Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.5

    MEDIUM
    CVE-2021-24928

    The Rearrange Woocommerce Products WordPress plugin before 3.0.8 does not have proper access controls in the save_all_order AJAX action, nor validation and escaping when inserting user data in SQL statement, leading to an SQL injection, and allowing any a... Read more

    Affected Products : rearrange_woocommerce_products
    • EPSS Score: %0.37
    • Published: Feb. 07, 2022
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24927

    The My Calendar WordPress plugin before 3.2.18 does not sanitise and escape the callback parameter of the mc_post_lookup AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected Cross-Site Scripti... Read more

    Affected Products : my_calendar my_calendar
    • EPSS Score: %0.21
    • Published: Nov. 29, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24926

    The Domain Check WordPress plugin before 1.0.17 does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue... Read more

    Affected Products : domain_check
    • EPSS Score: %6.29
    • Published: Feb. 01, 2022
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24925

    The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the current_month_divider parameter of its mec_list_load_more AJAX call (available to both unauthenticated and authenticated users) before outputting it back in the... Read more

    Affected Products : modern_events_calendar_lite
    • EPSS Score: %0.29
    • Published: Dec. 13, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24924

    The Email Log WordPress plugin before 2.4.8 does not escape the d parameter before outputting it back in an attribute in the Log page, leading to a Reflected Cross-Site Scripting issue... Read more

    Affected Products : email_log
    • EPSS Score: %0.21
    • Published: Dec. 06, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24923

    The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.25 does not escape the sib-statistics-date parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue... Read more

    • EPSS Score: %0.21
    • Published: Jan. 24, 2022
    • Modified: Nov. 21, 2024

  • 9.0

    CRITICAL
    CVE-2021-24922

    The Pixel Cat WordPress plugin before 2.6.2 does not have CSRF check when saving its settings, and did not sanitise as well as escape some of them, which could allow attacker to make a logged in admin change them and perform Cross-Site Scripting attacks... Read more

    Affected Products : pixel_cat
    • EPSS Score: %0.11
    • Published: Dec. 13, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24921

    The Advanced Database Cleaner WordPress plugin before 3.0.4 does not sanitise and escape $_GET keys and values before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues... Read more

    Affected Products : advanced_database_cleaner
    • EPSS Score: %0.21
    • Published: Feb. 21, 2022
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-24920

    The StatCounter WordPress plugin before 2.0.7 does not sanitise and escape the Project ID and Secure Code settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed... Read more

    Affected Products : statcounter
    • EPSS Score: %0.21
    • Published: Feb. 28, 2022
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-24919

    The Wicked Folders WordPress plugin before 2.8.10 does not sanitise and escape the folder_id parameter before using it in a SQL statement in the wicked_folders_save_sort_order AJAX action, available to any authenticated user. leading to an SQL injection... Read more

    Affected Products : wicked_folders
    • EPSS Score: %0.65
    • Published: Feb. 01, 2022
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24918

    The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did not have any privilege or nonce validation before saving the plugin's setting. As a result, any logged-in user on a vulnerable site could update the settings and store rogue JavaScript o... Read more

    Affected Products : smash_balloon_social_post_feed
    • EPSS Score: %0.18
    • Published: Nov. 29, 2021
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2021-24917

    The WPS Hide Login WordPress plugin before 1.9.1 has a bug which allows to get the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.... Read more

    Affected Products : wps_hide_login
    • EPSS Score: %76.40
    • Published: Dec. 06, 2021
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2021-24916

    The Qubely WordPress plugin before 1.8.6 allows unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action.... Read more

    Affected Products : qubely
    • EPSS Score: %3.35
    • Published: Aug. 07, 2023
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-24915

    The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sanitise or escape the cg-search-user-name-original parameter before using it in a SQL statement when exporting users from a gallery, which could allow unaut... Read more

    Affected Products : contest_gallery
    • EPSS Score: %74.56
    • Published: Nov. 29, 2021
    • Modified: Nov. 21, 2024

  • 8.0

    HIGH
    CVE-2021-24914

    The Tawk.To Live Chat WordPress plugin before 0.6.0 does not have capability and CSRF checks in the tawkto_setwidget and tawkto_removewidget AJAX actions, available to any authenticated user. The first one allows low-privileged users (including simple sub... Read more

    Affected Products : tawk.to_live_chat
    • EPSS Score: %0.10
    • Published: Dec. 06, 2021
    • Modified: Nov. 21, 2024

  • 4.3

    MEDIUM
    CVE-2021-24913

    The Logo Showcase with Slick Slider WordPress plugin before 2.0.1 does not have CSRF check in the lswss_save_attachment_data AJAX action, allowing attackers to make a logged in high privilege user, change title, description, alt text, and URL of arbitrary... Read more

    Affected Products : logo_showcase_with_slick_slider
    • EPSS Score: %0.10
    • Published: Feb. 28, 2022
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24912

    The Transposh WordPress Translation WordPress plugin before 1.0.8 does not have CSRF check in its tp_translation AJAX action, which could allow attackers to make authorised users add a translation. Given the lack of sanitisation in the tk0 parameter, this... Read more

    Affected Products : transposh_wordpress_translation
    • EPSS Score: %0.22
    • Published: Aug. 22, 2022
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24911

    The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the tk0 parameter from the tp_translation AJAX action, leading to Stored Cross-Site Scripting, which will trigger in the admin dashboard of the plugin. The mini... Read more

    Affected Products : transposh_wordpress_translation
    • EPSS Score: %0.21
    • Published: Aug. 22, 2022
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24910

    The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the a parameter via an AJAX action (available to both unauthenticated and authenticated users when the curl library is installed) before outputting it back in t... Read more

    Affected Products : transposh_wordpress_translation
    • EPSS Score: %28.07
    • Published: Aug. 22, 2022
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24909

    The ACF Photo Gallery Field WordPress plugin before 1.7.5 does not sanitise and escape the post parameter in the includes/acf_photo_gallery_metabox_edit.php file before outputing back in an attribute, leading to a Reflected Cross-Site Scripting issue... Read more

    Affected Products : acf_photo_gallery_field
    • EPSS Score: %0.29
    • Published: Jan. 17, 2022
    • Modified: Nov. 21, 2024
Showing 20 of 291024 Results