Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.1

    MEDIUM
    CVE-2021-24792

    The Shiny Buttons WordPress plugin through 1.1.0 does not have any authorisation and CSRF in place when saving a template (wpbtn_save_template function hooked to the init action), nor sanitise and escape them before outputting them in the admin dashboard,... Read more

    Affected Products : shiny_buttons
    • EPSS Score: %12.13
    • Published: Dec. 13, 2021
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-24791

    The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the "orderby" and "order" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections... Read more

    Affected Products : header_footer_code_manager
    • EPSS Score: %6.31
    • Published: Nov. 08, 2021
    • Modified: Nov. 21, 2024

  • 4.3

    MEDIUM
    CVE-2021-24790

    The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions, available to any authenticated users, which could allow users with a role as ... Read more

    Affected Products : contact_form_advanced_database
    • EPSS Score: %0.09
    • Published: Dec. 13, 2021
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-24789

    The Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disall... Read more

    Affected Products : flat_preloader
    • EPSS Score: %0.21
    • Published: Nov. 01, 2021
    • Modified: Nov. 21, 2024

  • 6.5

    MEDIUM
    CVE-2021-24788

    The Batch Cat WordPress plugin through 0.3 defines 3 custom AJAX actions, which both require authentication but are available for all roles. As a result, any authenticated user (including simple subscribers) can add/set/delete arbitrary categories to post... Read more

    Affected Products : batch_cat
    • EPSS Score: %0.18
    • Published: Nov. 08, 2021
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-24787

    The Client Invoicing by Sprout Invoices WordPress plugin before 19.9.7 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed... Read more

    • EPSS Score: %0.21
    • Published: Nov. 17, 2021
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-24785

    The Great Quotes WordPress plugin through 1.0.0 does not sanitise and escape the Quote and Author fields of its Quotes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.... Read more

    Affected Products : great-quotes
    • EPSS Score: %0.21
    • Published: Oct. 25, 2021
    • Modified: Nov. 21, 2024

  • 6.5

    MEDIUM
    CVE-2021-24784

    The WP Admin Logo Changer WordPress plugin through 1.0 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin update them via a CSRF attack.... Read more

    Affected Products : wp_admin_logo_changer
    • EPSS Score: %0.14
    • Published: Dec. 13, 2021
    • Modified: Nov. 21, 2024

  • 6.5

    MEDIUM
    CVE-2021-24783

    The Post Expirator WordPress plugin before 2.6.0 does not have proper capability checks in place, which could allow users with a role as low as Contributor to schedule deletion of arbitrary posts.... Read more

    Affected Products : post_expirator
    • EPSS Score: %0.19
    • Published: Nov. 08, 2021
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-24782

    The Flex Local Fonts WordPress plugin through 1.0.0 does not escape the Class Name field when adding a font, which could allow hight privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.... Read more

    Affected Products : flex_local_fonts
    • EPSS Score: %0.21
    • Published: Dec. 13, 2021
    • Modified: Nov. 21, 2024

  • 4.3

    MEDIUM
    CVE-2021-24781

    The Image Source Control WordPress plugin before 2.3.1 allows users with a role as low as Contributor to change arbitrary post meta fields of arbitrary posts (even those they should not be able to edit)... Read more

    Affected Products : image_source_control
    • EPSS Score: %0.14
    • Published: Nov. 01, 2021
    • Modified: Nov. 21, 2024

  • 4.3

    MEDIUM
    CVE-2021-24780

    The Single Post Exporter WordPress plugin through 1.1.1 does not have CSRF checks when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and give access to the export feature to any role such as subsc... Read more

    Affected Products : single_post_exporter
    • EPSS Score: %0.10
    • Published: Dec. 13, 2021
    • Modified: Nov. 21, 2024

  • 6.5

    MEDIUM
    CVE-2021-24779

    The WP Debugging WordPress plugin before 2.11.0 has its update_settings() function hooked to admin_init and is missing any authorisation and CSRF checks, as a result, the settings can be updated by unauthenticated users.... Read more

    Affected Products : wp_debugging
    • EPSS Score: %0.25
    • Published: Oct. 25, 2021
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-24778

    The test parameter of the xmlfeed in the Tradetracker-Store WordPress plugin before 4.6.60 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection.... Read more

    Affected Products : tradetracker-store
    • EPSS Score: %0.54
    • Published: Mar. 07, 2022
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-24777

    The view submission functionality in the Hotscot Contact Form WordPress plugin before 1.3 makes a get request with the sub_id parameter which not sanitised, escaped or validated before inserting to a SQL statement, leading to an SQL injection.... Read more

    Affected Products : contact_form
    • EPSS Score: %0.54
    • Published: Mar. 07, 2022
    • Modified: Nov. 21, 2024

  • 4.3

    MEDIUM
    CVE-2021-24776

    The WP Performance Score Booster WordPress plugin before 2.1 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.... Read more

    Affected Products : wp_performance_score_booster
    • EPSS Score: %0.10
    • Published: Nov. 17, 2021
    • Modified: Nov. 21, 2024

  • 5.3

    MEDIUM
    CVE-2021-24775

    The Document Embedder WordPress plugin before 1.7.5 contains a REST endpoint, which could allow unauthenticated users to enumerate the title of arbitrary private and draft posts.... Read more

    Affected Products : document_embedder
    • EPSS Score: %0.47
    • Published: Feb. 01, 2022
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-24774

    The Check & Log Email WordPress plugin before 1.0.3 does not validate and escape the "order" and "orderby" GET parameters before using them in a SQL statement when viewing logs, leading to SQL injections issues... Read more

    Affected Products : check_\&_log_email
    • EPSS Score: %0.57
    • Published: Oct. 25, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-24772

    The Stream WordPress plugin before 3.8.2 does not sanitise and validate the order GET parameter from the Stream Records admin dashboard before using it in a SQL statement, leading to an SQL injection issue.... Read more

    Affected Products : stream
    • EPSS Score: %0.53
    • Published: Nov. 17, 2021
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-24771

    The Inspirational Quote Rotator WordPress plugin through 1.0.0 does not sanitize and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the "Quotes list" even whe... Read more

    Affected Products : inspirational_quote_rotator
    • EPSS Score: %0.21
    • Published: Dec. 13, 2021
    • Modified: Nov. 21, 2024
Showing 20 of 291014 Results