Skip to main content
CVE-2021-24735 MEDIUM POC This Month

The Compact WP Audio Player WordPress plugin before 1.9.7 does not implement nonce checks, which could allow attackers to make a logged in admin change the "Disable Simultaneous Play" setting via a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Compact Wp Audio Player
NVD WPScan
CVSS 3.1
6.5
EPSS
0.6%
CVE-2021-24675 MEDIUM POC This Month

The One User Avatar WordPress plugin before 2.3.7 does not check for CSRF when updating the Avatar in page where the [avatar_upload] shortcode is embed. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress One User Avatar
NVD WPScan
CVSS 3.1
6.5
EPSS
0.6%
CVE-2021-24642 MEDIUM POC This Month

The Scroll Baner WordPress plugin through 1.0 does not have CSRF check in place when saving its settings, nor perform any sanitisation, escaping or validation on them. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS File Upload Scroll Banner
NVD WPScan
CVSS 3.1
6.5
EPSS
0.6%
CVE-2021-42566 MEDIUM POC This Month

myfactory.FMS before 7.1-912 allows XSS via the Error parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Fms
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
5.8%
CVE-2021-42565 MEDIUM POC This Month

myfactory.FMS before 7.1-912 allows XSS via the UID parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Fms
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
5.8%
CVE-2021-24752 MEDIUM POC This Month

Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Authentication Bypass Catch Scroll Progress Bar Catch Sticky Menu +8
NVD WPScan
CVSS 3.1
5.7
EPSS
0.4%
CVE-2021-24760 MEDIUM POC This Month

The Gutenberg PDF Viewer Block WordPress plugin before 1.0.1 does not sanitise and escape its block, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Pdf Viewer Block For Gutenberg
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24743 MEDIUM POC This Month

The Podcast Subscribe Buttons WordPress plugin before 1.4.2 allows users with any role capable of editing or adding posts to perform stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Podcast Subscribe Buttons
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24734 MEDIUM POC This Month

The Compact WP Audio Player WordPress plugin before 1.9.7 does not escape some of its shortcodes attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Compact Wp Audio Player
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24732 MEDIUM POC This Month

The PDF Flipbook, 3D Flipbook WordPress - DearFlip WordPress plugin before 1.7.10 does not escape the class attribute of its shortcode before outputting it back in an attribute, which could allow. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Dearflip
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24672 MEDIUM POC This Month

The One User Avatar WordPress plugin before 2.3.7 does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS One User Avatar
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24413 MEDIUM POC This Month

The Easy Twitter Feed WordPress plugin before 1.2 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Easy Twitter Feed
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24412 MEDIUM POC This Month

The Html5 Audio Player - Audio Player for WordPress plugin before 2.1.3 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Html5 Audio Player
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24677 MEDIUM POC This Month

The Find My Blocks WordPress plugin before 3.4.0 does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Find My Blocks
NVD WPScan
CVSS 3.1
5.3
EPSS
1.2%
CVE-2021-24740 MEDIUM POC This Month

The Tutor LMS WordPress plugin before 1.9.9 does not escape some of its settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Tutor Lms
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24736 MEDIUM POC This Month

The Easy Download Manager and File Sharing Plugin with frontend file upload - a better Media Library - Shared Files WordPress plugin before 1.6.57 does not sanitise and escape some of its settings. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS File Upload Shared Files
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24702 MEDIUM POC This Month

The LearnPress WordPress plugin before 4.1.3.1 does not properly sanitize or escape various inputs within course settings, which could allow high privilege users to perform Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Learnpress
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
CVE-2021-24622 MEDIUM POC This Month

The Customer Service Software & Support Ticket System WordPress plugin before 5.10.4 does not sanitize or escape form fields before outputting it in the List, which could allow high privilege users. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Customer Service Software Support Ticket System
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24612 MEDIUM POC This Month

The Sociable WordPress plugin through 4.3.4.1 does not sanitise or escape some of its settings before outputting them in the admins dashboard, allowing high privilege users to perform Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Sociable
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24516 MEDIUM POC This Month

The PlanSo Forms WordPress plugin through 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Planso Forms
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-42055 MEDIUM This Month

ASUSTek ZenBook Pro Due 15 UX582 laptop firmware through 203 has Insecure Permissions that allow attacks by a physically proximate attacker. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Ux582Lr Firmware
NVD
CVSS 3.1
6.8
EPSS
0.2%
CVE-2021-24595 MEDIUM This Month

The Wp Cookie Choice WordPress plugin through 1.1.0 is lacking any CSRF check when saving its options, and do not escape them when outputting them in attributes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress XSS Wp Cookie Choice
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2021-42650 MEDIUM PATCH This Month

Cross Site Scripting (XSS vulnerability exists in Portainer before 2.9.1 via the node input box in Custom Templates. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Portainer
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-24617 MEDIUM This Month

The GamePress WordPress plugin through 1.1.0 does not escape the op_edit POST parameter before outputting it back in multiple Game Option pages, leading to Reflected Cross-Site Scripting issues. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Gamepress
NVD WPScan
CVSS 3.1
6.1
EPSS
0.7%
CVE-2021-22942 MEDIUM PATCH This Month

A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Open Redirect Rails
NVD
CVSS 3.1
6.1
EPSS
1.6%
CVE-2021-41156 MEDIUM This Month

anuko/timetracker is an, open source time tracking system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Timetracker
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-29878 MEDIUM PATCH This Month

IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

IBM XSS Business Automation Workflow
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-32609 MEDIUM PATCH This Month

Apache Superset up to and including 1.1 does not sanitize titles correctly on the Explore page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Superset
NVD
CVSS 3.1
5.4
EPSS
1.6%
CVE-2021-24615 MEDIUM This Month

The Wechat Reward WordPress plugin through 1.7 does not sanitise or escape its QR settings, nor has any CSRF check in place, allowing attackers to make a logged in admin change the settings and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress XSS Wechat Reward
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2021-24416 MEDIUM This Month

The StreamCast - Radio Player for WordPress plugin before 2.1.1 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Streamcast Radio Player
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24415 MEDIUM This Month

The Polo Video Gallery - Best wordpress video gallery plugin WordPress plugin through 1.2 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Polo Video Gallery
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-41151 MEDIUM PATCH This Month

Backstage is an open platform for building developer portals. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Backstage
NVD GitHub
CVSS 3.1
4.9
EPSS
1.3%
CVE-2021-36097 MEDIUM This Month

Agents are able to lock the ticket without the "Owner" permission. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Otrs
NVD
CVSS 3.1
4.3
EPSS
0.5%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy