Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 9.8

    CRITICAL
    CVE-2024-9931

    The Wux Blog Editor plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.0.0. This is due to missing validation on the token being supplied during the autologin through the plugin. This makes it possible for unau... Read more

    Affected Products :
    • Published: Oct. 26, 2024
    • Modified: Oct. 28, 2024

  • 9.8

    CRITICAL
    CVE-2024-9930

    The Extensions by HocWP Team plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2.3.2. This is due to missing validation on the user being supplied in the 'verify_email' action. This makes it possible for unaut... Read more

    Affected Products :
    • Published: Oct. 26, 2024
    • Modified: Oct. 28, 2024

  • 8.8

    HIGH
    CVE-2024-9890

    The User Toolkit plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.3. This is due to an improper capability check in the 'switchUser' function. This makes it possible for authenticated attackers, with subscr... Read more

    Affected Products :
    • Published: Oct. 26, 2024
    • Modified: Oct. 28, 2024

  • 4.3

    MEDIUM
    CVE-2024-9626

    The Editorial Assistant by Sovrn plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_zemanta_set_featured_image' function in versions up to, and including, 1.3.3. This makes it possible fo... Read more

    Affected Products :
    • Published: Oct. 26, 2024
    • Modified: Oct. 28, 2024

  • 6.1

    MEDIUM
    CVE-2024-9613

    The FormFacade – WordPress plugin for Google Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'userId' and 'publishId' parameters in all versions up to, and including, 1.3.6 due to insufficient input sanitization and outp... Read more

    Affected Products : formfacade
    • Published: Oct. 26, 2024
    • Modified: May. 28, 2025

  • 7.2

    HIGH
    CVE-2024-9475

    The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to generic SQL Injection via the order_by parameter in all versions up to, and including, 5.4.6 due to insufficient escaping on the user-supplied parameter and... Read more

    Affected Products : poll_maker
    • Published: Oct. 26, 2024
    • Modified: May. 28, 2025

  • 5.5

    MEDIUM
    CVE-2024-9462

    The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Stored Cross-Site Scripting via poll settings in all versions up to, and including, 5.4.6 due to insufficient input sanitization and output escaping. This ma... Read more

    Affected Products : poll_maker
    • Published: Oct. 26, 2024
    • Modified: May. 28, 2025

  • 6.4

    MEDIUM
    CVE-2024-9454

    The PriPre plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.4.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, ... Read more

    Affected Products :
    • Published: Oct. 26, 2024
    • Modified: Oct. 28, 2024

  • 6.4

    MEDIUM
    CVE-2024-10091

    The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Comparison Widget in all versions up to, and including, 3.2.9 due to insufficient input sanitization and output escaping on user supplied attr... Read more

    • Published: Oct. 26, 2024
    • Modified: Jan. 16, 2025

  • 9.1

    CRITICAL
    CVE-2024-47821

    pyLoad is a free and open-source Download Manager. The folder `/.pyload/scripts` has scripts which are run when certain actions are completed, for e.g. a download is finished. By downloading a executable file to a folder in /scripts and performing the res... Read more

    Affected Products : pyload
    • Published: Oct. 25, 2024
    • Modified: Oct. 28, 2024

  • 4.8

    MEDIUM
    CVE-2024-48239

    An issue was discovered in WTCMS 1.0. In the plupload method in \AssetController.class.php, the app parameters aren't processed, resulting in Cross Site Scripting (XSS).... Read more

    Affected Products : wtcms
    • Published: Oct. 25, 2024
    • Modified: Apr. 17, 2025

  • 4.7

    MEDIUM
    CVE-2024-48238

    WTCMS 1.0 is vulnerable to SQL Injection in the edit_post method of /Admin\Controller\NavControl.class.php via the parentid parameter.... Read more

    Affected Products : wtcms
    • Published: Oct. 25, 2024
    • Modified: Apr. 17, 2025

  • 9.8

    CRITICAL
    CVE-2024-48237

    WTCMS 1.0 is vulnerable to Incorrect Access Control in \Common\Controller\HomebaseController.class.php.... Read more

    Affected Products : wtcms
    • Published: Oct. 25, 2024
    • Modified: Apr. 17, 2025

  • 6.5

    MEDIUM
    CVE-2024-48236

    An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the FileOutputStream function in the write String method of the ofcms-admin\src\main\java\com\ofsoft\cms\core\uitle\FileUtils.java file... Read more

    Affected Products : ofcms
    • Published: Oct. 25, 2024
    • Modified: Apr. 18, 2025

  • 6.5

    MEDIUM
    CVE-2024-48235

    An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the save method of the TemplateController.java file.... Read more

    Affected Products : ofcms
    • Published: Oct. 25, 2024
    • Modified: Apr. 18, 2025

  • 4.9

    MEDIUM
    CVE-2024-48234

    An issue was discovered in mipjz 5.0.5. In the push method of app\tag\controller\ApiAdminTag.php the value of the postAddress parameter is not processed and is directly passed into curl_exec execution and output, resulting in Server-side request forgery (... Read more

    Affected Products :
    • Published: Oct. 25, 2024
    • Modified: Oct. 29, 2024

  • 6.1

    MEDIUM
    CVE-2024-48228

    An issue was found in funadmin 5.0.2. The selectfiles method in \backend\controller\sys\Attachh.php directly stores the passed parameters and values into the param parameter without filtering, resulting in Cross Site Scripting (XSS).... Read more

    Affected Products : funadmin
    • Published: Oct. 25, 2024
    • Modified: Jun. 10, 2025

  • 6.1

    MEDIUM
    CVE-2024-48396

    AIML Chatbot 1.0 (fixed in 2.0) is vulnerable to Cross Site Scripting (XSS). The vulnerability is exploited through the message input field, where attackers can inject malicious HTML or JavaScript code. The chatbot fails to sanitize these inputs, leading ... Read more

    Affected Products :
    • Published: Oct. 25, 2024
    • Modified: Oct. 30, 2024

  • 4.8

    MEDIUM
    CVE-2024-48233

    mipjz 5.0.5 is vulnerable to Cross Site Scripting (XSS) in \app\setting\controller\ApiAdminSetting.php via the ICP parameter.... Read more

    Affected Products : mipjz
    • Published: Oct. 25, 2024
    • Modified: Jul. 07, 2025

  • 4.9

    MEDIUM
    CVE-2024-48232

    An issue was found in mipjz 5.0.5. In the mipPost method of \app\setting\controller\ApiAdminTool.php, the value of the postAddress parameter is not processed and is directly passed into curl_exec execution and output, resulting in a Server-side request fo... Read more

    Affected Products : mipjz
    • Published: Oct. 25, 2024
    • Modified: Jul. 07, 2025
Showing 20 of 294505 Results