Skip to main content
CVE-2021-34635 MEDIUM POC This Month

The Poll Maker WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the mcount parameter found in the ~/admin/partials/settings/poll-maker-settings.php file which allows attackers to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Poll Maker
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-37216 MEDIUM POC This Month

QSAN Storage Manager header page parameters does not filter special characters. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Xn8024R Firmware Xn8008T Firmware
NVD
CVSS 3.1
6.1
EPSS
3.2%
CVE-2021-24504 MEDIUM POC This Month

The WP LMS - Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS Wp Learn Manager
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-24498 MEDIUM POC This Month

The Calendar Event Multi View WordPress plugin before 1.4.01 does not sanitise or escape the 'start' and 'end' GET parameters before outputting them in the page (via php/edit.php), leading to a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Calendar Event Multi View
NVD WPScan
CVSS 3.1
6.1
EPSS
3.1%
CVE-2021-24496 MEDIUM POC This Month

The Community Events WordPress plugin before 1.4.8 does not sanitise, validate or escape its importrowscount and successimportcount GET parameters before outputting them back in an admin page,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Community Events
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-24488 MEDIUM POC THREAT This Month

The slider import search feature and tab parameter of the Post Grid WordPress plugin before 2.1.8 settings are not properly sanitised before being output back in the pages, leading to Reflected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Post Grid
NVD WPScan Exploit-DB
CVSS 3.1
6.1
EPSS
11.2%
CVE-2021-24477 MEDIUM POC This Month

The Migrate Users WordPress plugin through 1.0.1 does not sanitise or escape its Delimiter option before outputting in a page, leading to a Stored Cross-Site Scripting issue. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS Migrate Users
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2021-22552 MEDIUM POC PATCH This Month

An untrusted memory read vulnerability in Asylo versions up to 0.6.1 allows an untrusted attacker to pass a syscall number in MessageReader that is then used by sysno() and can bypass validation. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Google Asylo
NVD GitHub
CVSS 3.1
5.5
EPSS
0.2%
CVE-2021-24503 MEDIUM POC This Month

The Popular Brand Icons - Simple Icons WordPress plugin before 2.7.8 does not sanitise or validate some of its shortcode parameters, such as "color", "size" or "class", allowing users with a role as. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Popular Brand Icons Simple Icons
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24478 MEDIUM POC This Month

The Bookshelf WordPress plugin through 2.0.4 does not sanitise or escape its "Paypal email address" setting before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Bookshelf
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24476 MEDIUM POC This Month

The Steam Group Viewer WordPress plugin through 2.1 does not sanitise or escape its "Steam Group Address" settings before outputting it in the page, leading to an authenticated Stored Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Steam Group Viewer
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24473 MEDIUM POC This Month

The User Profile Picture WordPress plugin before 2.6.0 was affected by an IDOR issue, allowing users with the upload_image capability (by default author and above) to change and delete the profile. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass User Profile Picture
NVD WPScan
CVSS 3.1
5.4
EPSS
0.8%
CVE-2021-24468 MEDIUM POC This Month

The Leaflet Map WordPress plugin before 3.0.0 does not escape some shortcode attributes before they are used in JavaScript code or HTML, which could allow users with a role as low as Contributors to. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Leaflet Map
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24464 MEDIUM POC This Month

The YouTube Embed, Playlist and Popup by WpDevArt WordPress plugin before 2.3.9 did not escape, validate or sanitise some of its shortcode options, available to users with a role as low as. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Youtube Embed Playlist And Popup
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24455 MEDIUM POC This Month

The Tutor LMS - eLearning and online course solution WordPress plugin before 1.9.2 did not escape the Summary field of Announcements (when outputting it in an attribute), which can be created by. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation WordPress XSS Tutor Lms
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24443 MEDIUM POC This Month

The About Me widget of the Youzify - BuddyPress Community, User Profile, Social Network & Membership WordPress plugin before 1.0.7 does not properly sanitise its Biography field, allowing any. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Youzify
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-3351 MEDIUM POC This Month

OpenPLC runtime V3 through 2016-03-14 allows stored XSS via the Device Name to the web server's Add New Device page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openplc
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-33197 MEDIUM POC PATCH This Month

In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Go
NVD
CVSS 3.1
5.3
EPSS
2.3%
CVE-2021-24481 MEDIUM POC This Month

The Any Hostname WordPress plugin through 1.0.6 does not sanitise or escape its "Allowed hosts" setting, leading to an authenticated stored XSS issue as high privilege users are able to set XSS. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Any Hostname
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24480 MEDIUM POC This Month

The Event Geek WordPress plugin through 2.5.2 does not sanitise or escape its "Use your own " setting before outputting it in the page, leading to an authenticated (admin+) stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Event Geek
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24479 MEDIUM POC This Month

The DrawBlog WordPress plugin through 0.90 does not sanitise or validate some of its settings before outputting them back in the page, leading to an authenticated stored Cross-Site Scripting issue. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Drawblog
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24450 MEDIUM POC This Month

The User Registration, User Profiles, Login & Membership - ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.8 did not sanitise or escape some of its settings before saving them and. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Profilepress
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
CVE-2021-24448 MEDIUM POC This Month

The User Registration & User Profile - Profile Builder WordPress plugin before 3.4.8 does not sanitise or escape its 'Modify default Redirect Delay timer' setting, allowing high privilege users to. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Profile Builder
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24444 MEDIUM POC This Month

The TaxoPress - Create and Manage Taxonomies, Tags, Categories WordPress plugin before 3.0.7.2 does not sanitise its Taxonomy description field, allowing high privilege users to set JavaScript. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Taxopress
NVD WPScan Exploit-DB
CVSS 3.1
4.8
EPSS
2.3%
CVE-2021-24425 MEDIUM POC This Month

