Skip to main content
CVE-2021-24827 CRITICAL POC PATCH THREAT Act Now

The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress SQLi Asgaros Forum
NVD WPScan
CVSS 3.1
9.8
EPSS
13.3%
CVE-2021-24731 CRITICAL POC Act Now

The Registration Forms - User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Pie Register
NVD WPScan
CVSS 3.1
9.8
EPSS
7.5%
CVE-2021-28024 CRITICAL POC Act Now

Unauthorized system access in the login form in ServiceTonic Helpdesk software version < 9.0.35937 allows attacker to login without using a password. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Servicetonic
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2021-28023 CRITICAL POC Act Now

Arbitrary file upload in Service import feature in ServiceTonic Helpdesk software version < 9.0.35937 allows a malicious user to execute JSP code by uploading a zip that extracts files in relative. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Servicetonic
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2021-42077 CRITICAL POC Act Now

PHP Event Calendar before 2021-09-03 allows SQL injection, as demonstrated by the /server/ajax/user_manager.php username parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Php Event Calendar
NVD
CVSS 3.1
9.8
EPSS
2.4%
CVE-2021-34684 CRITICAL POC Act Now

Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Vantara Pentaho
NVD
CVSS 3.1
9.8
EPSS
5.8%
CVE-2021-24693 CRITICAL POC Act Now

The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the "File Thumbnail" post meta before outputting it in some pages, which could allow users with a role as low as Contributor. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Simple Download Monitor
NVD WPScan
CVSS 3.1
9.0
EPSS
1.2%
CVE-2021-24835 HIGH POC This Week

The WCFM - Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible WordPress plugin before 6.5.12, when used in combination with another WCFM - WooCommerce Multivendor. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible
NVD WPScan
CVSS 3.1
8.8
EPSS
1.3%
CVE-2021-24829 HIGH POC This Week

The Visitor Traffic Real Time Statistics WordPress plugin before 3.9 does not validate and escape user input passed to the today_traffic_index AJAX action (available to any authenticated users). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Visitor Traffic Real Time Statistics
NVD WPScan
CVSS 3.1
8.8
EPSS
1.3%
CVE-2021-24669 HIGH POC This Week

The MAZ Loader - Preloader Builder for WordPress plugin before 1.3.3 does not validate or escape the loader_id parameter of the mzldr shortcode, which allows users with a role as low as Contributor. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Maz Loader
NVD WPScan
CVSS 3.1
8.8
EPSS
1.3%
CVE-2021-24631 HIGH POC This Week

The Unlimited PopUps WordPress plugin through 4.5.3 does not sanitise or escape the did GET parameter before using it in a SQL statement, available to users as low as editor, leading to an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Unlimited Popups
NVD WPScan
CVSS 3.1
8.8
EPSS
1.5%
CVE-2021-24630 HIGH POC This Week

The Schreikasten WordPress plugin through 0.14.18 does not sanitise or escape the id GET parameter before using it in SQL statements in the comments dashboard from various actions, leading to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Schreikasten
NVD WPScan
CVSS 3.1
8.8
EPSS
1.5%
CVE-2021-24626 HIGH POC This Week

The Chameleon CSS WordPress plugin through 1.2 does not have any CSRF and capability checks in all its AJAX calls, allowing any authenticated user, such as subscriber to call them and perform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress SQLi Chameleon Css
NVD WPScan
CVSS 3.1
8.8
EPSS
0.7%
CVE-2021-24575 HIGH POC This Week

The School Management System - WPSchoolPress WordPress plugin before 2.1.10 does not properly sanitize or use prepared statements before using POST variable in SQL queries, leading to SQL injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Wpschoolpress
NVD WPScan
CVSS 3.1
8.8
EPSS
1.3%
CVE-2021-42372 HIGH POC This Week

A shell command injection in the HW Events SNMP community in XoruX LPAR2RRD and STOR2RRD before 7.30 allows authenticated remote attackers to execute arbitrary shell commands as the user running the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Lpar2Rrd Stor2Rrd
NVD GitHub
CVSS 3.1
8.8
EPSS
6.1%
CVE-2021-42072 HIGH POC This Week

An issue was discovered in Barrier before 2.4.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Barrier Fedora
NVD GitHub
CVSS 3.1
8.8
EPSS
1.6%
CVE-2021-31599 HIGH POC This Week

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Vantara Pentaho Vantara Pentaho Business Intelligence Server
NVD
CVSS 3.1
8.8
EPSS
2.3%
CVE-2021-42073 HIGH POC This Week

An issue was discovered in Barrier before 2.4.0. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Session Fixation Barrier
NVD GitHub
CVSS 3.1
8.2
EPSS
1.4%
CVE-2021-41253 HIGH POC PATCH This Week

Zydis is an x86/x86-64 disassembler library. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Buffer Overflow Heap Overflow Zydis
NVD GitHub
CVSS 3.1
8.1
EPSS
1.8%
CVE-2021-24647 HIGH POC This Week

The Registration Forms - User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.1.7.6 has a flaw in the social login implementation, allowing. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Pie Register
NVD WPScan
CVSS 3.1
8.1
EPSS
8.4%
CVE-2021-24695 HIGH POC This Week

The Simple Download Monitor WordPress plugin before 3.9.6 saves logs in a predictable location, and does not have any authentication or authorisation in place to prevent unauthenticated users to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure Simple Download Monitor
NVD WPScan
CVSS 3.1
7.5
EPSS
1.6%
CVE-2021-39182 HIGH POC PATCH This Week

EnroCrypt is a Python module for encryption and hashing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Enrocrypt
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2021-28022 HIGH POC This Week

Blind SQL injection in the login form in ServiceTonic Helpdesk software < 9.0.35937 allows attacker to exfiltrate information via specially crafted HQL-compatible time-based SQL queries. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Servicetonic
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-42076 HIGH POC This Week

An issue was discovered in Barrier before 2.3.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption Barrier
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2021-42075 HIGH POC This Week

An issue was discovered in Barrier before 2.3.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Barrier
NVD GitHub
CVSS 3.1
7.5
EPSS
2.1%
CVE-2021-42074 HIGH POC This Week

An issue was discovered in Barrier before 2.3.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Memory Corruption Information Disclosure Barrier
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2021-31602 HIGH POC THREAT This Week

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Java Authentication Bypass Vantara Pentaho Vantara Pentaho Business Intelligence Server
NVD
CVSS 3.1
7.5
EPSS
51.7%
CVE-2021-24844 HIGH POC PATCH This Week

The Affiliates Manager WordPress plugin before 2.8.7 does not validate the orderby parameter before using it in an SQL statement in the admin dashboard, leading to an SQL Injection issue. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress SQLi Affiliates Manager
NVD WPScan
CVSS 3.1
7.2
EPSS
1.5%
CVE-2021-24791 HIGH POC This Week

The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the "orderby" and "order" request parameters before using them in a SQL statement when viewing the Snippets. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Header Footer Code Manager
NVD WPScan
CVSS 3.1
7.2
EPSS
5.1%
CVE-2021-24629 HIGH POC This Week

The Post Content XMLRPC WordPress plugin through 1.0 does not sanitise or escape multiple GET/POST parameters before using them in SQL statements in the admin dashboard, leading to an authenticated. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Post Content Xmlrpc
NVD WPScan
CVSS 3.1
7.2
EPSS
1.5%
CVE-2021-24628 HIGH POC This Week

The Wow Forms WordPress plugin through 3.1.3 does not sanitise or escape a 'did' GET parameter before using it in a SQL statement, when deleting a form in the admin dashboard, leading to an. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Wow Forms
NVD WPScan
CVSS 3.1
7.2
EPSS
1.5%
CVE-2021-24627 HIGH POC This Week

The G Auto-Hyperlink WordPress plugin through 1.0.1 does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi G Auto Hyperlink
NVD WPScan
CVSS 3.1
7.2
EPSS
6.6%
CVE-2021-24625 HIGH POC This Week

The SpiderCatalog WordPress plugin through 1.7.3 does not sanitise or escape the 'parent' and 'ordering' parameters from the admin dashboard before using them in a SQL statement, leading to a SQL. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Spidercatalog
NVD WPScan
CVSS 3.1
7.2
EPSS
1.5%
CVE-2021-24537 HIGH POC This Week

