Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.2

    HIGH
    CVE-2021-24394

    An id GET parameter of the Easy Testimonial Manager WordPress plugin through 1.2.0 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection... Read more

    Affected Products : easy_testimonial_manager
    • EPSS Score: %0.57
    • Published: Sep. 06, 2021
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-24393

    A c GET parameter of the Comment Highlighter WordPress plugin through 0.13 is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection.... Read more

    Affected Products : comment_highlighter
    • EPSS Score: %0.57
    • Published: Sep. 06, 2021
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-24392

    An id GET parameter of the WordPress Membership SwiftCloud.io WordPress plugin through 1.0 is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection.... Read more

    Affected Products : club-management-software
    • EPSS Score: %0.57
    • Published: Sep. 06, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-24391

    An editid GET parameter of the Cashtomer WordPress plugin through 1.0.0 is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection.... Read more

    Affected Products : cashtomer
    • EPSS Score: %0.53
    • Published: Sep. 06, 2021
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-24390

    A proid GET parameter of the WordPress支付宝Alipay|财付通Tenpay|贝宝PayPal集成插件 WordPress plugin through 3.7.2 is not sanitised, properly escaped or validated before inserting to a SQL statement not delimited by quotes, leading to SQL injection.... Read more

    Affected Products : alipay
    • EPSS Score: %0.57
    • Published: Sep. 06, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24389

    The WP Foodbakery WordPress plugin before 2.2, used in the FoodBakery WordPress theme before 2.2 did not properly sanitize the foodbakery_radius parameter before outputting it back in the response, leading to an unauthenticated Reflected Cross-Site Script... Read more

    Affected Products : foodbakery
    • EPSS Score: %13.97
    • Published: Jul. 06, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24388

    In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or esc... Read more

    • EPSS Score: %0.08
    • Published: Jul. 06, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24387

    The WP Pro Real Estate 7 WordPress theme before 3.1.1 did not properly sanitise the ct_community parameter in its search listing page before outputting it back in it, leading to a reflected Cross-Site Scripting which can be triggered in both unauthenticat... Read more

    Affected Products : real_estate_7
    • EPSS Score: %42.18
    • Published: Jul. 06, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24386

    The WP SVG images WordPress plugin before 3.4 did not sanitise the SVG files uploaded, which could allow low privilege users such as author+ to upload a malicious SVG and then perform XSS attacks by inducing another user to access the file directly. In v3... Read more

    Affected Products : wp_svg_images
    • EPSS Score: %0.18
    • Published: Jul. 06, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-24385

    The Filebird Plugin 4.7.3 introduced a SQL injection vulnerability as it is making SQL queries without escaping user input data from a HTTP post request. This is a major vulnerability as the user input is not escaped and passed directly to the get_col fun... Read more

    Affected Products : filebird
    • EPSS Score: %9.02
    • Published: Jul. 12, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-24384

    The joomsport_md_load AJAX action of the JoomSport WordPress plugin before 5.1.8, registered for both unauthenticated and unauthenticated users, unserialised user input from the shattr POST parameter, leading to a PHP Object Injection issue. Even though t... Read more

    Affected Products : joomsport
    • EPSS Score: %4.12
    • Published: Jul. 06, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24383

    The WP Google Maps WordPress plugin before 8.1.12 did not sanitise, validate of escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue... Read more

    Affected Products : wp_go_maps
    • EPSS Score: %0.87
    • Published: Jun. 21, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24382

    The Smart Slider 3 Free and pro WordPress plugins before 3.5.0.9 did not sanitise the Project Name before outputting it back in the page, leading to a Stored Cross-Site Scripting issue. By default, only administrator users could access the affected functi... Read more

    Affected Products : smart_slider smart_slider_3
    • EPSS Score: %0.42
    • Published: Jun. 14, 2021
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-24381

    The Ninja Forms Contact Form WordPress plugin before 3.5.8.2 does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capabil... Read more

    Affected Products : ninja_forms contact_form
    • EPSS Score: %0.21
    • Published: Oct. 25, 2021
    • Modified: Nov. 21, 2024

  • 4.3

    MEDIUM
    CVE-2021-24380

    The Shantz WordPress QOTD WordPress plugin through 1.2.2 is lacking any CSRF check when updating its settings, allowing attackers to make logged in administrators change them to arbitrary values.... Read more

    Affected Products : shantz_wordpress_qotd
    • EPSS Score: %0.10
    • Published: Aug. 16, 2021
    • Modified: Nov. 21, 2024

  • 5.3

    MEDIUM
    CVE-2021-24379

    The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited like/dislike to... Read more

    Affected Products : comments_like_dislike
    • EPSS Score: %0.22
    • Published: Jun. 21, 2021
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-24378

    The Autoptimize WordPress plugin before 2.7.8 does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScrip... Read more

    Affected Products : autoptimize
    • EPSS Score: %0.22
    • Published: Jun. 21, 2021
    • Modified: Nov. 21, 2024

  • 8.1

    HIGH
    CVE-2021-24377

    The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in ... Read more

    Affected Products : autoptimize
    • EPSS Score: %0.48
    • Published: Jun. 21, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-24376

    The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload ... Read more

    Affected Products : autoptimize
    • EPSS Score: %10.01
    • Published: Jun. 21, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-24375

    Lack of authentication or validation in motor_load_more, motor_gallery_load_more, motor_quick_view and motor_project_quick_view AJAX handlers of the Motor WordPress theme before 3.1.0 allows an unauthenticated attacker access to arbitrary files in the ser... Read more

    Affected Products : motor
    • EPSS Score: %2.78
    • Published: Jul. 06, 2021
    • Modified: Nov. 21, 2024
Showing 20 of 292732 Results