Latest CVE Feed

Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.2

    HIGH
    CVE-2021-24254

    The College publisher Import WordPress plugin through 0.1 does not check for the uploaded CSV file to import, allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE. Due to the lack of CSRF check, the issue could also be expl... Read more

    Affected Products : college_publisher_import
    • EPSS Score: %0.91
    • Published: May. 06, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-24253

    The Classyfrieds WordPress plugin through 3.8 does not properly check the uploaded file when an authenticated user adds a listing, only checking the content-type in the request. This allows any authenticated user to upload arbitrary PHP files via the Add ... Read more

    Affected Products : classyfrieds
    • EPSS Score: %1.12
    • Published: May. 06, 2021
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-24252

    The Event Banner WordPress plugin through 1.3 does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. Due to the lack of CSRF check, the issue can also be used v... Read more

    Affected Products : event_banner
    • EPSS Score: %1.00
    • Published: May. 06, 2021
    • Modified: Nov. 21, 2024

  • 4.3

    MEDIUM
    CVE-2021-24251

    The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator update arbitrary payment history, such as change... Read more

    • EPSS Score: %0.14
    • Published: May. 06, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24250

    The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from lack of sanitisation in the label of the Form Fields, leading to Authenticated Stored Cross-Site Scripting issues across various pages of t... Read more

    • EPSS Score: %0.19
    • Published: May. 06, 2021
    • Modified: Nov. 21, 2024

  • 6.5

    MEDIUM
    CVE-2021-24249

    The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator export files, which could then be downloaded by ... Read more

    • EPSS Score: %0.12
    • Published: May. 06, 2021
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-24248

    The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 did not properly check for imported files, forbidding certain extension via a blacklist approach, allowing administrator to import an archive with a .php... Read more

    • EPSS Score: %0.88
    • Published: May. 06, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24247

    The Contact Form Check Tester WordPress plugin through 1.0.2 settings are visible to all registered users in the dashboard and are lacking any sanitisation. As a result, any registered user, such as subscriber, can leave an XSS payload in the plugin setti... Read more

    Affected Products : contact_form_check_tester
    • EPSS Score: %0.34
    • Published: May. 06, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24246

    The Workscout Core WordPress plugin before 1.3.4, used by the WorkScout Theme did not sanitise the chat messages sent via the workscout_send_message_chat AJAX action, leading to Stored Cross-Site Scripting and Cross-Frame Scripting issues... Read more

    Affected Products : workscout workscout_core
    • EPSS Score: %0.16
    • Published: May. 06, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24245

    The Stop Spammers WordPress plugin before 2021.9 did not escape user input when blocking requests (such as matching a spam word), outputting it in an attribute after sanitising it to remove HTML tags, which is not sufficient and lead to a reflected Cross-... Read more

    Affected Products : stop_spammers
    • EPSS Score: %17.94
    • Published: May. 06, 2021
    • Modified: Nov. 21, 2024

  • 6.5

    MEDIUM
    CVE-2021-24244

    An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.8 did not have capability checks, allowing low privilege users, such as subscribers, to update the license options (key, email).... Read more

    Affected Products : wpbakery_page_builder_clipboard
    • EPSS Score: %0.19
    • Published: May. 06, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24243

    An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.6 did not have capability checks nor sanitization, allowing low privilege users (subscriber+) to call it and set XSS payloads, which will be tri... Read more

    Affected Products : wpbakery_page_builder_clipboard
    • EPSS Score: %0.16
    • Published: May. 06, 2021
    • Modified: Nov. 21, 2024

  • 5.5

    MEDIUM
    CVE-2021-24242

    The Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.8 is affected by a local file inclusion vulnerability through the maliciously constructed sub_page parameter of the plugin's Tools, allowing high privilege users to include a... Read more

    Affected Products : tutor_lms
    • EPSS Score: %0.22
    • Published: Apr. 22, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24241

    The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page.... Read more

    Affected Products : advanced_custom_fields
    • EPSS Score: %0.63
    • Published: Apr. 22, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-24240

    The Business Hours Pro WordPress plugin through 5.5.0 allows a remote attacker to upload arbitrary files using its manual update functionality, leading to an unauthenticated remote code execution vulnerability.... Read more

    Affected Products : business_hours_pro
    • EPSS Score: %8.07
    • Published: Apr. 22, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24239

    The Pie Register – User Registration Forms. Invitation based registrations, Custom Login, Payments WordPress plugin before 3.7.0.1 does not sanitise the invitaion_code GET parameter when outputting it in the Activation Code page, leading to a reflected Cr... Read more

    Affected Products : pie_register
    • EPSS Score: %4.60
    • Published: Apr. 22, 2021
    • Modified: Nov. 21, 2024

  • 6.5

    MEDIUM
    CVE-2021-24238

    The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not ensure that the requested property to be deleted belong to the user making the request, allowing any authenticated users to delete arbitrary properties by tampering with the prop... Read more

    Affected Products : findeo realteo
    • EPSS Score: %0.30
    • Published: Apr. 22, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24237

    The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not properly sanitise the keyword_search, search_radius. _bedrooms and _bathrooms GET parameters before outputting them in its properties page, leading to an unauthenticated reflecte... Read more

    Affected Products : findeo realteo
    • EPSS Score: %63.26
    • Published: Apr. 22, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-24236

    The Imagements WordPress plugin through 1.2.5 allows images to be uploaded in comments, however only checks for the Content-Type in the request to forbid dangerous files. This allows unauthenticated attackers to upload arbitrary files by using a valid ima... Read more

    Affected Products : imagements
    • EPSS Score: %74.93
    • Published: May. 06, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24235

    The Goto WordPress theme before 2.0 does not sanitise the keywords and start_date GET parameter on its Tour List page, leading to an unauthenticated reflected Cross-Site Scripting issue.... Read more

    Affected Products : goto
    • EPSS Score: %26.73
    • Published: Apr. 22, 2021
    • Modified: Nov. 21, 2024
Showing 20 of 290978 Results