Skip to main content
CVE-2021-38315 MEDIUM POC This Month

The SP Project & Document Manager WordPress plugin is vulnerable to attribute-based Reflected Cross-Site Scripting via the from and to parameters in the ~/functions.php file which allows attackers to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Sp Project Document Manager
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-34667 MEDIUM POC This Month

The Calendar_plugin WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of `$_SERVER['PHP_SELF']` in the ~/calendar.php file which allows attackers to inject arbitrary web. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Calendar Plugin
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-34666 MEDIUM POC This Month

The Add Sidebar WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the add parameter in the ~/wp_sidebarMenu.php file which allows attackers to inject arbitrary web scripts, in. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Add Sidebar
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-34665 MEDIUM POC This Month

The WP SEO Tags WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the saq_txt_the_filter parameter in the ~/wp-seo-tags.php file which allows attackers to inject arbitrary web. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Wp Seo Tags
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-34664 MEDIUM POC This Month

The Moova for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the lat parameter in the ~/Checkout/Checkout.php file which allows attackers to inject arbitrary web. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Moova For Woocommerce
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-34663 MEDIUM POC This Month

The jQuery Tagline Rotator WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/jquery-tagline-rotator.php file which allows attackers to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Jquery Tagline Rotator
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-34659 MEDIUM POC This Month

The Plugmatter Pricing Table Lite WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `email` parameter in the ~/license.php file which allows attackers to inject arbitrary web. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Plugmatter Pricing Table
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-34658 MEDIUM POC This Month

The Simple Popup Newsletter WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/simple-popup-newsletter.php file which allows attackers to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Simple Popup Newsletter
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-34657 MEDIUM POC This Month

The 2TypoFR WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the text function found in the ~/vendor/Org_Heigl/Hyphenator/index.php file which allows attackers to inject arbitrary. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Typofr
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-34656 MEDIUM POC This Month

The 2Way VideoCalls and Random Chat - HTML5 Webcam Videochat WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `vws_notice` function found in the ~/inc/requirements.php file. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP 2Way Videocalls And Random Chat
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-34655 MEDIUM POC This Month

The WP Songbook WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the url parameter found in the ~/inc/class.ajax.php file which allows attackers to inject arbitrary web scripts,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Wp Songbook
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-34654 MEDIUM POC This Month

The Custom Post Type Relations WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the cptr[name] parameter found in the ~/pages/admin-page.php file which allows attackers to inject. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Custom Post Type Relations
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-34653 MEDIUM POC This Month

The WP Fountain WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/wp-fountain.php file which allows attackers to inject arbitrary web. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Wp Fountain
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-34652 MEDIUM POC This Month

The Media Usage WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter in the ~/mmu_admin.php file which allows attackers to inject arbitrary web scripts, in versions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Media Usage
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-34651 MEDIUM POC This Month

The Scribble Maps WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the map parameter in the ~/includes/admin.php file which allows attackers to inject arbitrary web scripts, in. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Scribble Maps
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-34649 MEDIUM POC This Month

The Simple Behance Portfolio WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `dark` parameter in the ~/titan-framework/iframe-font-preview.php file which allows attackers to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Simple Behace Portfolio
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-34644 MEDIUM POC This Month

The Multiplayer Games WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/multiplayergames.php file which allows attackers to inject. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Multiplayer Plugin
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-34643 MEDIUM POC This Month

The Skaut bazar WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/skaut-bazar.php file which allows attackers to inject arbitrary web. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Skaut Bazar
NVD
CVSS 3.1
6.1
EPSS
2.4%
CVE-2021-34642 MEDIUM POC This Month

The Smart Email Alerts WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the api_key in the ~/views/settings.php file which allows attackers to inject arbitrary web scripts, in. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Smart Email Alerts
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-38757 MEDIUM POC This Month

Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through contact.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Hospital Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-38756 MEDIUM POC This Month

Persistent cross-site scripting (XSS) in Hospital Management System targeted towards web admin through prescribe.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Hospital Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2021-24536 MEDIUM POC This Month

The Custom Login Redirect WordPress plugin through 1.0.0 does not have CSRF check in place when saving its settings, and do not sanitise or escape user input before outputting them back in the page,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS Custom Login Redirect
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2021-24535 MEDIUM POC This Month

The Light Messages WordPress plugin through 1.0 is lacking CSRF check when updating it's settings, and is not sanitising its Message Content in them (even with the unfiltered_html disallowed). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS Light Messages
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2021-24466 MEDIUM POC This Month

The Verse-O-Matic WordPress plugin through 4.1.1 does not have any CSRF checks in place, allowing attackers to make logged in administrators do unwanted actions, such as add/edit/delete arbitrary. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS Verse O Matic
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2021-24411 MEDIUM POC This Month

The Social Tape WordPress plugin through 1.0 does not have CSRF checks in place when saving its settings, and do not sanitise or escape them before outputting them back in the page, leading to a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS Social Tape
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2021-24410 MEDIUM POC This Month

The తెలుగు బైబిల్ వచనములు WordPress plugin through 1.0 is lacking any CSRF check when saving its settings and verses, and do not sanitise or escape them when outputting them back in the page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS Telugu Bible Verse Daily
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2021-24362 MEDIUM POC This Month

