Skip to main content
CVE-2021-20136 CRITICAL POC THREAT Act Now

ManageEngine Log360 Builds < 5235 are affected by an improper access control vulnerability allowing database configuration overwrite. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Zoho Authentication Bypass Manageengine Log360
NVD
CVSS 3.1
9.8
EPSS
10.5%
CVE-2021-26740 CRITICAL POC Act Now

Arbitrary file upload vulnerability sysupload.php in millken doyocms 2.3 allows attackers to execute arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Doyocms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2021-26739 CRITICAL POC Act Now

SQL Injection vulnerability in pay.php in millken doyocms 2.3, allows attackers to execute arbitrary code, via the attribute parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP RCE Doyocms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2021-24809 HIGH POC PATCH This Week

The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF WordPress Better Messages
NVD WPScan
CVSS 3.1
8.8
EPSS
0.7%
CVE-2021-24717 HIGH POC This Week

The AutomatorWP WordPress plugin before 1.7.6 does not perform capability checks which allows users with Subscriber roles to enumerate automations, disclose title of private posts or user emails,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Privilege Escalation Authentication Bypass Automatorwp
NVD WPScan
CVSS 3.1
8.8
EPSS
1.3%
CVE-2021-40348 HIGH POC PATCH This Week

Spacewalk 2.10, and derivatives such as Uyuni 2021.08, allows code injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Tomcat RCE Code Injection Uyuni Spacewalk
NVD GitHub
CVSS 3.1
8.8
EPSS
1.7%
CVE-2021-42694 HIGH POC This Week

An issue was discovered in the character definitions of the Unicode Specification through 14.0. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

RCE Code Injection Unicode
NVD
CVSS 3.1
8.3
EPSS
4.5%
CVE-2021-42574 HIGH POC THREAT This Week

An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

RCE Code Injection Unicode Fedora Starwind Virtual San
NVD
CVSS 3.1
8.3
EPSS
12.2%
CVE-2021-39341 HIGH POC THREAT This Week

The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP Information Disclosure Authentication Bypass Optinmonster
NVD
CVSS 3.1
8.2
EPSS
23.3%
CVE-2021-39333 HIGH POC This Week

The Hashthemes Demo Importer Plugin <= 1.1.1 for WordPress contained several AJAX functions which relied on a nonce which was visible to all logged-in users for access control, allowing them to. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Hashthemes Demo Importer
NVD
CVSS 3.1
8.1
EPSS
1.0%
CVE-2021-25874 HIGH POC This Week

AVideo/YouPHPTube AVideo/YouPHPTube 10.0 and prior is affected by a SQL Injection SQL injection in the catName parameter which allows a remote unauthenticated attacker to retrieve databases. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Youphptube
NVD VulDB
CVSS 3.1
7.5
EPSS
1.9%
CVE-2021-25877 HIGH POC This Week

AVideo/YouPHPTube 10.0 and prior is affected by Insecure file write. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection PHP Youphptube
NVD VulDB
CVSS 3.1
7.2
EPSS
3.1%
CVE-2021-42557 HIGH POC This Week

In Jeedom through 4.1.19, a bug allows a remote attacker to bypass API access and retrieve users credentials. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Jeedom
NVD GitHub
CVSS 3.1
7.5
EPSS
2.2%
CVE-2021-24770 MEDIUM POC This Month

The Stylish Price List WordPress plugin before 6.9.1 does not perform capability checks in its spl_upload_ser_img AJAX action (available to authenticated users), which could allow any authenticated. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Stylish Price List
NVD WPScan
CVSS 3.1
6.5
EPSS
0.8%
CVE-2021-24742 MEDIUM POC This Month

The Logo Slider and Showcase WordPress plugin before 1.3.37 allows Editor users to update the plugin's settings via the rtWLSSettings AJAX action because it uses a nonce for authorisation instead of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Logo Slider And Showcase
NVD WPScan
CVSS 3.1
6.5
EPSS
0.8%
CVE-2021-25878 MEDIUM POC This Month

AVideo/YouPHPTube 10.0 and prior is affected by multiple reflected Cross Script Scripting vulnerabilities via the videoName parameter which allows a remote attacker to steal administrators' session. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Youphptube
NVD VulDB
CVSS 3.1
6.1
EPSS
1.1%
CVE-2021-25876 MEDIUM POC This Month

AVideo/YouPHPTube 10.0 and prior has multiple reflected Cross Script Scripting vulnerabilities via the u parameter which allows a remote attacker to steal administrators' session cookies or perform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Youphptube
NVD VulDB
CVSS 3.1
6.1
EPSS
1.1%
CVE-2021-25875 MEDIUM POC This Month

AVideo/YouPHPTube AVideo/YouPHPTube 10.0 and prior has multiple reflected Cross Script Scripting vulnerabilities via the searchPhrase parameter which allows a remote attacker to steal administrators'. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Youphptube
NVD VulDB
CVSS 3.1
6.1
EPSS
1.1%
CVE-2021-38356 MEDIUM POC This Month

The NextScripts: Social Networks Auto-Poster <= 4.3.20 WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $_REQUEST['page'] parameter which is echoed out on. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Social Networks Auto Poster
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-24808 MEDIUM POC PATCH This Month

The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the 'subject' parameter before outputting it back in an attribute, leading to a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress XSS Better Messages
NVD WPScan
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-3705 CRITICAL Act Now

Potential security vulnerabilities have been discovered on a certain HP LaserJet Pro printer that may allow an unauthorized user to reconfigure, reset the device. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass HP Laserjet Pro J8H61A Firmware Laserjet Pro J8H60A Firmware
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-29212 CRITICAL Act Now

A remote unauthenticated directory traversal security vulnerability has been identified in HPE iLO Amplifier Pack versions 1.80, 1.81, 1.90 and 1.95. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Ilo Amplifier Pack
NVD
CVSS 3.1
9.8
EPSS
13.5%
CVE-2021-42917 MEDIUM POC PATCH This Month

Buffer overflow vulnerability in Kodi xbmc up to 19.0, allows attackers to cause a denial of service due to improper length of values passed to istream. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Denial Of Service Kodi
NVD GitHub
CVSS 3.1
5.5
EPSS
1.9%
CVE-2021-22564 MEDIUM POC PATCH This Month

For certain valid JPEG XL images with a size slightly larger than an integer number of groups (256x256 pixels) when processing the groups out of order the decoder can perform an out of bounds copy of. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Buffer Overflow Heap Overflow Libjxl
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2021-24723 MEDIUM POC This Month

The WP Reactions Lite WordPress plugin before 1.3.6 does not properly sanitize inputs within wp-admin pages, allowing users with sufficient access to inject XSS payloads within /wp-admin/ pages. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Reactions Lite
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24716 MEDIUM POC This Month

The Modern Events Calendar Lite WordPress plugin before 5.22.3 does not properly sanitize or escape values set by users with access to adjust settings withing wp-admin. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Modern Events Calendar Lite
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24685 MEDIUM POC This Month

The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Flat Preloader
NVD WPScan
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-24682 MEDIUM POC This Month

The Cool Tag Cloud WordPress plugin before 2.26 does not escape the style attribute of the cool_tag_cloud shortcode, which could allow users with a role as low as Contributor to perform Stored. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Cool Tag Cloud
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24757 MEDIUM POC This Month

The Stylish Price List WordPress plugin before 6.9.0 does not perform capability checks in its spl_upload_ser_img AJAX action (available to both unauthenticated and authenticated users), which could. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Stylish Price List
NVD WPScan
CVSS 3.1
5.3
EPSS
1.0%
CVE-2021-41187 HIGH This Week

DHIS 2 is an information system for data capture, management, validation, analytics and visualization. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Dhis 2
NVD GitHub
CVSS 3.1
8.8
EPSS
0.8%
CVE-2021-39346 MEDIUM POC PATCH This Month

The Google Maps Easy WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Google WordPress XSS PHP Easy Google Maps
NVD GitHub
CVSS 3.1
4.8
EPSS
0.9%
CVE-2021-39340 MEDIUM POC PATCH This Month

The Notification WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress XSS PHP Notification
NVD GitHub
CVSS 3.1
4.8
EPSS
0.9%
CVE-2021-38847 HIGH This Week

S-Cart v6.4.1 and below was discovered to contain an arbitrary file upload vulnerability in the Editor module on the Admin panel. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload S Cart
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
CVE-2021-27644 HIGH PATCH This Week

