Skip to main content
CVE-2021-24186 MEDIUM POC This Month

The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS - eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Tutor Lms
NVD WPScan
CVSS 3.1
6.5
EPSS
1.3%
CVE-2021-24185 MEDIUM POC This Month

The tutor_place_rating AJAX action from the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Tutor Lms
NVD WPScan
CVSS 3.1
6.5
EPSS
1.3%
CVE-2021-24183 MEDIUM POC This Month

The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS - eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Tutor Lms
NVD WPScan
CVSS 3.1
6.5
EPSS
1.7%
CVE-2021-24182 MEDIUM POC This Month

The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS - eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Tutor Lms
NVD WPScan
CVSS 3.1
6.5
EPSS
1.7%
CVE-2021-24181 MEDIUM POC This Month

The tutor_mark_answer_as_correct AJAX action from the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Tutor Lms
NVD WPScan
CVSS 3.1
6.5
EPSS
1.3%
CVE-2021-24158 MEDIUM POC This Month

Orbit Fox by ThemeIsle has a feature to add a registration form to both the Elementor and Beaver Builder page builders functionality. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Orbit Fox
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-24210 MEDIUM POC PATCH This Month

There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to malform a request to a page with the plugin and then redirect the victim to a malicious page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress Open Redirect PHP Phastpress
NVD WPScan
CVSS 3.1
6.1
EPSS
3.1%
CVE-2021-24169 MEDIUM POC THREAT This Month

This Advanced Order Export For WooCommerce WordPress plugin before 3.1.8 helps you to easily export WooCommerce order data. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Advanced Order Export For Woocommerce
NVD WPScan Exploit-DB
CVSS 3.1
6.1
EPSS
10.3%
CVE-2021-24165 MEDIUM POC This Month

In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Open Redirect Ninja Forms
NVD WPScan
CVSS 3.1
6.1
EPSS
1.6%
CVE-2021-30058 MEDIUM POC This Month

Knowage Suite before 7.4 is vulnerable to cross-site scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Knowage
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2021-24211 MEDIUM POC This Month

The WordPress Related Posts plugin through 3.6.4 contains an authenticated (admin+) stored XSS vulnerability in the title field on the settings page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wordpress Related Posts
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24208 MEDIUM POC PATCH This Month

The editor of the WP Page Builder WordPress plugin before 1.2.4 allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the “Raw HTML” widget and the “Custom. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress XSS Wp Page Builder
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24206 MEDIUM POC This Month

In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) accepts a ‘title_size’ parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Website Builder
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24205 MEDIUM POC This Month

In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) accepts a ‘title_size’ parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Website Builder
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24204 MEDIUM POC This Month

In the Elementor Website Builder WordPress plugin before 3.1.4, the accordion widget (includes/widgets/accordion.php) accepts a ‘title_html_tag’ parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Website Builder
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24203 MEDIUM POC This Month

In the Elementor Website Builder WordPress plugin before 3.1.4, the divider widget (includes/widgets/divider.php) accepts an ‘html_tag’ parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Website Builder
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24202 MEDIUM POC This Month

In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget (includes/widgets/heading.php) accepts a ‘header_size’ parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Website Builder
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24201 MEDIUM POC This Month

In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an ‘html_tag’ parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Website Builder
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24196 MEDIUM POC This Month

The Social Slider Widget WordPress plugin before 1.8.5 allowed Authenticated Reflected XSS in the plugin settings page as the ‘token_error’ parameter can be controlled by users and it is directly. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Social Slider Widget
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24187 MEDIUM POC This Month

The setting page of the SEO Redirection Plugin - 301 Redirect Manager WordPress plugin before 6.4 is vulnerable to reflected Cross-Site Scripting (XSS) as user input is not properly sanitised before. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Seo Redirection
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24180 MEDIUM POC This Month

Unvalidated input and lack of output encoding within the Related Posts for WordPress plugin before 2.0.4 lead to a Reflected Cross-Site Scripting (XSS) vulnerability within the 'lang' GET parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Related Posts
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24177 MEDIUM POC PATCH This Month

In the default configuration of the File Manager WordPress plugin before 7.1, a Reflected XSS can occur on the endpoint /wp-admin/admin.php?page=wp_file_manager_properties when a payload is submitted. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress XSS PHP File Manager
NVD WPScan
CVSS 3.1
5.4
EPSS
0.9%
CVE-2021-24176 MEDIUM POC This Month

The JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Jh 404 Logger
NVD WPScan
CVSS 3.1
5.4
EPSS
2.0%
CVE-2021-24168 MEDIUM POC This Month

The Easy Contact Form Pro WordPress plugin before 1.1.1.9 did not properly sanitise the text fields (such as Email Subject, Email Recipient, etc) when creating or editing a form, leading to an. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Easy Contact Form Pro
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24166 MEDIUM POC This Month

The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form - The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Ninja Forms
NVD WPScan
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-24157 MEDIUM POC This Month

Orbit Fox by ThemeIsle has a feature to add custom scripts to the header and footer of a page or post. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Orbit Fox
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24156 MEDIUM POC This Month

Stored Cross-Site Scripting vulnerabilities in Testimonial Rotator 3.0.3 allow low privileged users (Contributor) to inject arbitrary JavaScript code or HTML without approval. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation XSS Testimonial Rotator
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24153 MEDIUM POC This Month

A Stored Cross-Site Scripting vulnerability was discovered in the Yoast SEO WordPress plugin before 3.4.1, which had built-in blacklist filters which were blacklisting Parenthesis as well as several. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Yoast Seo
NVD WPScan
CVSS 3.1
5.4
EPSS
1.1%
CVE-2021-30056 MEDIUM POC This Month

Knowage Suite before 7.4 is vulnerable to reflected cross-site scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Knowage
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-30057 MEDIUM POC This Month

A stored HTML injection vulnerability exists in Knowage Suite version 7.1. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Knowage
NVD GitHub
CVSS 3.1
4.8
EPSS
0.7%
CVE-2021-24207 MEDIUM POC This Month

By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Wp Page Builder
NVD WPScan
CVSS 3.1
4.3
EPSS
0.7%
CVE-2021-24164 MEDIUM POC This Month

In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wp_ajax_nf_oauth, and retrieve the connection url needed to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure Ninja Forms
NVD WPScan
CVSS 3.1
4.3
EPSS
0.9%
CVE-2021-30109 MEDIUM This Month

Froala Editor 3.2.6 is affected by Cross Site Scripting (XSS). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Froala Editor
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
1.1%
CVE-2021-24173 MEDIUM This Month

The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as update the plugin's options, leading to a Stored. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress XSS Vm Backups
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2021-24152 MEDIUM This Month

The "All Subscribers" setting page of Popup Builder was vulnerable to reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Popup Builder
NVD WPScan
CVSS 3.1
6.1
EPSS
0.7%
CVE-2021-24154 MEDIUM This Month

The Theme Editor WordPress plugin before 2.6 did not validate the GET file parameter before passing it to the download_file() function, allowing administrators to download arbitrary files on the web. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Path Traversal Information Disclosure Theme Editor
NVD WPScan
CVSS 3.1
4.9
EPSS
1.1%
CVE-2021-24172 MEDIUM This Month

The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the DB, plugins, and current . Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress Vm Backups
NVD WPScan
CVSS 3.1
4.3
EPSS
0.4%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy