Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2021-24564
Publication date:
23/08/2021
The WPFront Scroll Top WordPress plugin before 2.0.6.07225 does not sanitise or escape its Image ALT setting before outputting it attributes, leading to an Authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed.
Severity CVSS v4.0: Pending analysis
Last modification:
27/08/2021

CVE-2021-24602
Publication date:
23/08/2021
The HM Multiple Roles WordPress plugin before 1.3 does not have any access control to prevent low privilege users to set themselves as admin via their profile page
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2022

CVE-2021-24565
Publication date:
23/08/2021
The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing attacker to make a logged in user with the manage_options change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue.
Severity CVSS v4.0: Pending analysis
Last modification:
28/07/2022

CVE-2021-24531
Publication date:
23/08/2021
The Charitable – Donation Plugin WordPress plugin before 1.6.51 is affected by an authenticated stored cross-site scripting vulnerability which was found in the add donation feature.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-24497
Publication date:
23/08/2021
The Giveaway WordPress plugin through 1.2.2 is vulnerable to an SQL Injection issue which allows an administrative user to execute arbitrary SQL commands via the $post_id on the options.php page.
Severity CVSS v4.0: Pending analysis
Last modification:
30/08/2021

CVE-2021-24547
Publication date:
23/08/2021
The KN Fix Your Title WordPress plugin through 1.0.1 was vulnerable to Authenticated Stored XSS in the separator field.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2021

CVE-2021-24524
Publication date:
23/08/2021
The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-24554
Publication date:
23/08/2021
The Paytm – Donation Plugin WordPress plugin through 1.3.2 does not sanitise, validate or escape the id GET parameter before using it in a SQL statement when deleting donations, leading to an authenticated SQL injection issue
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-24529
Publication date:
23/08/2021
The Grid Gallery – Photo Image Grid Gallery WordPress plugin before 1.2.5 does not properly sanitize the title field for image galleries when adding them via the admin dashboard, resulting in an authenticated Stored Cross-Site Scripting vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-24533
Publication date:
23/08/2021
The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in them (even when the unfiltered_html capability is disallowed), which will be triggered in the frontend
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2021

CVE-2021-24486
Publication date:
23/08/2021
The Simple Social Media Share Buttons – Social Sharing for Everyone WordPress plugin before 3.2.3 did not escape the align and like_button_size parameters of its SSB shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2021-24506
Publication date:
23/08/2021
The Slider Hero with Animation, Video Background & Intro Maker WordPress plugin before 8.2.7 does not sanitise or escape the id attribute of its hero-button shortcode before using it in a SQL statement, allowing users with a role as low as Contributor to perform SQL injection.
Severity CVSS v4.0: Pending analysis
Last modification:
26/08/2021
Subscribe to Vulnerabilities