The Similar Posts WordPress plugin through 3.1.5 allow high privilege users to execute arbitrary PHP code in an hardened environment (ie with DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS and. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress RCE PHP Code Injection Similar Posts
NVD WPScan
CVSS 3.1
7.2
EPSS
1.5%
CVE-2021-34685 HIGH POC This Week

UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Vantara Pentaho
NVD
CVSS 3.1
7.2
EPSS
2.2%
CVE-2021-24788 MEDIUM POC This Month

The Batch Cat WordPress plugin through 0.3 defines 3 custom AJAX actions, which both require authentication but are available for all roles. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Batch Cat
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-24783 MEDIUM POC This Month

The Post Expirator WordPress plugin before 2.6.0 does not have proper capability checks in place, which could allow users with a role as low as Contributor to schedule deletion of arbitrary posts. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Post Expirator
NVD WPScan
CVSS 3.1
6.5
EPSS
0.8%
CVE-2021-24767 MEDIUM POC This Month

The Redirect 404 Error Page to Homepage or Custom Page with Logs WordPress plugin before 1.7.9 does not check for CSRF when deleting logs, which could allow attacker to make a logged in admin delete. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Redirect 404 Error Page To Homepage Or Custom Page With Logs
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2021-24766 MEDIUM POC This Month

The 404 to 301 - Redirect, Log and Notify 404 Errors WordPress plugin before 3.0.9 does not have CSRF check in place when cleaning the logs, which could allow attacker to make a logged in admin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress 404 To 301
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2021-24721 MEDIUM POC This Month

The Loco Translate WordPress plugin before 2.5.4 mishandles data inputs which get saved to a file, which can be renamed to an extension ending in .php, resulting in authenticated "translator" users. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress RCE PHP Code Injection Loco Translate
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-24674 MEDIUM POC This Month

The Genie WP Favicon WordPress plugin through 0.5.2 does not have CSRF in place when updating the favicon, which could allow attackers to make a logged in admin change it via a CSRF attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Genie Wp Favicon
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2021-31601 MEDIUM POC This Month

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Vantara Pentaho Vantara Pentaho Business Intelligence Server
NVD
CVSS 3.1
6.5
EPSS
1.3%
CVE-2021-40261 MEDIUM POC This Month

Multiple Cross Site Scripting (XSS) vulnerabilities exist in SourceCodester CASAP Automated Enrollment System 1.0 via the (1) user_username and (2) category parameters in save_class.php, the (3). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Casap Automated Enrollment System
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-40260 MEDIUM POC This Month

Multiple Cross Site Scripting (XSS) vulnerabilities exist in SourceCodester Tailor Management 1.0 via the (1) eid parameter in (a) partedit.php and (b) customeredit.php, the (2) id parameter in (a). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Tailor Management System
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-39420 MEDIUM POC This Month

Multiple Cross Site Scripting (XSS) vulnerabilities exist in VFront 0.99.5 via the (1) s parameter in search_all.php and the (2) msg parameter in add.attach.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Vfront
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-24798 MEDIUM POC This Month

The WP Header Images WordPress plugin before 2.0.1 does not sanitise and escape the t parameter before outputting it back in the plugin's settings page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Header Images
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-24697 MEDIUM POC This Month

The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the 1) sdm_active_tab GET parameter and 2) sdm_stats_start_date/sdm_stats_end_date POST parameters before outputting them. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Simple Download Monitor
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-42770 MEDIUM POC This Month

A Cross-site scripting (XSS) vulnerability was discovered in OPNsense before 21.7.4 via the LDAP attribute return in the authentication tester. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opnsense
NVD GitHub
CVSS 3.1
6.1
EPSS
1.3%
CVE-2021-42078 MEDIUM POC This Month

PHP Event Calendar through 2021-11-04 allows persistent cross-site scripting (XSS), as demonstrated by the /server/ajax/events_manager.php title parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Php Event Calendar
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-41170 CRITICAL PATCH Act Now

neoan3-apps/template is a neoan3 minimal template engine. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Neoan3 Template
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy