Skip to main content
CVE-2021-24770 MEDIUM POC This Month

The Stylish Price List WordPress plugin before 6.9.1 does not perform capability checks in its spl_upload_ser_img AJAX action (available to authenticated users), which could allow any authenticated. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Stylish Price List
NVD WPScan
CVSS 3.1
6.5
EPSS
0.8%
CVE-2021-24742 MEDIUM POC This Month

The Logo Slider and Showcase WordPress plugin before 1.3.37 allows Editor users to update the plugin's settings via the rtWLSSettings AJAX action because it uses a nonce for authorisation instead of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Logo Slider And Showcase
NVD WPScan
CVSS 3.1
6.5
EPSS
0.8%
CVE-2021-25878 MEDIUM POC This Month

AVideo/YouPHPTube 10.0 and prior is affected by multiple reflected Cross Script Scripting vulnerabilities via the videoName parameter which allows a remote attacker to steal administrators' session. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Youphptube
NVD VulDB
CVSS 3.1
6.1
EPSS
1.1%
CVE-2021-25876 MEDIUM POC This Month

AVideo/YouPHPTube 10.0 and prior has multiple reflected Cross Script Scripting vulnerabilities via the u parameter which allows a remote attacker to steal administrators' session cookies or perform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Youphptube
NVD VulDB
CVSS 3.1
6.1
EPSS
1.1%
CVE-2021-25875 MEDIUM POC This Month

AVideo/YouPHPTube AVideo/YouPHPTube 10.0 and prior has multiple reflected Cross Script Scripting vulnerabilities via the searchPhrase parameter which allows a remote attacker to steal administrators'. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Youphptube
NVD VulDB
CVSS 3.1
6.1
EPSS
1.1%
CVE-2021-38356 MEDIUM POC This Month

The NextScripts: Social Networks Auto-Poster <= 4.3.20 WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $_REQUEST['page'] parameter which is echoed out on. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP Social Networks Auto Poster
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-24808 MEDIUM POC PATCH This Month

The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the 'subject' parameter before outputting it back in an attribute, leading to a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress XSS Better Messages
NVD WPScan
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-42917 MEDIUM POC PATCH This Month

Buffer overflow vulnerability in Kodi xbmc up to 19.0, allows attackers to cause a denial of service due to improper length of values passed to istream. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Denial Of Service Kodi
NVD GitHub
CVSS 3.1
5.5
EPSS
1.9%
CVE-2021-22564 MEDIUM POC PATCH This Month

For certain valid JPEG XL images with a size slightly larger than an integer number of groups (256x256 pixels) when processing the groups out of order the decoder can perform an out of bounds copy of. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Buffer Overflow Heap Overflow Libjxl
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2021-24723 MEDIUM POC This Month

The WP Reactions Lite WordPress plugin before 1.3.6 does not properly sanitize inputs within wp-admin pages, allowing users with sufficient access to inject XSS payloads within /wp-admin/ pages. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Reactions Lite
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24716 MEDIUM POC This Month

The Modern Events Calendar Lite WordPress plugin before 5.22.3 does not properly sanitize or escape values set by users with access to adjust settings withing wp-admin. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Modern Events Calendar Lite
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24685 MEDIUM POC This Month

The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Flat Preloader
NVD WPScan
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-24682 MEDIUM POC This Month

The Cool Tag Cloud WordPress plugin before 2.26 does not escape the style attribute of the cool_tag_cloud shortcode, which could allow users with a role as low as Contributor to perform Stored. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Cool Tag Cloud
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24757 MEDIUM POC This Month

The Stylish Price List WordPress plugin before 6.9.0 does not perform capability checks in its spl_upload_ser_img AJAX action (available to both unauthenticated and authenticated users), which could. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Stylish Price List
NVD WPScan
CVSS 3.1
5.3
EPSS
1.0%
CVE-2021-39346 MEDIUM POC PATCH This Month

The Google Maps Easy WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Google WordPress XSS PHP Easy Google Maps
NVD GitHub
CVSS 3.1
4.8
EPSS
0.9%
CVE-2021-39340 MEDIUM POC PATCH This Month

The Notification WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress XSS PHP Notification
NVD GitHub
CVSS 3.1
4.8
EPSS
0.9%
CVE-2021-24813 MEDIUM POC PATCH This Month

The Events Made Easy WordPress plugin before 2.2.24 does not sanitise and escape Custom Field Names, allowing high privilege users to perform Cross-Site Scripting attacks even when the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress XSS Events Made Easy
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
CVE-2021-24794 MEDIUM POC This Month

The Connections Business Directory WordPress plugin before 10.4.3 does not escape the Address settings when creating an Entry, which could allow high privilege users to perform Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Connections Business Directory
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
CVE-2021-24793 MEDIUM POC This Month

The WPeMatico RSS Feed Fetcher WordPress plugin before 2.6.12 does not escape the Feed URL added to a campaign before outputting it in an attribute, allowing high privilege users to perform. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wpematico Rss Feed Fetcher
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24789 MEDIUM POC This Month

The Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in attribute in the frontend, which could allow high privilege users to perform Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Flat Preloader
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24773 MEDIUM POC This Month

The WordPress Download Manager WordPress plugin before 3.2.16 does not escape some of the Download settings when outputting them, allowing high privilege users to perform XSS attacks even when the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Download Manager
NVD WPScan
CVSS 3.1
4.8
EPSS
2.8%
CVE-2021-24722 MEDIUM POC This Month

The Restaurant Menu by MotoPress WordPress plugin before 2.4.2 does not properly sanitize or escape inputs when creating new menu items, which could allow high privilege users to perform Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Restaurant Menu
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24715 MEDIUM POC This Month

The WP Sitemap Page WordPress plugin before 1.7.0 does not properly sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Sitemap Page
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24624 MEDIUM POC This Month

The MP3 Audio Player for Music, Radio & Podcast by Sonaar WordPress plugin before 2.4.2 does not properly sanitize or escape data in some of its Playlist settings, allowing high privilege users to. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Mp3 Audio Player For Music Radio Podcast
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24539 MEDIUM POC This Month

The Coming Soon, Under Construction & Maintenance Mode By Dazzler WordPress plugin before 1.6.7 does not sanitise or escape its description setting when outputting it in the frontend when the Coming. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Coming Soon Under Construction Maintenance Mode By Dazzler
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-22563 MEDIUM POC PATCH This Month

Invalid JPEG XL images using libjxl can cause an out of bounds access on a std::vector<std::vector<T>> when rendering splines. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. Public exploit code available.

Buffer Overflow Libjxl
NVD GitHub
CVSS 3.1
4.4
EPSS
0.3%
CVE-2021-24799 MEDIUM POC This Month

The Far Future Expiry Header WordPress plugin before 1.5 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Far Future Expiry Header
NVD WPScan
CVSS 3.1
4.3
EPSS
0.5%
CVE-2021-24781 MEDIUM POC PATCH This Month

The Image Source Control WordPress plugin before 2.3.1 allows users with a role as low as Contributor to change arbitrary post meta fields of arbitrary posts (even those they should not be able to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress Authentication Bypass Image Source Control
NVD WPScan
CVSS 3.1
4.3
EPSS
0.8%
CVE-2021-24572 MEDIUM POC This Month

The Accept Donations with PayPal WordPress plugin before 1.3.1 provides a function to create donation buttons which are internally stored as posts. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Accept Donations With Paypal
NVD WPScan
CVSS 3.1
4.3
EPSS
0.5%
CVE-2021-24570 MEDIUM POC PATCH This Month

The Accept Donations with PayPal WordPress plugin before 1.3.1 offers a function to create donation buttons, which internally are posts. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF WordPress XSS Accept Donations With Paypal
NVD WPScan
CVSS 3.1
4.3
EPSS
0.5%
CVE-2021-29213 MEDIUM This Month

A potential local bypass of security restrictions vulnerability has been identified in HPE ProLiant DL20 Gen10, HPE ProLiant ML30 Gen10, and HPE ProLiant MicroServer Gen10 Plus server's system ROMs. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Proliant Microserver Gen10 Plus Firmware Proliant Ml30 Gen10 Server Firmware Proliant Dl20 Gen10 Server Firmware
NVD
CVSS 3.1
6.7
EPSS
0.3%
CVE-2021-41973 MEDIUM PATCH This Month

In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Denial Of Service Mina Banking Payments Banking Trade Finance Process Management +6
NVD
CVSS 3.1
6.5
EPSS
4.3%
CVE-2021-20839 MEDIUM PATCH This Month

Office Server Document Converter V7.2MR4 and earlier and V7.1MR7 and earlier allows a remote unauthenticated attacker to conduct an XML External Entity (XXE) attack to cause a denial of service (DoS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Denial Of Service XXE Office Server Document Converter
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2021-41310 MEDIUM This Month

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Atlassian Jira Software Data Center
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2021-43058 MEDIUM This Month

An open redirect vulnerability exists in Replicated Classic versions prior to 2.53.1 that could lead to spoofing. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Replicated Classic
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-31848 MEDIUM This Month

Cross site scripting (XSS) vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.7.100 allows a remote attacker to highjack an active DLP ePO administrator session by. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Data Loss Prevention Endpoint
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-27004 MEDIUM PATCH This Month

System Manager 9.x versions 9.7 and higher prior to 9.7P16, 9.8P7 and 9.9.1P2 are susceptible to a vulnerability which could allow a local attacker to discover plaintext iSCSI CHAP credentials. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Ontap System Manager
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2021-41313 MEDIUM This Month

Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Atlassian Authentication Bypass Jira Data Center Jira Server
NVD
CVSS 3.1
4.3
EPSS
0.8%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy