Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.1

    MEDIUM
    CVE-2021-25062

    The Orders Tracking for WooCommerce WordPress plugin before 1.1.10 does not sanitise and escape the file_url before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting... Read more

    Affected Products : orders_tracking_for_woocommerce
    • Published: Jan. 24, 2022
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-25061

    The WP Booking System WordPress plugin before 2.0.15 was affected by a reflected xss in wp-booking-system on the wpbs-calendars admin page.... Read more

    Affected Products : wp_booking_system
    • Published: Jan. 17, 2022
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-25060

    The Five Star Business Profile and Schema WordPress plugin before 2.1.7 does not have any authorisation and CSRF in its bpfwp_welcome_add_contact_page and bpfwp_welcome_set_contact_information AJAX action, allowing any authenticated users, such as subscri... Read more

    • Published: Feb. 21, 2022
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-25058

    The Buffer Button WordPress plugin through 1.0 was vulnerable to Authenticated Stored Cross Site Scripting (XSS) within the Twitter username to mention text field.... Read more

    Affected Products : the_buffer_button
    • Published: Feb. 21, 2022
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-25057

    The Translation Exchange WordPress plugin through 1.0.14 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) within the Project Key text field found in the plugin's settings.... Read more

    Affected Products : translation_exchange
    • Published: Feb. 21, 2022
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-25056

    The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.... Read more

    Affected Products : ninja_forms
    • Published: Jul. 04, 2022
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-25055

    The FeedWordPress plugin before 2022.0123 is affected by a Reflected Cross-Site Scripting (XSS) within the "visibility" parameter.... Read more

    Affected Products : feedwordpress
    • Published: Feb. 21, 2022
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-25054

    The WPcalc WordPress plugin through 2.1 does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection vulnerability.... Read more

    Affected Products : wpcalc
    • Published: Jan. 10, 2022
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-25053

    The WP Coder WordPress plugin before 2.5.2 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.... Read more

    Affected Products : wp_coder
    • Published: Jan. 10, 2022
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-25052

    The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.... Read more

    Affected Products : button_generator
    • Published: Jan. 10, 2022
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-25051

    The Modal Window WordPress plugin before 5.2.2 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.... Read more

    Affected Products : modal_window
    • Published: Jan. 10, 2022
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-25050

    The Remove Footer Credit WordPress plugin before 1.0.11 does properly sanitise its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.... Read more

    Affected Products : remove_footer_credit
    • Published: Feb. 14, 2022
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-25049

    The Mobile Events Manager WordPress plugin before 1.4.4 does not sanitise and escape various of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed... Read more

    Affected Products : mobile_events_manager
    • Published: Jan. 24, 2022
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-25048

    The KingComposer WordPress plugin through 2.9.6 does not have authorisation, CSRF and sanitisation/escaping when creating profile, allowing any authenticated users to create arbitrary ones, with Cross-Site Scripting payloads in them... Read more

    Affected Products : kingcomposer
    • Published: Apr. 04, 2022
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-25047

    The 10Web Social Photo Feed WordPress plugin before 1.4.29 was affected by a reflected Cross-Site Scripting (XSS) vulnerability in the wdi_apply_changes admin page, allowing an attacker to perform such attack against any logged in users... Read more

    Affected Products : 10websocial
    • Published: Jan. 10, 2022
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-25046

    The Modern Events Calendar Lite WordPress plugin before 6.2.0 alloed any logged-in user, even a subscriber user, may add a category whose parameters are incorrectly escaped in the admin panel, leading to stored XSS.... Read more

    Affected Products : modern_events_calendar_lite
    • Published: Jan. 17, 2022
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-25045

    The Asgaros Forum WordPress plugin before 1.15.15 does not validate or escape the forum_id parameter before using it in a SQL statement when editing a forum, leading to an SQL injection issue... Read more

    Affected Products : asgaros_forum
    • Published: Jan. 24, 2022
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-25044

    The Cryptocurrency Pricing list and Ticker WordPress plugin through 1.5 does not sanitise and escape the ccpw_setpage parameter before outputting it back in pages where its shortcode is embed, leading to a Reflected Cross-Site Scripting issue... Read more

    • Published: Oct. 10, 2022
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-25043

    The WOOCS WordPress plugin before 1.3.7.3 does not sanitise and escape the custom_prices parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue... Read more

    Affected Products : woocommerce_currency_switcher woocs
    • Published: Jan. 10, 2022
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-25042

    The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.5 does not have authorisation and CSRF checks in the updateIpAddress AJAX action, allowing any authenticated user to call it, or make a logged in user do it via a CSRF attack and add ... Read more

    • Published: Feb. 28, 2022
    • Modified: Nov. 21, 2024
Showing 20 of 293360 Results