Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.5

    MEDIUM
    CVE-2021-24183

    The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students.... Read more

    Affected Products : tutor_lms
    • Published: Apr. 05, 2021
    • Modified: Nov. 21, 2024

  • 6.5

    MEDIUM
    CVE-2021-24182

    The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students.... Read more

    Affected Products : tutor_lms
    • Published: Apr. 05, 2021
    • Modified: Nov. 21, 2024

  • 6.5

    MEDIUM
    CVE-2021-24181

    The tutor_mark_answer_as_correct AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be exploited by students.... Read more

    Affected Products : tutor_lms
    • Published: Apr. 05, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24180

    Unvalidated input and lack of output encoding within the Related Posts for WordPress plugin before 2.0.4 lead to a Reflected Cross-Site Scripting (XSS) vulnerability within the 'lang' GET parameter while editing a post, triggered when users with the capab... Read more

    Affected Products : related_posts
    • Published: Apr. 05, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-24179

    The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator import files. As the plugin also did not validate ... Read more

    • Published: May. 06, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-24178

    The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged in administrator add, edit or delete form fields, which could also... Read more

    • Published: May. 06, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24176

    The JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard.... Read more

    Affected Products : jh_404_logger
    • Published: Apr. 05, 2021
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2021-24175

    The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related use... Read more

    Affected Products : the_plus_addons_for_elementor
    • Published: Apr. 05, 2021
    • Modified: Nov. 21, 2024

  • 8.1

    HIGH
    CVE-2021-24174

    The Database Backups WordPress plugin through 1.2.2.6 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the database, change the plugin's settings and delete backups.... Read more

    Affected Products : database-backups
    • Published: Apr. 05, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24173

    The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as update the plugin's options, leading to a Stored Cross-Site Scripting issue.... Read more

    Affected Products : vm_backups
    • Published: Apr. 05, 2021
    • Modified: Nov. 21, 2024

  • 4.3

    MEDIUM
    CVE-2021-24172

    The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the DB, plugins, and current .... Read more

    Affected Products : vm_backups
    • Published: Apr. 05, 2021
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2021-24170

    The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation ke... Read more

    Affected Products : user_profile_picture
    • Published: Apr. 05, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24169

    This Advanced Order Export For WooCommerce WordPress plugin before 3.1.8 helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel is vulnerable to reflected XSS.... Read more

    • Published: Apr. 05, 2021
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2021-24168

    The Easy Contact Form Pro WordPress plugin before 1.1.1.9 did not properly sanitise the text fields (such as Email Subject, Email Recipient, etc) when creating or editing a form, leading to an authenticated (author+) stored cross-site scripting issue. Thi... Read more

    Affected Products : easy_contact_form_pro
    • Published: Apr. 05, 2021
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2021-24167

    When visiting a site running Web-Stat < 1.4.0, the "wts_web_stat_load_init" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookup_WP_account.... Read more

    Affected Products : web-stat
    • Published: Apr. 05, 2021
    • Modified: Nov. 21, 2024

  • 5.8

    MEDIUM
    CVE-2021-24166

    The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connec... Read more

    Affected Products : ninja_forms
    • Published: Apr. 05, 2021
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2021-24165

    In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no protection in place.... Read more

    Affected Products : ninja_forms
    • Published: Apr. 05, 2021
    • Modified: Nov. 21, 2024

  • 4.3

    MEDIUM
    CVE-2021-24164

    In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wp_ajax_nf_oauth, and retrieve the connection url needed to establish a connection. They could also retrieve the clien... Read more

    Affected Products : ninja_forms
    • Published: Apr. 05, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-24163

    The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninj... Read more

    Affected Products : ninja_forms
    • Published: Apr. 05, 2021
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2021-24162

    In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to include malicious JavaScript, therefore allowing an attack... Read more

    Affected Products : responsive_menu responsive_menu
    • Published: Apr. 05, 2021
    • Modified: Nov. 21, 2024
Showing 20 of 292803 Results