The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme - myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Mystickymenu
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-22397 MEDIUM This Month

There is a privilege escalation vulnerability in Huawei ManageOne 8.0.0. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Huawei Privilege Escalation Manageone
NVD
CVSS 3.1
6.7
EPSS
0.2%
CVE-2021-32812 MEDIUM PATCH This Month

Monkshu is an enterprise application server for mobile apps (iOS and Android), responsive HTML 5 apps, and JSON API services. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Google Apple XSS Monkshu
NVD GitHub
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-32019 MEDIUM This Month

There is missing input validation of host names displayed in OpenWrt before 19.07.8. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Openwrt
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-29979 MEDIUM This Month

Hubs Cloud allows users to download shared content, specifically HTML and JS, which could allow javascript execution in the Hub Cloud instance’s primary hosting domain.*. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Hubs Cloud
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2021-32806 MEDIUM PATCH This Month

Products.isurlinportal is a replacement for isURLInPortal method in Plone. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Isurlinportal
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2021-24474 MEDIUM This Month

The Awesome Weather Widget WordPress plugin through 3.0.2 does not sanitize the id parameter of its awesome_weather_refresh AJAX action, leading to an unauthenticated Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Awesome Weather Widget
NVD WPScan
CVSS 3.1
6.1
EPSS
0.7%
CVE-2021-27499 MEDIUM This Month

Ypsomed mylife Cloud, mylife Mobile Application, Ypsomed mylife Cloud: All versions prior to 1.7.2, Ypsomed mylife App: All versions prior to 1.7.5,The application layer encryption of the. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Mylife Mylife Cloud
NVD
CVSS 3.1
5.9
EPSS
0.5%
CVE-2021-34556 MEDIUM PATCH This Month

In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Linux Information Disclosure Linux Kernel Fedora Debian Linux
NVD
CVSS 3.1
5.5
EPSS
0.4%
CVE-2021-35477 MEDIUM PATCH This Month

In the Linux kernel through 5.13.7, an unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Linux Information Disclosure Linux Kernel Debian Linux Fedora
NVD
CVSS 3.1
5.5
EPSS
0.5%
CVE-2021-24470 MEDIUM This Month

The Yada Wiki WordPress plugin before 3.4.1 did not sanitise, validate or escape the anchor attribute of its shortcode, leading to a Stored Cross-Site Scripting issue. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Yada Wiki
NVD WPScan
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-20541 MEDIUM PATCH This Month

IBM Cloud Pak for Security (CP4S) 1.5.0.0, 1.5.1.0, 1.6.0.0, 1.6.1.0, 1.7.0.0, and 1.7.1.0 could disclose sensitive information to an unauthorized user through HTTP GET requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Information Disclosure Cloud Pak For Security
NVD
CVSS 3.1
5.3
EPSS
0.9%
CVE-2021-20540 MEDIUM PATCH This Month

IBM Cloud Pak for Security (CP4S) 1.5.0.0, 1.5.1.0, 1.6.0.0, 1.6.1.0, 1.7.0.0, and 1.7.1.0 could disclose sensitive information to an unauthorized user through HTTP GET requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Information Disclosure Cloud Pak For Security
NVD
CVSS 3.1
5.3
EPSS
0.9%
CVE-2021-20539 MEDIUM PATCH This Month

IBM Cloud Pak for Security (CP4S) 1.5.0.0, 1.5.1.0, 1.6.0.0, 1.6.1.0, 1.7.0.0, and 1.7.1.0 could disclose sensitive information to an unauthorized user through HTTP GET requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Information Disclosure Cloud Pak For Security
NVD
CVSS 3.1
5.3
EPSS
0.9%
CVE-2021-29697 MEDIUM This Month

IBM Cloud Pak for Security (CP4S) 1.5.0.0, 1.5.1.0, 1.6.0.0, 1.6.1.0, 1.7.0.0, and 1.7.1.0 could allow a remote authenticated attacker to obtain sensitive information through HTTP requests that could. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Information Disclosure Cloud Pak For Security
NVD
CVSS 3.1
4.9
EPSS
1.4%
CVE-2021-27503 MEDIUM This Month

Ypsomed mylife Cloud, mylife Mobile Application, Ypsomed mylife Cloud: All versions prior to 1.7.2, Ypsomed mylife App: All versions prior to 1.7.5,The application encrypts on the application layer. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Mylife Mylife Cloud
NVD
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24428 MEDIUM This Month

The RSS for Yandex Turbo WordPress plugin through 1.30 does not sanitise or escape some of its settings before saving and outputing them in the admin dashboard, leading to an Authenticated Stored. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Yandex Turbo
NVD WPScan
CVSS 3.1
4.8
EPSS
0.5%
CVE-2021-22398 MEDIUM This Month

There is a logic error vulnerability in several smartphones. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Hulk Al00C Firmware Jennifer An00C Firmware Jenny Al10B Firmware Oxfordpl An10B Firmware
NVD
CVSS 3.1
4.6
EPSS
0.2%
CVE-2021-20332 MEDIUM PATCH This Month

Specific MongoDB Rust Driver versions can include credentials used by the connection pool to authenticate connections in the monitoring event that is emitted when the pool is created. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Rust Driver
NVD
CVSS 3.1
4.4
EPSS
0.3%
CVE-2021-32787 MEDIUM PATCH This Month

Sourcegraph is a code search and navigation engine. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Sourcegraph
NVD GitHub
CVSS 3.1
4.3
EPSS
0.6%
CVE-2021-34574 MEDIUM This Month

In MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2 an authenticated attacker can change the password of his account into a new. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Mbconnect24 Mymbconnect24 Myrex24 Myrex24 Virtual
NVD
CVSS 3.1
4.3
EPSS
0.7%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy