Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-4383
Publication date:
07/06/2023
The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to page content injection in versions up to, and including, 5.5. This is due to missing capability checks in the plugin's page-editing functionality. This makes it possible for low-authenticated attackers, such as subscribers, to edit/create any page or post on the blog.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-4948
Publication date:
07/06/2023
The FlyingPress plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 3.9.6. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to interact with the plugin in ways administrators are intended to. One action (save_config) allows for the configuration of an external CDN. This could be used to include malicious javascript from a source controlled by the attacker.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-4949
Publication date:
07/06/2023
The AdSanity plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_upload' function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers with Contributor+ level privileges to upload arbitrary files on the affected sites server which makes remote code execution possible.
Severity CVSS v4.0: Pending analysis
Last modification:
12/01/2024

CVE-2022-4950
Publication date:
07/06/2023
Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2023-33601
Publication date:
07/06/2023
An arbitrary file upload vulnerability in /admin.php?c=upload of phpok v6.4.100 allows attackers to execute arbitrary code via a crafted PHP file.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2025

CVE-2023-33604
Publication date:
07/06/2023
Imperial CMS v7.5 was discovered to contain an arbitrary file deletion vulnerability via the DelspReFile function in /sp/ListSp.php. This vulnerability is exploited by attackers via a crafted POST request.
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2025

CVE-2023-3124
Publication date:
07/06/2023
The Elementor Pro plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the update_page_option function in versions up to, and including, 3.11.6. This makes it possible for authenticated attackers with subscriber-level capabilities to update arbitrary site options, which can lead to privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-4371
Publication date:
07/06/2023
The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to Setting Changs in versions up to, and including, 5.5. This is due to lacking both a security nonce and a capabilities check. This makes it possible for low-authenticated attackers to change plugin settings even when they do not have the capabilities to do so.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-4370
Publication date:
07/06/2023
The uListing plugin for WordPress is vulnerable to authorization bypass as most actions and endpoints are accessible to unauthenticated users, lack security nonces, and data is seldom validated. This issue exists in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to conduct numerous administrative actions, including those less critical than the explicitly outlined ones in our detection.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-4369
Publication date:
07/06/2023
The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Content Injection in versions up to, and including, 18.2. This is due to lacking authorization protections, checks against users editing other's posts, and lacking a security nonce, all on the wpfm_edit_file_title_desc AJAX action. This makes it possible for unauthenticated attackers to edit the content and title of every page on the site.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-4368
Publication date:
07/06/2023
The Frontend File Manager plugin for WordPress is vulnerable to Authenticated Settings Change in versions up to, and including, 18.2. This is due to lacking capability checks and a security nonce, all on the wpfm_save_settings AJAX action. This makes it possible for subscriber-level attackers to edit the plugin settings, such as the allowed upload file types. This can lead to remote code execution through other vulnerabilities.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-4362
Publication date:
07/06/2023
The Kiwi Social Share plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the kiwi_social_share_get_option() function called via the kiwi_social_share_get_option AJAX action in version 2.1.0. This makes it possible for unauthenticated attackers to read and modify arbitrary options on a WordPress site that can be used for complete site takeover. This was a previously fixed vulnerability that was reintroduced in this version.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023
Subscribe to Vulnerabilities