NVD や CVE、ほか複数の脅威フィードを束ね、RCE など高リスクな事象を深く追える一覧です。CVSS と EPSS を組み合わせ、Exploit 参照や PoC の有無から悪用しやすさを追跡します。ベンダー修正や緩和策の文脈とあわせて優先度を決め、対応サイクルを短く保ちつつ重要資産を守る支援をします。
Assigner(CNA/発行元):[email protected] この条件を外す
| CVE | 説明 | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|
| CVE-2021-24123 | Arbitrary file upload in the PowerPress WordPress plugin, versions before 8.3.8, did not verify some of the uploaded feed images (such as the ones from Podcast Artwork section), allowing high privilege accounts (admin+) being able to upload arbitrary files, such as php, leading to RCE. | 7.2 | 1.65% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24124 | Unvalidated input and lack of output encoding in the WP Shieldon WordPress plugin, version 1.6.3 and below, leads to Unauthenticated Reflected Cross-Site Scripting (XSS) when the CAPTCHA page is shown could lead to privileged escalation. | 6.1 | 1.15% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24125 | Unvalidated input in the Contact Form Submissions WordPress plugin before 1.7.1, could lead to SQL injection in the wpcf7_contact_form GET parameter when submitting a filter request as a high privilege user (admin+) | 7.2 | 1.46% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24126 | Unvalidated input and lack of output encoding in the Envira Gallery Lite WordPress plugin, versions before 1.8.3.3, did not properly sanitise the images metadata (namely title) before outputting them in the generated gallery, which could lead to privilege escalation. | 5.4 | 0.66% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24127 | Unvalidated input and lack of output encoding in the ThirstyAffiliates Affiliate Link Manager WordPress plugin, versions before 3.9.3, was vulnerable to authenticated Stored Cross-Site Scripting (XSS), which could lead to privilege escalation. | 5.4 | 0.65% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24128 | Unvalidated input and lack of output encoding in the Team Members WordPress plugin, versions before 5.0.4, lead to Cross-site scripting vulnerabilities allowing medium-privileged authenticated attacker (contributor+) to inject arbitrary web script or HTML via the 'Description/biography' of a member. | 5.4 | 0.66% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24129 | Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom Panel is embedded, which could lead to privilege escalation. | 5.4 | 0.66% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24130 | Unvalidated input in the WP Google Map Plugin WordPress plugin, versions before 4.1.5, in the Manage Locations page within the plugin settings was vulnerable to SQL Injection through a high privileged user (admin+). | 7.2 | 1.42% | 2021-03-18 | 2025-05-07 |
| CVE-2021-24131 | Unvalidated input in the Anti-Spam by CleanTalk WordPress plugin, versions before 5.149, lead to multiple authenticated SQL injection vulnerabilities, however, it requires high privilege user (admin+). | 7.2 | 1.44% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24132 | The Slider by 10Web WordPress plugin, versions before 1.2.36, in the bulk_action, export_full and save_slider_db functionalities of the plugin were vulnerable, allowing a high privileged user (Admin), or medium one such as Contributor+ (if "Role Options" is turn on for other users) to perform a SQL Injection attacks. | 8.8 | 2.59% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24133 | Lack of CSRF checks in the ActiveCampaign WordPress plugin, versions before 8.0.2, on its Settings form, which could allow attacker to make a logged-in administrator change API Credentials to attacker's account. | 4.3 | 0.47% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24134 | Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user (Editor+) to inject arbitrary JavaScript code or HTML in posts where the malicious form is embed. | 4.8 | 0.65% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24135 | Unvalidated input and lack of output encoding in the WP Customer Reviews WordPress plugin, versions before 3.4.3, lead to multiple Stored Cross-Site Scripting vulnerabilities allowing remote attackers to inject arbitrary JavaScript code or HTML. | 6.1 | 1.08% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24136 | Unvalidated input and lack of output encoding in the Testimonials Widget WordPress plugin, versions before 4.0.0, lead to multiple Cross-Site Scripting vulnerabilities, allowing remote attackers to inject arbitrary JavaScript code or HTML via the below parameters: - Author - Job Title - Location - Company - Email - URL | 5.4 | 0.82% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24137 | Unvalidated input in the Blog2Social WordPress plugin, versions before 6.3.1, lead to SQL Injection in the Re-Share Posts feature, allowing authenticated users to inject arbitrary SQL commands. | 8.8 | 1.50% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24138 | Unvalidated input in the AdRotate WordPress plugin, versions before 5.8.4, leads to Authenticated SQL injection via param "id". This requires an admin privileged user. | 5.5 | 1.23% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24139 | Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.55, leads to SQL injection via the frontend/models/model.php bwg_search_x parameter. | 9.8 | 5.42% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24140 | Unvalidated input in the Ajax Load More WordPress plugin, versions before 5.3.2, lead to SQL Injection in POST /wp-admin/admin-ajax.php with param repeater=' or sleep(5)#&type=test. | 7.2 | 1.21% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24141 | Unvaludated input in the Advanced Database Cleaner plugin, versions before 3.0.2, lead to SQL injection allowing high privilege users (admin+) to perform SQL attacks. | 7.2 | 1.21% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24142 | Unvaludated input in the 301 Redirects - Easy Redirect Manager WordPress plugin, versions before 2.51, did not sanitise its "Redirect From" column when importing a CSV file, allowing high privilege users to perform SQL injections. | 7.2 | 1.24% | 2021-03-18 | 2024-11-21 |