Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 8.8

    HIGH
    CVE-2021-24763

    The Perfect Survey WordPress plugin before 1.5.2 does not have proper authorisation nor CSRF checks in the save_global_setting AJAX action, allowing unauthenticated users to edit surveys and modify settings. Given the lack of sanitisation and escaping in ... Read more

    Affected Products : perfect_survey
    • EPSS Score: %0.41
    • Published: Feb. 01, 2022
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-24762

    The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.... Read more

    Affected Products : perfect_survey
    • EPSS Score: %83.21
    • Published: Feb. 01, 2022
    • Modified: Nov. 21, 2024

  • 6.5

    MEDIUM
    CVE-2021-24761

    The Error Log Viewer WordPress plugin before 1.1.2 does not perform nonce check when deleting a log file and does not have path traversal prevention, which could allow attackers to make a logged in admin delete arbitrary text files on the web server.... Read more

    Affected Products : error_log_viewer
    • EPSS Score: %0.28
    • Published: Feb. 01, 2022
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24760

    The Gutenberg PDF Viewer Block WordPress plugin before 1.0.1 does not sanitise and escape its block, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.... Read more

    Affected Products : pdf_viewer_block_for_gutenberg
    • EPSS Score: %0.18
    • Published: Oct. 18, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24759

    The PDF.js Viewer WordPress plugin before 2.0.2 does not escape some of its shortcode and Gutenberg Block attributes, which could allow users with a role as low as Contributor to to perform Cross-Site Scripting attacks... Read more

    Affected Products : pdf.js_viewer
    • EPSS Score: %0.18
    • Published: Dec. 06, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-24758

    The Email Log WordPress plugin before 2.4.7 does not properly validate, sanitise and escape the "orderby" and "order" GET parameters before using them in SQL statement in the admin dashboard, leading to SQL injections... Read more

    Affected Products : email_log
    • EPSS Score: %0.50
    • Published: Nov. 17, 2021
    • Modified: Nov. 21, 2024

  • 5.3

    MEDIUM
    CVE-2021-24757

    The Stylish Price List WordPress plugin before 6.9.0 does not perform capability checks in its spl_upload_ser_img AJAX action (available to both unauthenticated and authenticated users), which could allow unauthenticated users to upload images.... Read more

    Affected Products : stylish_price_list
    • EPSS Score: %0.35
    • Published: Nov. 01, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24756

    The WP System Log WordPress plugin before 1.0.21 does not sanitise, validate and escape the IP address retrieved from login requests before outputting them in the admin dashboard, which could allow unauthenticated attacker to perform Cross-Site Scripting ... Read more

    Affected Products : wp_system_log
    • EPSS Score: %14.82
    • Published: Dec. 13, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-24755

    The myCred WordPress plugin before 2.3 does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user... Read more

    Affected Products : mycred
    • EPSS Score: %0.66
    • Published: Nov. 29, 2021
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-24754

    The MainWP Child Reports WordPress plugin before 2.0.8 does not validate or sanitise the order parameter before using it in a SQL statement in the admin dashboard, leading to an SQL injection issue... Read more

    Affected Products : mainwp_child_reports
    • EPSS Score: %0.57
    • Published: Oct. 18, 2021
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-24753

    The Rich Reviews by Starfish WordPress plugin before 1.9.6 does not properly validate the orderby GET parameter of the pending reviews page before using it in a SQL statement, leading to an authenticated SQL injection issue... Read more

    Affected Products : rich_review
    • EPSS Score: %0.75
    • Published: Dec. 27, 2021
    • Modified: Nov. 21, 2024

  • 5.7

    MEDIUM
    CVE-2021-24752

    Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the Essential Widgets WordPress plugin before 1.9, To Top WordPre... Read more

    • EPSS Score: %0.10
    • Published: Oct. 18, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24751

    The GenerateBlocks WordPress plugin before 1.4.0 does not validate the generateblocks/container block's tagName attribute, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.... Read more

    Affected Products : generateblocks
    • EPSS Score: %0.18
    • Published: Nov. 29, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-24750

    The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perf... Read more

    • EPSS Score: %57.60
    • Published: Dec. 21, 2021
    • Modified: Nov. 21, 2024

  • 4.3

    MEDIUM
    CVE-2021-24749

    The URL Shortify WordPress plugin before 1.5.1 does not have CSRF check in place when bulk-deleting links or groups, which could allow attackers to make a logged in admin delete arbitrary link and group via a CSRF attack.... Read more

    Affected Products : url_shortify
    • EPSS Score: %0.10
    • Published: Nov. 29, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-24748

    The Email Before Download WordPress plugin before 6.8 does not properly validate and escape the order and orderby GET parameters before using them in SQL statements, leading to authenticated SQL injection issues... Read more

    Affected Products : email_before_download
    • EPSS Score: %0.70
    • Published: Nov. 29, 2021
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-24747

    The SEO Booster WordPress plugin before 3.8 allows for authenticated SQL injection via the "fn_my_ajaxified_dataloader_ajax" AJAX request as the $_REQUEST['order'][0]['dir'] parameter is not properly escaped leading to blind and error-based SQL injections... Read more

    Affected Products : seo_booster
    • EPSS Score: %0.71
    • Published: Dec. 13, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24746

    The Social Sharing Plugin WordPress plugin before 3.3.40 does not escape the viewed post URL before outputting it back in onclick attributes when the "Enable 'More' icon" option is enabled (which is the default setting), leading to a Reflected Cross-Site ... Read more

    Affected Products : sassy_social_share
    • EPSS Score: %4.00
    • Published: Mar. 28, 2022
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24745

    The About Author Box WordPress plugin before 1.0.2 does not sanitise and escape the Social Profiles field values before outputting them in attributes, which could allow user with a role as low as contributor to perform Cross-Site Scripting attacks.... Read more

    Affected Products : about_author_box
    • EPSS Score: %0.20
    • Published: Nov. 29, 2021
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-24744

    The WordPress Contact Forms by Cimatti WordPress plugin before 1.4.12 does not sanitise and escape the Form Title before outputting it in some admin pages. which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilt... Read more

    Affected Products : contact_forms
    • EPSS Score: %0.21
    • Published: Oct. 25, 2021
    • Modified: Nov. 21, 2024
Showing 20 of 291209 Results