Latest CVE Feed
- CVE-2024-5583 | 6.4 MEDIUM
  The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the carousel_direction parameter of testimonials widget in all versions up to, and ...
  Affected Products: the_plus_addons_for_elementor
  Published: Aug. 22, 2024 | Modified: Sep. 27, 2024
- CVE-2024-7568 | 9.6 CRITICAL
  The Favicon Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the output_sub_admin_page_0 function. This makes it possible for unauthen...
  Affected Products: favicon_generator
  Published: Aug. 24, 2024 | Modified: Sep. 27, 2024
- CVE-2024-2254 | 6.4 MEDIUM
  The RT Easy Builder – Advanced addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user sup...
  Affected Products: rt_easy_builder
  Published: Aug. 24, 2024 | Modified: Sep. 26, 2024
- CVE-2023-6987 | 6.1 MEDIUM
  The String locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sql-column' parameter in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unaut...
  Affected Products: string_locator
  Published: Aug. 24, 2024 | Modified: Sep. 26, 2024
- CVE-2024-7778 | 6.4 MEDIUM
  The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.10.36 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
  Affected Products: orbit_fox
  Published: Aug. 22, 2024 | Modified: Sep. 26, 2024
- CVE-2024-7848 | 6.5 MEDIUM
  The User Private Files – WordPress File Sharing Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'dpk_upvf_update_doc' due to missing validation on the 'docid' user controlle...
  Affected Products: user_private_files
  Published: Aug. 22, 2024 | Modified: Sep. 26, 2024
- CVE-2024-6499 | 5.3 MEDIUM
  The WordPress Button Plugin MaxButtons plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 9.7.8. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be abl...
  Affected Products: maxbuttons
  Published: Aug. 24, 2024 | Modified: Sep. 26, 2024
- CVE-2024-8241 | 6.4 MEDIUM
  The Nova Blocks by Pixelgrade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' attribute of the 'wp:separator' Gutenberg block in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output e...
  Affected Products: nova_blocks
  Published: Sep. 10, 2024 | Modified: Sep. 26, 2024
- CVE-2023-2919 | 4.3 MEDIUM
  The Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.4. This is due to missing or incorrect nonce validation on the 'addon_enable_disable' function. This makes it possible for unauthenticated...
  Affected Products: tutor_lms
  Published: Sep. 10, 2024 | Modified: Sep. 26, 2024
- CVE-2024-8428 | 8.8 HIGH
  The ForumWP – Forum & Discussion Board Plugin plugin for WordPress is vulnerable to Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the submit_form_handler due to missing validation on the 'user_id...
  Affected Products: forumwp
  Published: Sep. 06, 2024 | Modified: Sep. 26, 2024
- CVE-2024-8247 | 8.8 HIGH
  The Newsletters plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 4.9.9.2. This is due to the plugin not restricting what user meta can be updated as screen options. This makes it possible for authenticated a...
  Affected Products: newsletters
  Published: Sep. 06, 2024 | Modified: Sep. 26, 2024
- CVE-2024-7622 | 4.3 MEDIUM
  The Revision Manager TMC plugin for WordPress is vulnerable to unauthorized arbitrary email sending due to a missing capability check on the _a_ajaxQuickEmailTestCallback() function in all versions up to, and including, 2.8.19. This makes it possible for ...
  Affected Products: revision_manager_tmc
  Published: Sep. 06, 2024 | Modified: Sep. 26, 2024
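Several of the entries above are instances of one WordPress AJAX-handler mistake: a missing nonce check (CVE-2024-7568, CVE-2023-2919), a missing capability check (CVE-2024-7622), a user-supplied object ID that is never validated against the caller (CVE-2024-7848, CVE-2024-8428), and client-chosen fields written without an allowlist (CVE-2024-8247). The following is an added illustration, not code from any plugin in this feed. The handler names, the 'demo_doc' post type, the 'demo_update_doc' nonce action and the request field names are hypothetical; the hardened version restores each control in the order a request should be checked.

```php
<?php
// Added illustration only; this is not code from any plugin in the feed above.
// Handler names, the 'demo_doc' post type, the 'demo_update_doc' nonce action
// and the request field names are hypothetical.

// BEFORE: the pattern behind the entries above. Anyone who can reach
// admin-ajax.php is trusted: no nonce (CSRF), no capability check, no check
// that the caller may touch *this* docid (IDOR), and the client chooses which
// fields are written.
function demo_update_doc_vulnerable() {
    $docid  = (int) $_POST['docid'];
    $fields = array( 'ID' => $docid );
    foreach ( $_POST as $key => $value ) {            // client-chosen keys
        if ( 'docid' !== $key && 'action' !== $key ) {
            $fields[ $key ] = $value;                   // e.g. post_author, post_status
        }
    }
    wp_update_post( $fields );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_update_doc_vulnerable',        'demo_update_doc_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_update_doc_vulnerable', 'demo_update_doc_vulnerable' );

// AFTER: each missing control added back.
function demo_update_doc_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this action to this
    //    user; check_ajax_referer() ends the request with HTTP 403 otherwise.
    check_ajax_referer( 'demo_update_doc', 'nonce' );

    // 2. Authorization, coarse: a capability, not merely "is logged in".
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: coerce the ID and confirm the object exists and is
    //    of the type this handler is meant to edit.
    $docid = isset( $_POST['docid'] ) ? absint( $_POST['docid'] ) : 0;
    $doc   = $docid ? get_post( $docid ) : null;
    if ( ! $doc || 'demo_doc' !== $doc->post_type ) {
        wp_send_json_error( 'not_found', 404 );
    }

    // 4. Authorization, object-level (the IDOR fix): may this user edit this
    //    particular post? The 'edit_post' meta capability resolves ownership.
    if ( ! current_user_can( 'edit_post', $docid ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 5. Allowlist the writable fields and sanitize each; a request carrying
    //    post_author=1 or role=administrator is simply ignored.
    $update = array( 'ID' => $docid );
    foreach ( array( 'post_title', 'post_excerpt' ) as $field ) {
        if ( isset( $_POST[ $field ] ) ) {
            $update[ $field ] = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
        }
    }

    wp_update_post( $update );
    wp_send_json_success( array( 'id' => $docid ) );
}
add_action( 'wp_ajax_demo_update_doc', 'demo_update_doc_hardened' );
// Deliberately no wp_ajax_nopriv_ hook: unauthenticated callers get nothing.

// The form or script that sends the request must embed the matching nonce:
//   wp_nonce_field( 'demo_update_doc', 'nonce' );   // classic form field
//   wp_create_nonce( 'demo_update_doc' );           // hand to JS via wp_localize_script()
```

A nonce is a CSRF defence, not an authorization check: step 1 only proves the request originated from a page WordPress rendered for that user. Steps 2 and 4 are what stop a low-privilege or wrong user, and step 5 is what stops a correctly authorized user from escalating through a field the handler never meant to expose.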
- CVE-2024-39589 | 7.5 HIGH
  Multiple invalid pointer dereference vulnerabilities exist in the OpenPLC Runtime EtherNet/IP parser functionality of OpenPLC_v3 16bf8bac1a36d95b73e7b8722d0edb8b9c5bb56a. A specially crafted EtherNet/IP request can lead to denial of service. An attacker c...
  Affected Products: openplc_v3_firmware
  Published: Sep. 18, 2024 | Modified: Sep. 26, 2024
- CVE-2024-39590 | 7.5 HIGH
  Multiple invalid pointer dereference vulnerabilities exist in the OpenPLC Runtime EtherNet/IP parser functionality of OpenPLC_v3 16bf8bac1a36d95b73e7b8722d0edb8b9c5bb56a. A specially crafted EtherNet/IP request can lead to denial of service. An attacker c...
  Affected Products: openplc_v3_firmware
  Published: Sep. 18, 2024 | Modified: Sep. 26, 2024
- CVE-2024-36981 | 7.5 HIGH
  An out-of-bounds read vulnerability exists in the OpenPLC Runtime EtherNet/IP PCCC parser functionality of OpenPLC_v3 b4702061dc14d1024856f71b4543298d77007b88. A specially crafted network request can lead to denial of service. An attacker can send a serie...
  Affected Products: openplc_v3_firmware
  Published: Sep. 18, 2024 | Modified: Sep. 26, 2024
- CVE-2024-36980 | 7.5 HIGH
  An out-of-bounds read vulnerability exists in the OpenPLC Runtime EtherNet/IP PCCC parser functionality of OpenPLC_v3 b4702061dc14d1024856f71b4543298d77007b88. A specially crafted network request can lead to denial of service. An attacker can send a serie...
  Affected Products: openplc_v3_firmware
  Published: Sep. 18, 2024 | Modified: Sep. 26, 2024
- CVE-2024-5799 | 4.8 MEDIUM
  The CM Pop-Up Banners for WordPress plugin before 1.7.3 does not sanitise and escape some of its popup fields, which could allow high privilege users such as Contributors to perform Cross-Site Scripting attacks....
  Affected Products: cm_popup
  Published: Sep. 12, 2024 | Modified: Sep. 26, 2024
- CVE-2024-6887 | 4.8 MEDIUM
  The Giveaways and Contests by RafflePress WordPress plugin before 1.12.16 does not sanitise and escape some of its Giveaways settings, which could allow high privilege users such as editor and above to perform Stored Cross-Site Scripting attacks even whe...
  Published: Sep. 12, 2024 | Modified: Sep. 26, 2024
- CVE-2024-7766 | 7.2 HIGH
  The Adicon Server WordPress plugin through 1.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks...
  Affected Products: adicon_server
  Published: Sep. 12, 2024 | Modified: Sep. 26, 2024
- CVE-2024-5867 | 6.4 MEDIUM
  The Delicate theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter within the theme's Button shortcode in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes i...
  Affected Products: delicate
  Published: Sep. 13, 2024 | Modified: Sep. 26, 2024
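The stored and reflected XSS entries in this feed (CVE-2024-5583, CVE-2024-2254, CVE-2023-6987, CVE-2024-8241, CVE-2024-5799, CVE-2024-6887, CVE-2024-5867) all carry the phrase "insufficient input sanitization and output escaping", and CVE-2024-7766 is the SQL analogue of the same boundary mistake. As an added illustration that is not code from any plugin or theme listed above, the hypothetical shortcode and query below show the pattern before and after: allowlist enumerated values, escape for the exact output context at output time, and use placeholders for SQL. The shortcode name, its attributes and the table name are hypothetical.

```php
<?php
// Added illustration only; this is not code from any plugin or theme in the
// feed above. The shortcode name, its attributes and the table name are
// hypothetical.

// BEFORE: attributes written by a post author land in HTML unchanged. A
// Contributor-level user who can type
//   [demo_button_vulnerable link="javascript:alert(document.cookie)"]
//   [demo_button_vulnerable align='x" onmouseover="alert(1)']
// stores a payload that runs for every visitor and for every admin who
// previews the post.
function demo_button_vulnerable( $atts ) {
    $a = shortcode_atts( array( 'link' => '#', 'align' => 'left', 'label' => 'Go' ), $atts );
    return '<a class="btn align-' . $a['align'] . '" href="' . $a['link'] . '">'
         . $a['label'] . '</a>';
}
add_shortcode( 'demo_button_vulnerable', 'demo_button_vulnerable' );

// AFTER: allowlist where the value space is small, otherwise escape for the
// exact context in which the value is emitted, and do it at output time.
function demo_button_hardened( $atts ) {
    $a = shortcode_atts( array( 'link' => '#', 'align' => 'left', 'label' => 'Go' ), $atts );

    // Enumerated attribute: compare against the allowed set, do not try to
    // "clean" it.
    $align = in_array( $a['align'], array( 'left', 'center', 'right' ), true )
        ? $a['align'] : 'left';

    // URL attribute: esc_url() returns '' for a scheme outside
    // wp_allowed_protocols() (so javascript: and data: vanish) and encodes the
    // rest for attribute context.
    $link = esc_url( $a['link'] );

    // Other attribute value -> esc_attr(); text node -> esc_html().
    return sprintf(
        '<a class="btn align-%s" href="%s">%s</a>',
        esc_attr( $align ),
        $link,
        esc_html( $a['label'] )
    );
}
add_shortcode( 'demo_button', 'demo_button_hardened' );

// Uploaded SVGs (the CVE-2024-7778 class) are a different problem: an SVG is
// XML that may carry <script> and on* handlers, so the esc_* helpers do not
// apply. Either keep image/svg+xml out of upload_mimes, or run the file
// through a dedicated SVG sanitizer before it is stored.

// SQL: the same "escape at the boundary" rule, with placeholders instead of
// string concatenation, even when only administrators can reach the code.
function demo_get_ad_vulnerable( $id ) {
    global $wpdb;
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}demo_ads WHERE id = " . $id );
}
function demo_get_ad_hardened( $id ) {
    global $wpdb;
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}demo_ads WHERE id = %d", $id )
    );
}
```

The distinction that matters for review is the context, not the function name: a value that is safe inside a text node is not safe inside an attribute, and a value that is safe inside an attribute is not safe as a URL. Sanitizing on save (sanitize_text_field, wp_kses_post) limits what gets stored; escaping on output is what keeps a stored value from being interpreted as markup.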