Skip to main content
CVE-2021-24145 HIGH POC THREAT Act Now

Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP File Upload Modern Events Calendar Lite
NVD WPScan Exploit-DB
CVSS 3.1
7.2
EPSS
88.2%
CVE-2021-24139 CRITICAL POC Act Now

Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.55, leads to SQL injection via the frontend/models/model.php bwg_search_x parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SQLi PHP Photo Gallery
NVD WPScan
CVSS 3.1
9.8
EPSS
5.4%
CVE-2021-24149 HIGH POC This Week

Unvalidated input in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.6, did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Modern Events Calendar Lite
NVD WPScan
CVSS 3.1
8.8
EPSS
1.5%
CVE-2021-24137 HIGH POC This Week

Unvalidated input in the Blog2Social WordPress plugin, versions before 6.3.1, lead to SQL Injection in the Re-Share Posts feature, allowing authenticated users to inject arbitrary SQL commands. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Blog2Social
NVD WPScan
CVSS 3.1
8.8
EPSS
1.5%
CVE-2021-24132 HIGH POC This Week

The Slider by 10Web WordPress plugin, versions before 1.2.36, in the bulk_action, export_full and save_slider_db functionalities of the plugin were vulnerable, allowing a high privileged user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Slider
NVD WPScan
CVSS 3.1
8.8
EPSS
2.6%
CVE-2021-23359 HIGH POC This Week

This affects all versions of package port-killer. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Port Killer
NVD GitHub
CVSS 3.1
8.8
EPSS
1.7%
CVE-2021-26236 HIGH POC This Week

FastStone Image Viewer v.<= 7.5 is affected by a Stack-based Buffer Overflow at 0x005BDF49, affecting the CUR file parsing functionality (BITMAPINFOHEADER Structure, 'BitCount' file format field),. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Memory Corruption Image Viewer
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
2.0%
CVE-2021-27358 HIGH POC PATCH THREAT This Week

The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Grafana Denial Of Service E Series Performance Analyzer
NVD GitHub
CVSS 3.1
7.5
EPSS
83.0%
CVE-2021-26935 HIGH POC This Week

In WoWonder < 3.1, remote attackers can gain access to the database by exploiting a requests.php?f=search-my-followers SQL Injection vulnerability via the event_id parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Wowonder
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
2.3%
CVE-2021-24146 HIGH POC THREAT This Week

Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Modern Events Calendar Lite
NVD WPScan Exploit-DB
CVSS 3.1
7.5
EPSS
31.0%
CVE-2021-24131 HIGH POC This Week

Unvalidated input in the Anti-Spam by CleanTalk WordPress plugin, versions before 5.149, lead to multiple authenticated SQL injection vulnerabilities, however, it requires high privilege user. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Anti Spam
NVD WPScan
CVSS 3.1
7.2
EPSS
1.4%
CVE-2021-24130 HIGH POC This Week

Unvalidated input in the WP Google Map Plugin WordPress plugin, versions before 4.1.5, in the Manage Locations page within the plugin settings was vulnerable to SQL Injection through a high. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Google WordPress SQLi Wp Maps
NVD WPScan
CVSS 3.1
7.2
EPSS
1.4%
CVE-2021-24125 HIGH POC This Week

Unvalidated input in the Contact Form Submissions WordPress plugin before 1.7.1, could lead to SQL injection in the wpcf7_contact_form GET parameter when submitting a filter request as a high. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Contact Form Submissions
NVD WPScan
CVSS 3.1
7.2
EPSS
1.5%
CVE-2021-24123 HIGH POC This Week

Arbitrary file upload in the PowerPress WordPress plugin, versions before 8.3.8, did not verify some of the uploaded feed images (such as the ones from Podcast Artwork section), allowing high. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress File Upload Powerpress
NVD WPScan
CVSS 3.1
7.2
EPSS
1.6%
CVE-2021-28419 HIGH POC THREAT This Week

The "order_col" parameter in archive.php of SEO Panel 4.8.0 is vulnerable to time-based blind SQL injection, which leads to the ability to retrieve all databases. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Seo Panel
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
10.7%
CVE-2021-28160 MEDIUM POC This Month

Wireless-N WiFi Repeater REV 1.0 (28.08.06.1) suffers from a reflected XSS vulnerability due to unsanitized SSID value when the latter is displayed in the /repeater.html page ("Repeater Wizard". Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Acexy Wireless N Wifi Repeater Firmware
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-24135 MEDIUM POC This Month

