Latest CVE Feed

The following is the list of the latest published vulnerabilities. You can filter the list by the severity of the vulnerability, by whether it is actively exploited (i.e. listed in the CISA KEV catalogue) or by whether it is remotely exploitable. You can also sort the list by published date, last updated date, or CVSS score.
  • CVE-2023-4281 (CVSS 5.3, MEDIUM)

    This Activity Log WordPress plugin before 2.8.8 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.

    Affected Products: activity_log
    • Published: Sep. 25, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-4279 (CVSS 7.5, HIGH)

    This User Activity Log WordPress plugin before 1.6.7 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.

    Affected Products: user_activity_log
    • Published: Sep. 04, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-4278 (CVSS 7.5, HIGH)

    The MasterStudy LMS WordPress Plugin WordPress plugin before 3.0.18 does not have proper checks in place during registration allowing anyone to register on the site as an instructor. They can then add courses and/or posts.

    Affected Products: masterstudy_lms
    • Published: Sep. 11, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-4269 (CVSS 4.3, MEDIUM)

    The User Activity Log WordPress plugin before 1.6.6 lacks proper authorisation when exporting its activity logs, allowing any authenticated users, such as subscriber, to perform such action and retrieve PII such as email addresses.

    Affected Products: user_activity_log
    • Published: Sep. 04, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-4216 (CVSS 2.7, LOW)

    The Orders Tracking for WooCommerce WordPress plugin before 1.2.6 doesn't validate the file_url parameter when importing a CSV file, allowing high privilege users with the manage_woocommerce capability to access any file on the web server via a Traversal ...

    Affected Products: orders_tracking_for_woocommerce
    • Published: Sep. 04, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-4209 (CVSS 4.3, MEDIUM)

    The POEditor WordPress plugin before 0.9.8 does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks.

    Affected Products: poeditor
    • Published: Aug. 30, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-4150 (CVSS 4.3, MEDIUM)

    The User Activity Tracking and Log WordPress plugin before 4.0.9 does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins update and deactivate the plugin's license via CSRF attacks.

    Affected Products: user_activity_tracking_and_log
    • Published: Aug. 30, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-4109 (CVSS 4.8, MEDIUM)

    The Ninja Forms WordPress Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by a HTML Injection security vulnerability.

    • Published: Aug. 30, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-4060 (CVSS 4.8, MEDIUM)

    The WP Adminify WordPress plugin before 3.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (fo...

    Affected Products: wp_adminify
    • Published: Sep. 11, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-4035 (CVSS 5.4, MEDIUM)

    The Simple Blog Card WordPress plugin before 1.31 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform...

    Affected Products: simple_blog_card
    • Published: Aug. 30, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-4022 (CVSS 4.8, MEDIUM)

    The Herd Effects WordPress plugin before 5.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (f...

    Affected Products: herd_effects
    • Published: Sep. 11, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-4019 (CVSS 8.8, HIGH)

    The Media from FTP WordPress plugin before 11.17 does not properly limit who can use the plugin, which may allow users with author+ privileges to move files around, like wp-config.php, which may lead to RCE in some cases.

    Affected Products: media_from_ftp
    • Published: Sep. 04, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-4013 (CVSS 6.5, MEDIUM)

    The GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) WordPress plugin before 4.12.5 does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins update and deactivate the plugin's license via CSRF at...

    Affected Products: gdpr_cookie_compliance
    • Published: Aug. 30, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-49954 (CVSS 9.8, CRITICAL)

    The CRM Integration in 3CX before 18.0.9.23 and 20 before 20.0.0.1494 allows SQL Injection via a first name, search string, or email address.

    Affected Products: 3cx
    • Published: Dec. 25, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-49356 (CVSS 7.5, HIGH)

    A stack buffer overflow vulnerability in MP3Gain v1.6.2 allows an attacker to cause a denial of service via the WriteMP3GainAPETag function at apetag.c:592.

    Affected Products: mp3gain
    • Published: Dec. 22, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-47091 (CVSS 7.5, HIGH)

    An issue was discovered in Stormshield Network Security (SNS) SNS 4.3.13 through 4.3.22 before 4.3.23, SNS 4.6.0 through 4.6.9 before 4.6.10, and SNS 4.7.0 through 4.7.1 before 4.7.2. An attacker can overflow the cookie threshold, making an IPsec connecti...

    • Published: Dec. 25, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-44981 (CVSS 9.1, CRITICAL)

    Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authenticat...

    Affected Products: debian_linux zookeeper
    • Published: Oct. 11, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-40236 (CVSS 5.3, MEDIUM)

    In Pexip VMR self-service portal before 3, the same SSH host key is used across different customers' installations, which allows authentication bypass.

    Affected Products: virtual_meeting_rooms
    • Published: Dec. 25, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-40195 (CVSS 8.8, HIGH)

    Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider. When the Apache Spark provider is installed on an Airflow deployment, an Airflow user t...

    • Published: Aug. 28, 2023
    • Modified: Apr. 23, 2025
  • CVE-2023-3992 (CVSS 6.1, MEDIUM)

    The PostX WordPress plugin before 3.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

    Affected Products: postx
    • Published: Aug. 30, 2023
    • Modified: Apr. 23, 2025