Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks exploit resources and PoC availability to assess exploitability accurately. Combined with official patches and remediation strategies, it helps prioritize vulnerability management workflows, significantly shortening response cycles and securing your critical assets.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2015-10001 | The WP-Stats WordPress plugin before 2.52 does not have a CSRF check when saving its settings, and does not escape some of them when outputting them, allowing an attacker to make logged-in high-privilege users change them and set Cross-Site Scripting payloads | 4.3 | 0.49% | 2021-11-01 | 2024-11-21 |
| CVE-2015-10140 | The Ajax Load More plugin before 2.8.1.2 does not have authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber, to upload and delete arbitrary files. | 8.8 | 0.95% | 2025-07-22 | 2026-01-09 |
| CVE-2015-20019 | The Content text slider on post WordPress plugin before 6.9 does not sanitise and escape the Title and Message/Content settings, which could lead to Cross-Site Scripting issues | 5.4 | 0.88% | 2021-11-01 | 2024-11-21 |
| CVE-2015-20067 | The WP Attachment Export WordPress plugin before 0.2.4 does not have proper access controls, allowing unauthenticated users to download the XML data that holds all the details of attachments/posts on a WordPress | 7.5 | 8.19% | 2021-11-01 | 2024-11-21 |
| CVE-2015-20105 | The ClickBank Affiliate Ads WordPress plugin through 1.20 does not have a CSRF check when saving its settings, allowing an attacker to make a logged-in admin change them via a CSRF attack. Furthermore, due to the lack of escaping when they are output, it could also lead to Stored Cross-Site Scripting issues | 9.6 | 0.95% | 2021-12-02 | 2024-11-21 |
| CVE-2015-20106 | The ClickBank Affiliate Ads WordPress plugin through 1.20 does not escape its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. | 4.8 | 0.68% | 2021-12-02 | 2024-11-21 |
| CVE-2017-20008 | The myCred WordPress plugin before 1.7.8 does not sanitise and escape the user parameter before outputting it back in the Points Log admin dashboard, leading to a Reflected Cross-Site Scripting | 6.1 | 0.88% | 2021-11-29 | 2024-11-21 |
| CVE-2018-25019 | The LearnDash LMS WordPress plugin before 2.5.4 does not have any authorisation and validation of the file to be uploaded in the learndash_assignment_process_init() function, which could allow unauthenticated users to upload arbitrary files to the web server | 7.5 | 1.53% | 2021-11-01 | 2024-11-21 |
| CVE-2018-25095 | The Duplicator WordPress plugin before 1.3.0 does not properly escape values when its installer script replaces values in WordPress configuration files. If this installer script is left on the site after use, it could be used to run arbitrary code on the server. | 9.8 | 0.92% | 2024-01-08 | 2026-02-02 |
| CVE-2019-25060 | The WPGraphQL WordPress plugin before 0.3.5 doesn't properly restrict access to information about other users' roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site. | 5.3 | 1.73% | 2022-05-09 | 2024-11-21 |
| CVE-2020-35012 | The Events Manager WordPress plugin before 5.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to an SQL Injection | 7.2 | 1.48% | 2021-12-01 | 2024-11-21 |
| CVE-2020-35037 | The Events Manager WordPress plugin before 5.9.8 does not sanitise and escape some search parameters before outputting them in pages, which could lead to Cross-Site Scripting issues | 6.1 | 0.88% | 2021-12-01 | 2024-11-21 |
| CVE-2020-36503 | The Connections Business Directory WordPress plugin before 9.7 does not validate or sanitise some connections' fields, which could lead to a CSV injection issue | 8.0 | 1.21% | 2021-11-01 | 2024-11-21 |
| CVE-2020-36504 | The WP-Pro-Quiz WordPress plugin through 0.37 does not have CSRF check in place when deleting a quiz, which could allow an attacker to make a logged in admin delete arbitrary quiz on the blog | 6.5 | 0.65% | 2021-11-01 | 2024-11-21 |
| CVE-2020-36505 | The Delete All Comments Easily WordPress plugin through 1.3 is lacking Cross-Site Request Forgery (CSRF) checks, which could result in an unauthenticated attacker making a logged in admin delete all comments from the blog. | 6.5 | 0.60% | 2021-11-01 | 2024-11-21 |
| CVE-2020-36510 | The 15Zine WordPress theme before 3.3.0 does not sanitise and escape the cbi parameter before outputting it back in the response via the cb_s_a AJAX action, leading to a Reflected Cross-Site Scripting | 6.1 | 2.58% | 2022-02-28 | 2024-11-21 |
| CVE-2020-36656 | The Spectra WordPress plugin before 1.15.0 does not sanitize user input as it reaches its style HTML attribute, allowing contributors to conduct stored XSS attacks via the plugin's Gutenberg blocks. | 5.4 | 0.51% | 2023-02-21 | 2025-04-23 |
| CVE-2020-36666 | The directory-pro WordPress plugin before 1.9.5, final-user-wp-frontend-user-profiles WordPress plugin before 1.2.2, producer-retailer WordPress plugin through TODO, photographer-directory WordPress plugin before 1.0.9, real-estate-pro WordPress plugin before 1.7.1, institutions-directory WordPress plugin before 1.3.1, lawyer-directory WordPress plugin before 1.2.9, doctor-listing WordPress plugin before 1.3.6, Hotel Listing WordPress plugin before 1.3.7, fitness-trainer WordPress plugin before | 8.8 | 0.91% | 2023-03-27 | 2025-02-19 |
| CVE-2021-24123 | Arbitrary file upload in the PowerPress WordPress plugin, versions before 8.3.8, did not verify some of the uploaded feed images (such as the ones from the Podcast Artwork section), allowing high-privilege accounts (admin+) to upload arbitrary files, such as php, leading to RCE. | 7.2 | 1.65% | 2021-03-18 | 2024-11-21 |
| CVE-2021-24124 | Unvalidated input and lack of output encoding in the WP Shieldon WordPress plugin, version 1.6.3 and below, leads to Unauthenticated Reflected Cross-Site Scripting (XSS) when the CAPTCHA page is shown, which could lead to privilege escalation. | 6.1 | 1.15% | 2021-03-18 | 2024-11-21 |