The Photo Gallery by 10Web - Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Photo Gallery
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-24445 MEDIUM POC This Month

The My Site Audit WordPress plugin through 1.2.4 does not sanitise or escape the Audit Name field when creating an audit, allowing high privilege users to set JavaScript payloads in them, even when. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS My Site Audit
NVD WPScan
CVSS 3.1
5.5
EPSS
0.7%
CVE-2021-34641 MEDIUM POC This Month

The SEOPress WordPress plugin is vulnerable to Stored Cross-Site-Scripting via the processPut function found in the ~/src/Actions/Api/TitleDescriptionMeta.php file which allows authenticated. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Seopress
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-38752 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in Online Catering Reservation System using PHP on Sourcecodester allows an attacker to arbitrarily inject code in the search bar. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Online Catering Reservation System
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24548 MEDIUM POC This Month

The Mimetic Books WordPress plugin through 0.2.13 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) in the "Default Publisher ID" field on the plugin's settings page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Mimetic Books
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24541 MEDIUM POC This Month

The Wonder PDF Embed WordPress plugin before 1.7 does not escape parameters of its wonderplugin_pdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wonder Pdf Embed
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24540 MEDIUM POC This Month

The Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wonder Video Embed
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24538 MEDIUM POC This Month

The Current Book WordPress plugin through 1.0.1 does not sanitize user input when an authenticated user adds Author or Book Title, then does not escape these values when outputting to the browser. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Current Book
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24534 MEDIUM POC This Month

The PhoneTrack Meu Site Manager WordPress plugin through 0.1 does not sanitise or escape its "php_id" setting before outputting it back in an attribute in the page, leading to a stored Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Phonetrack Meu Site Manager
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24526 MEDIUM POC This Month

The Form Maker by 10Web - Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Form Maker
NVD WPScan
CVSS 3.1
5.4
EPSS
1.1%
CVE-2021-24512 MEDIUM POC This Month

The Video Posts Webcam Recorder WordPress plugin before 3.2.4 has an authenticated reflected cross site scripting (XSS) vulnerability in one of the administrative functions for handling deletion of. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Video Posts Webcam Recorder
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24471 MEDIUM POC This Month

The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Youtube Embed
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-38713 MEDIUM POC This Month

imgURL 2.31 allows XSS via an X-Forwarded-For HTTP header. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Imgurl
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-32822 MEDIUM POC This Month

The npm hbs package is an Express view engine wrapper for Handlebars. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Node.js Information Disclosure Hbs
NVD GitHub
CVSS 3.1
5.3
EPSS
1.2%
CVE-2021-22939 MEDIUM POC PATCH THREAT This Month

If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Node.js Authentication Bypass Node Js Graalvm Jd Edwards Enterpriseone Tools +5
NVD
CVSS 3.1
5.3
EPSS
14.7%
CVE-2021-38755 MEDIUM POC This Month

Unauthenticated doctor entry deletion in Hospital Management System in admin-panel1.php. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Hospital Management System
NVD GitHub
CVSS 3.1
5.3
EPSS
1.0%
CVE-2021-26086 MEDIUM POC KEV THREAT This Month

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Atlassian Jira Data Center Jira Server
NVD Exploit-DB
CVSS 3.1
5.3
EPSS
100.0%
CVE-2021-24363 MEDIUM POC This Month

The Photo Gallery by 10Web - Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal Photo Gallery
NVD WPScan
CVSS 3.1
4.9
EPSS
1.9%
CVE-2021-24519 MEDIUM POC This Month

The VikRentCar Car Rental Management System WordPress plugin before 1.1.10 does not sanitise the 'Text Next to Icon' field when adding or editing a Characteristic, allowing high privilege users such. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Car Rental Management System
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24518 MEDIUM POC This Month

The WPFront Notification Bar WordPress plugin before 2.0.0.07176 does not sanitise or escape its Custom CSS setting, allowing high privilege users such as admin to set XSS payload in it even when the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Notification Bar
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
CVE-2021-38751 MEDIUM POC This Month

A HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Exponentcms
NVD GitHub
CVSS 3.1
4.3
EPSS
2.5%
CVE-2021-24380 MEDIUM POC This Month

The Shantz WordPress QOTD WordPress plugin through 1.2.2 is lacking any CSRF check when updating its settings, allowing attackers to make logged in administrators change them to arbitrary values. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Shantz Wordpress Qotd
NVD WPScan
CVSS 3.1
4.3
EPSS
0.4%
CVE-2021-21599 MEDIUM PATCH This Month

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.1.x contain an OS command injection vulnerability. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity.

Dell Command Injection Emc Powerscale Onefs
NVD
CVSS 3.1
6.7
EPSS
0.4%
CVE-2021-21595 MEDIUM PATCH This Month

Dell EMC PowerScale OneFS versions 8.2.x - 9.1.1.x contain an improper neutralization of special elements used in an OS command. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Dell Command Injection Emc Powerscale Onefs
NVD
CVSS 3.1
6.7
EPSS
0.2%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy