Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.4

    MEDIUM
    CVE-2021-24528

    The FluentSMTP WordPress plugin before 2.0.1 does not sanitize parameters before storing the settings in the database, nor does the plugin escape the values before outputting them when viewing the SMTP settings set by this plugin, leading to a stored cros... Read more

    Affected Products : fluentsmtp
    • EPSS Score: %0.18
    • Published: Aug. 30, 2021
    • Modified: Nov. 21, 2024

  • 10.0

    HIGH
    CVE-2021-24527

    The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.9 has a bug allowing any user to reset the password of the admin of the blog, and gain unauthorised access, due to a bypass in the way the reset key is checked. Furthermore... Read more

    Affected Products : profile_builder
    • EPSS Score: %0.53
    • Published: Aug. 16, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24526

    The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored C... Read more

    Affected Products : form_maker
    • EPSS Score: %0.21
    • Published: Aug. 16, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24525

    The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are ... Read more

    Affected Products : shortcodes_ultimate
    • EPSS Score: %0.18
    • Published: Sep. 20, 2021
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-24524

    The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them.... Read more

    Affected Products : givewp
    • EPSS Score: %0.22
    • Published: Aug. 23, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24523

    The Daily Prayer Time WordPress plugin before 2021.08.10 does not sanitise or escape some of its settings before outputting them in the page, leading to Authenticated Stored Cross-Site Scripting issues.... Read more

    Affected Products : daily_prayer_time daily_prayer_time
    • EPSS Score: %0.21
    • Published: Sep. 13, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24522

    The User Registration, User Profile, Login & Membership – ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.11's widget for tabbed login/register was not properly escaped and could be used in an XSS attack which could lead to wp-admin acc... Read more

    Affected Products : profilepress
    • EPSS Score: %0.52
    • Published: Aug. 09, 2021
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-24521

    The Side Menu Lite – add sticky fixed buttons WordPress plugin before 2.2.1 does not properly sanitize input values from the browser when building an SQL statement. Users with the administrator role or permission to manage this plugin could perform an SQL... Read more

    Affected Products : side_menu
    • EPSS Score: %0.78
    • Published: Aug. 09, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-24520

    The Stock in & out WordPress plugin through 1.0.4 lacks proper sanitization before passing variables to an SQL request, making it vulnerable to SQL Injection attacks. Users with a role of contributor or higher can exploit this vulnerability.... Read more

    • EPSS Score: %0.53
    • Published: Aug. 09, 2021
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-24519

    The VikRentCar Car Rental Management System WordPress plugin before 1.1.10 does not sanitise the 'Text Next to Icon' field when adding or editing a Characteristic, allowing high privilege users such as admin to use XSS payload in it, leading to an authent... Read more

    • EPSS Score: %0.26
    • Published: Aug. 16, 2021
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-24518

    The WPFront Notification Bar WordPress plugin before 2.0.0.07176 does not sanitise or escape its Custom CSS setting, allowing high privilege users such as admin to set XSS payload in it even when the unfiltered_html capability is disallowed, leading to an... Read more

    • EPSS Score: %0.43
    • Published: Aug. 16, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24517

    The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2021.18 does not escape some of its settings, allowing high privilege users such as admin to set Cross-Site Scripting payloads in them even when the unfiltered_html cap... Read more

    Affected Products : stop_spammers
    • EPSS Score: %0.16
    • Published: Sep. 06, 2021
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-24516

    The PlanSo Forms WordPress plugin through 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfiltered_html is disallowed, leading to an Auth... Read more

    Affected Products : planso_forms
    • EPSS Score: %0.29
    • Published: Oct. 18, 2021
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-24515

    The Video Gallery WordPress plugin before 1.1.5 does not escape the Title and Description of the videos in a gallery before outputting them in attributes, leading to Stored Cross-Site Scripting issues... Read more

    Affected Products : video_gallery
    • EPSS Score: %0.21
    • Published: Oct. 25, 2021
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-24514

    The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed... Read more

    Affected Products : visual_form_builder
    • EPSS Score: %0.21
    • Published: Oct. 25, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24513

    The Form Builder | Create Responsive Contact Forms WordPress plugin before 1.9.8.4 does not sanitise or escape its Form Title, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capabilit... Read more

    Affected Products : form_builder
    • EPSS Score: %0.18
    • Published: Sep. 06, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24512

    The Video Posts Webcam Recorder WordPress plugin before 3.2.4 has an authenticated reflected cross site scripting (XSS) vulnerability in one of the administrative functions for handling deletion of videos.... Read more

    Affected Products : video_posts_webcam_recorder
    • EPSS Score: %0.21
    • Published: Aug. 16, 2021
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-24511

    The fetch_product_ajax functionality in the Product Feed on WooCommerce WordPress plugin before 3.3.1.0 uses a `product_id` POST parameter which is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection.... Read more

    Affected Products : product_feed_on_woocommerce
    • EPSS Score: %0.57
    • Published: Sep. 20, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24510

    The MF Gig Calendar WordPress plugin before 1.2 does not sanitise and escape the id GET parameter before outputting back in the admin dashboard when editing an Event, leading to a reflected Cross-Site Scripting issue... Read more

    Affected Products : mf_gig_calendar
    • EPSS Score: %16.36
    • Published: Sep. 13, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24509

    The Page View Count WordPress plugin before 2.4.9 does not escape the postid parameter of pvc_stats shortcode, allowing users with a role as low as Contributor to perform Stored XSS attacks. A post made by a contributor would still have to be approved by ... Read more

    Affected Products : page_view_count
    • EPSS Score: %0.16
    • Published: Aug. 09, 2021
    • Modified: Nov. 21, 2024
Showing 20 of 290983 Results