In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Apache Privilege Escalation Dolphinscheduler
NVD
CVSS 3.1
8.8
EPSS
1.9%
CVE-2021-24813 MEDIUM POC PATCH This Month

The Events Made Easy WordPress plugin before 2.2.24 does not sanitise and escape Custom Field Names, allowing high privilege users to perform Cross-Site Scripting attacks even when the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress XSS Events Made Easy
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
CVE-2021-24794 MEDIUM POC This Month

The Connections Business Directory WordPress plugin before 10.4.3 does not escape the Address settings when creating an Entry, which could allow high privilege users to perform Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Connections Business Directory
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
CVE-2021-24793 MEDIUM POC This Month

The WPeMatico RSS Feed Fetcher WordPress plugin before 2.6.12 does not escape the Feed URL added to a campaign before outputting it in an attribute, allowing high privilege users to perform. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wpematico Rss Feed Fetcher
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24789 MEDIUM POC This Month

The Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in attribute in the frontend, which could allow high privilege users to perform Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Flat Preloader
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24773 MEDIUM POC This Month

The WordPress Download Manager WordPress plugin before 3.2.16 does not escape some of the Download settings when outputting them, allowing high privilege users to perform XSS attacks even when the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Download Manager
NVD WPScan
CVSS 3.1
4.8
EPSS
2.8%
CVE-2021-24722 MEDIUM POC This Month

The Restaurant Menu by MotoPress WordPress plugin before 2.4.2 does not properly sanitize or escape inputs when creating new menu items, which could allow high privilege users to perform Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Restaurant Menu
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24715 MEDIUM POC This Month

The WP Sitemap Page WordPress plugin before 1.7.0 does not properly sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Sitemap Page
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24624 MEDIUM POC This Month

The MP3 Audio Player for Music, Radio & Podcast by Sonaar WordPress plugin before 2.4.2 does not properly sanitize or escape data in some of its Playlist settings, allowing high privilege users to. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Mp3 Audio Player For Music Radio Podcast
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24539 MEDIUM POC This Month

The Coming Soon, Under Construction & Maintenance Mode By Dazzler WordPress plugin before 1.6.7 does not sanitise or escape its description setting when outputting it in the frontend when the Coming. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Coming Soon Under Construction Maintenance Mode By Dazzler
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-22563 MEDIUM POC PATCH This Month

Invalid JPEG XL images using libjxl can cause an out of bounds access on a std::vector<std::vector<T>> when rendering splines. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. Public exploit code available.

Buffer Overflow Libjxl
NVD GitHub
CVSS 3.1
4.4
EPSS
0.3%
CVE-2021-24799 MEDIUM POC This Month

The Far Future Expiry Header WordPress plugin before 1.5 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Far Future Expiry Header
NVD WPScan
CVSS 3.1
4.3
EPSS
0.5%
CVE-2021-24781 MEDIUM POC PATCH This Month

The Image Source Control WordPress plugin before 2.3.1 allows users with a role as low as Contributor to change arbitrary post meta fields of arbitrary posts (even those they should not be able to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress Authentication Bypass Image Source Control
NVD WPScan
CVSS 3.1
4.3
EPSS
0.8%
CVE-2021-24572 MEDIUM POC This Month

The Accept Donations with PayPal WordPress plugin before 1.3.1 provides a function to create donation buttons which are internally stored as posts. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Accept Donations With Paypal
NVD WPScan
CVSS 3.1
4.3
EPSS
0.5%
CVE-2021-24570 MEDIUM POC PATCH This Month

The Accept Donations with PayPal WordPress plugin before 1.3.1 offers a function to create donation buttons, which internally are posts. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF WordPress XSS Accept Donations With Paypal
NVD WPScan
CVSS 3.1
4.3
EPSS
0.5%
CVE-2021-3440 HIGH This Week

HP Print and Scan Doctor, an application within the HP Smart App for Windows, is potentially vulnerable to local elevation of privilege. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Information Disclosure HP Hp Smart
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2021-3704 HIGH This Week

Potential security vulnerabilities have been discovered on a certain HP LaserJet Pro printer that may allow a Denial of Service on the device. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service HP Laserjet Pro J8H60A Firmware Laserjet Pro J8H61A Firmware
NVD
CVSS 3.1
7.5
EPSS
1.4%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy