Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.4

    MEDIUM
    CVE-2021-24576

    The Easy Accordion WordPress plugin before 2.0.22 does not properly sanitize inputs when adding new items to an accordion.... Read more

    Affected Products : easy_accordion
    • EPSS Score: %0.18
    • Published: Oct. 11, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-24575

    The School Management System – WPSchoolPress WordPress plugin before 2.1.10 does not properly sanitize or use prepared statements before using POST variable in SQL queries, leading to SQL injection in multiple actions available to various authenticated us... Read more

    Affected Products : wpschoolpress
    • EPSS Score: %0.70
    • Published: Nov. 08, 2021
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-24574

    The Simple Banner WordPress plugin before 2.10.4 does not sanitise and escape one of its settings, allowing high privilege users such as admin to use Cross-Site Scripting payload even when the unfiltered_html capability is disallowed.... Read more

    Affected Products : simple_banner
    • EPSS Score: %0.21
    • Published: Aug. 23, 2021
    • Modified: Nov. 21, 2024

  • 4.3

    MEDIUM
    CVE-2021-24572

    The Accept Donations with PayPal WordPress plugin before 1.3.1 provides a function to create donation buttons which are internally stored as posts. The deletion of a button is not CSRF protected and there is no control to check if the deleted post was a b... Read more

    Affected Products : accept_donations_with_paypal
    • EPSS Score: %0.14
    • Published: Nov. 01, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24571

    The HD Quiz WordPress plugin before 1.8.4 does not escape some of its Answers before outputting them in attribute when generating the Quiz, which could lead to Stored Cross-Site Scripting issues... Read more

    Affected Products : hd_quiz
    • EPSS Score: %0.18
    • Published: Aug. 23, 2021
    • Modified: Nov. 21, 2024

  • 4.3

    MEDIUM
    CVE-2021-24570

    The Accept Donations with PayPal WordPress plugin before 1.3.1 offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin ... Read more

    Affected Products : accept_donations_with_paypal
    • EPSS Score: %0.16
    • Published: Nov. 01, 2021
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-24569

    The Cookie Notice & Compliance for GDPR / CCPA WordPress plugin before 2.1.2 does not escape the value of its Button Text setting when outputting it in an attribute in the frontend, allowing high privilege users such as admin to perform Cross-Site Scripti... Read more

    • EPSS Score: %0.28
    • Published: Sep. 27, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24568

    The AddToAny Share Buttons WordPress plugin before 1.7.46 does not sanitise its Sharing Header setting when outputting it in frontend pages, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html ... Read more

    Affected Products : addtoany_share_buttons
    • EPSS Score: %0.16
    • Published: Sep. 06, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24567

    The Simple Post WordPress plugin through 1.1 does not sanitize user input when an authenticated user Text value, then it does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue.... Read more

    Affected Products : simple_post
    • EPSS Score: %0.24
    • Published: Jan. 16, 2024
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-24565

    The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing attacker to make a logged in user with the manage_options change them. Furthermore, the settings are not escaped when output ... Read more

    Affected Products : contact_form_7_captcha
    • EPSS Score: %0.20
    • Published: Aug. 23, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24564

    The WPFront Scroll Top WordPress plugin before 2.0.6.07225 does not sanitise or escape its Image ALT setting before outputting it attributes, leading to an Authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disall... Read more

    Affected Products : scroll_top
    • EPSS Score: %0.19
    • Published: Aug. 23, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24563

    The Frontend Uploader WordPress plugin through 1.3.2 does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access... Read more

    Affected Products : frontend_uploader
    • EPSS Score: %29.96
    • Published: Oct. 11, 2021
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2021-24562

    The LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.2 was affected by an IDOR issue, allowing students to see other student answers and grades... Read more

    Affected Products : lifterlms
    • EPSS Score: %0.61
    • Published: Aug. 23, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24560

    The Software License Manager WordPress plugin before 4.4.8 does not sanitise or escape the edit_record parameter before outputting it back in the page in the admin dashboard, leading to a Reflected Cross-Site Scripting issue... Read more

    Affected Products : software_license_manager
    • EPSS Score: %0.21
    • Published: Sep. 13, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24558

    The pspin_duplicate_post_save_as_new_post function of the Project Status WordPress plugin through 1.6 does not sanitise, validate or escape the post GET parameter passed to it before outputting it in an error message when the related post does not exist, ... Read more

    Affected Products : project_status
    • EPSS Score: %0.25
    • Published: Aug. 23, 2021
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-24557

    The update functionality in the rslider_page uses an rs_id POST parameter which is not validated, sanitised or escaped before being inserted in sql query, therefore leading to SQL injection for users having Administrator role.... Read more

    Affected Products : m-vslider
    • EPSS Score: %0.57
    • Published: Aug. 23, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24556

    The kento_email_subscriber_ajax AJAX action of the Email Subscriber WordPress plugin through 1.1, does not properly sanitise, validate and escape the submitted subscribe_email and subscribe_name POST parameters, inserting them in the DB and then outputtin... Read more

    Affected Products : email-subscriber
    • EPSS Score: %1.32
    • Published: Aug. 23, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-24555

    The daac_delete_booking_callback function, hooked to the daac_delete_booking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore... Read more

    Affected Products : diary-availability-calendar
    • EPSS Score: %0.30
    • Published: Aug. 23, 2021
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-24554

    The Paytm – Donation Plugin WordPress plugin through 1.3.2 does not sanitise, validate or escape the id GET parameter before using it in a SQL statement when deleting donations, leading to an authenticated SQL injection issue... Read more

    Affected Products : paytm-pay
    • EPSS Score: %16.23
    • Published: Aug. 23, 2021
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-24553

    The Timeline Calendar WordPress plugin through 1.2 does not sanitise, validate or escape the edit GET parameter before using it in a SQL statement when editing events, leading to an authenticated SQL injection issue. Other SQL Injections are also present ... Read more

    Affected Products : timeline_calendar
    • EPSS Score: %0.99
    • Published: Aug. 23, 2021
    • Modified: Nov. 21, 2024
Showing 20 of 290985 Results