leading to a reflected Cros... Read more

    • EPSS Score: %0.21
    • Published: Dec. 21, 2021
    • Modified: Nov. 21, 2024
  • 6.1

    MEDIUM
    CVE-2021-24940

    The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before outputting it back in an attribute in the admin dashboard, which could lead to a Reflected Cross-Site Scripting issue... Read more

    Affected Products : persian-woocommerce
    • EPSS Score: %1.89
    • Published: Mar. 14, 2022
    • Modified: Nov. 21, 2024
  • 6.1

    MEDIUM
    CVE-2021-24939

    The LoginWP (Formerly Peter's Login Redirect) WordPress plugin before 3.0.0.5 does not sanitise and escape the rul_login_url and rul_logout_url parameter before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripti... Read more

    Affected Products : loginwp
    • EPSS Score: %0.21
    • Published: Dec. 06, 2021
    • Modified: Nov. 21, 2024
  • 6.1

    MEDIUM
    CVE-2021-24938

    The WOOCS WordPress plugin before 1.3.7.1 does not sanitise and escape the key parameter of the woocs_update_profiles_data AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected cross-Site Scrip... Read more

    Affected Products : woocommerce_currency_switcher woocs
    • EPSS Score: %0.29
    • Published: Dec. 06, 2021
    • Modified: Nov. 21, 2024
  • 6.1

    MEDIUM
    CVE-2021-24937

    The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 does not escape the wpacu_selected_sub_tab_area parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue... Read more

    Affected Products : _page_speed_booster_project
    • EPSS Score: %0.21
    • Published: Feb. 01, 2022
    • Modified: Nov. 21, 2024
  • 8.0

    HIGH
    CVE-2021-24936

    The WP Extra File Types WordPress plugin before 0.5.1 does not have CSRF check when saving its settings, nor sanitise and escape some of them, which could allow attackers to make a logged in admin change them and perform Cross-Site Scripting attacks... Read more

    Affected Products : wp_extra_file_types
    • EPSS Score: %0.11
    • Published: Jan. 24, 2022
    • Modified: Nov. 21, 2024
  • 6.1

    MEDIUM
    CVE-2021-24935

    The WP Google Fonts WordPress plugin before 3.1.5 does not escape the googlefont_ajax_name and googlefont_ajax_family parameter of the googlefont_action AJAx action (available to any authenticated user) before outputing them in attributes, leading Reflect... Read more

    Affected Products : wp_google_fonts
    • EPSS Score: %0.29
    • Published: Dec. 06, 2021
    • Modified: Nov. 21, 2024
  • 6.1

    MEDIUM
    CVE-2021-24934

    The Visual CSS Style Editor WordPress plugin before 7.5.4 does not sanitise and escape the wyp_page_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue... Read more

    Affected Products : visual_css_style_editor
    • EPSS Score: %3.75
    • Published: Feb. 01, 2022
    • Modified: Nov. 21, 2024
  • 5.4

    MEDIUM
    CVE-2021-24933

    The Dynamic Widgets WordPress plugin through 1.5.16 does not escape the prefix parameter before outputting it back in an attribute when using the term_tree AJAX action (available to any authenticated users), leading to a Reflected Cross-Site Scripting iss... Read more

    Affected Products : dynamic_widgets
    • EPSS Score: %0.21
    • Published: Feb. 28, 2022
    • Modified: Nov. 21, 2024
  • 6.1

    MEDIUM
    CVE-2021-24932

    The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.3 does not sanitise and escape the post_id parameter before outputting back in an admin page within a JS block, leading to a Reflected Cross-Site Scripting issue.... Read more

    Affected Products : auto_featured_image
    • EPSS Score: %0.21
    • Published: Dec. 13, 2021
    • Modified: Nov. 21, 2024
  • 9.8

    CRITICAL
    CVE-2021-24931

    The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL... Read more

    • EPSS Score: %71.97
    • Published: Dec. 06, 2021
    • Modified: Nov. 21, 2024
  • 5.4

    MEDIUM
    CVE-2021-24930

    The WordPress Online Booking and Scheduling Plugin WordPress plugin before 20.3.1 does not escape the Staff Full Name field before outputting it back in a page, which could lead to a Stored Cross-Site Scripting issue... Read more

    Affected Products : bookly
    • EPSS Score: %0.18
    • Published: Dec. 06, 2021
    • Modified: Nov. 21, 2024
Showing 20 of 291024 Results