Unvalidated input and lack of output encoding in the WP Customer Reviews WordPress plugin, versions before 3.4.3, lead to multiple Stored Cross-Site Scripting vulnerabilities allowing remote. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Customer Reviews
NVD WPScan
CVSS 3.1
6.1
EPSS
1.1%
CVE-2021-24124 MEDIUM POC This Month

Unvalidated input and lack of output encoding in the WP Shieldon WordPress plugin, version 1.6.3 and below, leads to Unauthenticated Reflected Cross-Site Scripting (XSS) when the CAPTCHA page is. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Shieldon
NVD WPScan
CVSS 3.1
6.1
EPSS
1.1%
CVE-2021-28794 CRITICAL PATCH Act Now

The unofficial ShellCheck extension before 0.13.4 for Visual Studio Code mishandles shellcheck.executablePath. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Shellcheck
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-24148 CRITICAL Act Now

A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Apple Authentication Bypass Mstore Api
NVD WPScan
CVSS 3.1
9.8
EPSS
3.4%
CVE-2021-22848 CRITICAL Act Now

HGiga MailSherlock contains a SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Msr45 Isherlock Antispam Msr45 Isherlock User Ssr45 Isherlock Antispam Ssr45 Isherlock User
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2021-24138 MEDIUM POC This Month

Unvalidated input in the AdRotate WordPress plugin, versions before 5.8.4, leads to Authenticated SQL injection via param "id". Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Adrotate
NVD WPScan
CVSS 3.1
5.5
EPSS
1.2%
CVE-2021-21383 MEDIUM POC PATCH This Month

Wiki.js an open-source wiki app built on Node.js. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Node.js XSS Wiki Js
NVD GitHub
CVSS 3.1
5.4
EPSS
0.9%
CVE-2021-24147 MEDIUM POC This Month

Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) when adding/editing. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Modern Events Calendar Lite
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24136 MEDIUM POC This Month

Unvalidated input and lack of output encoding in the Testimonials Widget WordPress plugin, versions before 4.0.0, lead to multiple Cross-Site Scripting vulnerabilities, allowing remote attackers to. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Testimonials Widget
NVD WPScan
CVSS 3.1
5.4
EPSS
0.8%
CVE-2021-24129 MEDIUM POC This Month

Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation WordPress XSS Portfolio Post
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24128 MEDIUM POC This Month

Unvalidated input and lack of output encoding in the Team Members WordPress plugin, versions before 5.0.4, lead to Cross-site scripting vulnerabilities allowing medium-privileged authenticated. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Team Members
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24127 MEDIUM POC This Month

Unvalidated input and lack of output encoding in the ThirstyAffiliates Affiliate Link Manager WordPress plugin, versions before 3.9.3, was vulnerable to authenticated Stored Cross-Site Scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation WordPress XSS Thirstyaffiliates Affiliate Link Manager
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24126 MEDIUM POC This Month

Unvalidated input and lack of output encoding in the Envira Gallery Lite WordPress plugin, versions before 1.8.3.3, did not properly sanitise the images metadata (namely title) before outputting them. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation WordPress XSS Envira Gallery
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-28681 MEDIUM POC PATCH This Month

Pion WebRTC before 3.0.15 didn't properly tear down the DTLS Connection when certificate verification failed. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Webrtc
NVD GitHub
CVSS 3.1
5.3
EPSS
0.7%
CVE-2021-24143 HIGH This Week

Unvalidated input in the AccessPress Social Icons plugin, versions before 1.8.1, did not sanitise its widget attribute, allowing accounts with post permission, such as author, to perform SQL. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Accesspress Social Icons
NVD WPScan
CVSS 3.1
8.8
EPSS
1.3%
CVE-2021-24134 MEDIUM POC This Month

Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Constant Contact Forms
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
CVE-2021-21627 HIGH PATCH This Week

A cross-site request forgery (CSRF) vulnerability in Jenkins Libvirt Agents Plugin 1.9.0 and earlier allows attackers to stop hypervisor domains. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Libvirt Agents
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2021-28420 MEDIUM POC This Month

A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via alerts.php and the "from_time" parameter. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Seo Panel
NVD GitHub Exploit-DB
CVSS 3.1
4.8
EPSS
1.9%
CVE-2021-28418 MEDIUM POC This Month

A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via settings.php and the "category" parameter. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Seo Panel
NVD GitHub Exploit-DB
CVSS 3.1
4.8
EPSS
1.9%
CVE-2021-28417 MEDIUM POC This Month

A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via archive.php and the "search_name" parameter. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Seo Panel
NVD GitHub Exploit-DB
CVSS 3.1
4.8
EPSS
1.9%
CVE-2021-20678 HIGH This Week

SQL injection vulnerability in the Paid Memberships Pro versions prior to 2.5.6 allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Paid Memberships Pro
NVD
CVSS 3.1
8.8
EPSS
2.0%
CVE-2021-26216 MEDIUM POC This Month

SeedDMS 5.1.x is affected by cross-site request forgery (CSRF) in out.EditFolder.php. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP Seeddms
NVD VulDB
CVSS 3.1
4.3
EPSS
0.5%
CVE-2021-26215 MEDIUM POC This Month

SeedDMS 5.1.x is affected by cross-site request forgery (CSRF) in out.EditDocument.php. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP Seeddms
NVD VulDB
CVSS 3.1
4.3
EPSS
0.5%
CVE-2021-24133 MEDIUM POC This Month

Lack of CSRF checks in the ActiveCampaign WordPress plugin, versions before 8.0.2, on its Settings form, which could allow attacker to make a logged-in administrator change API Credentials to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Activecampaign
NVD WPScan
CVSS 3.1
4.3
EPSS
0.5%
CVE-2021-22665 HIGH This Week

Rockwell Automation DriveTools SP v5.13 and below and Drives AOP v4.12 and below both contain a vulnerability that a local attacker with limited privileges may be able to exploit resulting in. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Rockwell Privilege Escalation Drivetools Add On Profiles Drivetools Sp
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2021-28792 HIGH This Week

The unofficial Swift Development Environment extension before 2.12.1 for Visual Studio Code allows remote attackers to execute arbitrary code by constructing a malicious workspace with a crafted. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Swift Development Environment
NVD GitHub
CVSS 3.1
7.8
EPSS
1.7%
CVE-2021-28791 HIGH This Week

The unofficial SwiftFormat extension before 1.3.7 for Visual Studio Code allows remote attackers to execute arbitrary code by constructing a malicious workspace with a crafted swiftformat.path. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Authentication Bypass Swiftformat
NVD GitHub
CVSS 3.1
7.8
EPSS
1.6%
CVE-2021-28790 HIGH This Week

The unofficial SwiftLint extension before 1.4.5 for Visual Studio Code allows remote attackers to execute arbitrary code by constructing a malicious workspace with a crafted swiftlint.path. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Swiftlint
NVD GitHub
CVSS 3.1
7.8
EPSS
1.7%
CVE-2021-28789 HIGH This Week

The unofficial apple/swift-format extension before 1.1.2 for Visual Studio Code allows remote attackers to execute arbitrary code by constructing a malicious workspace with a crafted. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apple RCE Apple Swift Format
NVD GitHub
CVSS 3.1
7.8
EPSS
1.7%
CVE-2021-24144 HIGH This Week

Unvalidated input in the Contact Form 7 Database Addon plugin, versions before 1.2.5.6, was prone to a vulnerability that lets remote attackers inject arbitrary formulas into CSV files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection Contact Form 7 Database Addon
NVD WPScan
CVSS 3.1
7.8
EPSS
1.2%
CVE-2021-26237 HIGH This Week

FastStone Image Viewer <= 7.5 is affected by a user mode write access violation at 0x00402d7d, triggered when a user opens or views a malformed CUR file that is mishandled by FSViewer.exe. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service RCE Memory Corruption Image Viewer
NVD
CVSS 3.1
7.8
EPSS
2.7%
CVE-2021-26235 HIGH This Week

FastStone Image Viewer <= 7.5 is affected by a user mode write access violation near NULL at 0x005bdfc9, triggered when a user opens or views a malformed CUR file that is mishandled by FSViewer.exe. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Null Pointer Dereference RCE Denial Of Service Image Viewer
NVD
CVSS 3.1
7.8
EPSS
1.1%
CVE-2021-26234 HIGH This Week

FastStone Image Viewer <= 7.5 is affected by a user mode write access violation at 0x00402d8a, triggered when a user opens or views a malformed CUR file that is mishandled by FSViewer.exe. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service RCE Memory Corruption Image Viewer
NVD
CVSS 3.1
7.8
EPSS
1.1%
CVE-2021-26233 HIGH This Week

FastStone Image Viewer <= 7.5 is affected by a user mode write access violation near NULL at 0x005bdfcb, triggered when a user opens or views a malformed CUR file that is mishandled by FSViewer.exe. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service RCE Memory Corruption Image Viewer
NVD
CVSS 3.1
7.8
EPSS
1.1%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy