Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 8.8

    HIGH
    CVE-2021-25036

    The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn’t have acc... Read more

    Affected Products : all_in_one_seo
    • Published: Jan. 17, 2022
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-25035

    The Backup and Staging by WP Time Capsule WordPress plugin before 1.22.7 does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting... Read more

    • Published: Jan. 24, 2022
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-25034

    The WP User WordPress plugin before 7.0 does not sanitise and escape some parameters in pages where the [wp_user] shortcode is used, leading to Reflected Cross-Site Scripting issues... Read more

    Affected Products : wp_user
    • Published: Feb. 28, 2022
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-25033

    The WordPress Newsletter Plugin WordPress plugin before 1.6.5 does not validate the to parameter before redirecting the user to its given value, leading to an open redirect issue... Read more

    Affected Products : noptin
    • Published: Feb. 14, 2022
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-25032

    The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the option... Read more

    Affected Products : capabilities
    • Published: Jan. 10, 2022
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-25031

    The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site ... Read more

    Affected Products : image_hover_effects_ultimate
    • Published: Jan. 24, 2022
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-25030

    The Events Made Easy WordPress plugin before 2.2.36 does not sanitise and escape the search_text parameter before using it in a SQL statement via the eme_searchmail AJAX action, available to any authenticated users. As a result, users with a role as low a... Read more

    Affected Products : events_made_easy
    • Published: Jan. 03, 2022
    • Modified: Nov. 21, 2024

  • 4.8

    MEDIUM
    CVE-2021-25029

    The CLUEVO LMS, E-Learning Platform WordPress plugin before 1.8.1 does not sanitise and escape Course's module, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed... Read more

    Affected Products : learning_management_system
    • Published: Feb. 07, 2022
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-25028

    The Event Tickets WordPress plugin before 5.2.2 does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary redirect issue... Read more

    Affected Products : event_tickets
    • Published: Jan. 24, 2022
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-25027

    The PowerPack Addons for Elementor WordPress plugin before 2.6.2 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting issue... Read more

    Affected Products : powerpack_addons_for_elementor
    • Published: Jan. 03, 2022
    • Modified: Nov. 21, 2024

  • 5.5

    MEDIUM
    CVE-2021-25026

    The Patreon WordPress plugin before 1.8.2 does not sanitise and escape the field "Custom Patreon Page name", which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed... Read more

    Affected Products : patreon_wordpress
    • Published: Mar. 14, 2022
    • Modified: Nov. 21, 2024

  • 4.3

    MEDIUM
    CVE-2021-25025

    The EventCalendar WordPress plugin before 1.1.51 does not have proper authorisation and CSRF checks in the add_calendar_event AJAX actions, allowing users with a role as low as subscriber to create events... Read more

    Affected Products : eventcalendar
    • Published: Jan. 17, 2022
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-25024

    The EventCalendar WordPress plugin before 1.1.51 does not escape some user input before outputting it back in attributes, leading to Reflected Cross-SIte Scripting issues... Read more

    Affected Products : eventcalendar
    • Published: Jan. 17, 2022
    • Modified: Nov. 21, 2024

  • 7.2

    HIGH
    CVE-2021-25023

    The Speed Booster Pack ⚡ PageSpeed Optimization Suite WordPress plugin before 4.3.3.1 does not escape the sbp_convert_table_name parameter before using it in a SQL statement to convert the related table, leading to an SQL injection... Read more

    Affected Products : speed_booster_pack
    • Published: Jan. 03, 2022
    • Modified: Nov. 21, 2024

  • 4.9

    MEDIUM
    CVE-2021-25021

    The OMGF | Host Google Fonts Locally WordPress plugin before 4.5.12 does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin... Read more

    Affected Products : optimize_my_google_fonts
    • Published: Jan. 03, 2022
    • Modified: Nov. 21, 2024

  • 4.9

    MEDIUM
    CVE-2021-25020

    The CAOS | Host Google Analytics Locally WordPress plugin before 4.1.9 does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin... Read more

    • Published: Jan. 03, 2022
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-25019

    The SEO Plugin by Squirrly SEO WordPress plugin before 11.1.12 does not escape the type parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting... Read more

    Affected Products : seo_plugin_by_squirrly_seo
    • Published: Mar. 21, 2022
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-25018

    The PPOM for WooCommerce WordPress plugin before 24.0 does not have authorisation and CSRF checks in the ppom_settings_panel_action AJAX action, allowing any authenticated to call it and set arbitrary settings. Furthermore, due to the lack of sanitisation... Read more

    Affected Products : ppom_for_woocommerce
    • Published: Feb. 14, 2022
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-25017

    The Tutor LMS WordPress plugin before 1.9.12 does not escape the search parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting... Read more

    Affected Products : tutor_lms
    • Published: Jan. 24, 2022
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-25016

    The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting... Read more

    Affected Products : chaty chaty_pro
    • Published: Jan. 03, 2022
    • Modified: Nov. 21, 2024
Showing 20 of 293355 Results