Skip to main content
CVE-2021-24788 MEDIUM POC This Month

The Batch Cat WordPress plugin through 0.3 defines 3 custom AJAX actions, which both require authentication but are available for all roles. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Batch Cat
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-24783 MEDIUM POC This Month

The Post Expirator WordPress plugin before 2.6.0 does not have proper capability checks in place, which could allow users with a role as low as Contributor to schedule deletion of arbitrary posts. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Post Expirator
NVD WPScan
CVSS 3.1
6.5
EPSS
0.8%
CVE-2021-24767 MEDIUM POC This Month

The Redirect 404 Error Page to Homepage or Custom Page with Logs WordPress plugin before 1.7.9 does not check for CSRF when deleting logs, which could allow attacker to make a logged in admin delete. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Redirect 404 Error Page To Homepage Or Custom Page With Logs
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2021-24766 MEDIUM POC This Month

The 404 to 301 - Redirect, Log and Notify 404 Errors WordPress plugin before 3.0.9 does not have CSRF check in place when cleaning the logs, which could allow attacker to make a logged in admin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress 404 To 301
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2021-24721 MEDIUM POC This Month

The Loco Translate WordPress plugin before 2.5.4 mishandles data inputs which get saved to a file, which can be renamed to an extension ending in .php, resulting in authenticated "translator" users. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress RCE PHP Code Injection Loco Translate
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-24674 MEDIUM POC This Month

The Genie WP Favicon WordPress plugin through 0.5.2 does not have CSRF in place when updating the favicon, which could allow attackers to make a logged in admin change it via a CSRF attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Genie Wp Favicon
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2021-31601 MEDIUM POC This Month

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Vantara Pentaho Vantara Pentaho Business Intelligence Server
NVD
CVSS 3.1
6.5
EPSS
1.3%
CVE-2021-40261 MEDIUM POC This Month

Multiple Cross Site Scripting (XSS) vulnerabilities exist in SourceCodester CASAP Automated Enrollment System 1.0 via the (1) user_username and (2) category parameters in save_class.php, the (3). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Casap Automated Enrollment System
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-40260 MEDIUM POC This Month

Multiple Cross Site Scripting (XSS) vulnerabilities exist in SourceCodester Tailor Management 1.0 via the (1) eid parameter in (a) partedit.php and (b) customeredit.php, the (2) id parameter in (a). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Tailor Management System
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-39420 MEDIUM POC This Month

Multiple Cross Site Scripting (XSS) vulnerabilities exist in VFront 0.99.5 via the (1) s parameter in search_all.php and the (2) msg parameter in add.attach.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Vfront
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-24798 MEDIUM POC This Month

The WP Header Images WordPress plugin before 2.0.1 does not sanitise and escape the t parameter before outputting it back in the plugin's settings page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Header Images
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-24697 MEDIUM POC This Month

The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the 1) sdm_active_tab GET parameter and 2) sdm_stats_start_date/sdm_stats_end_date POST parameters before outputting them. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Simple Download Monitor
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-42770 MEDIUM POC This Month

A Cross-site scripting (XSS) vulnerability was discovered in OPNsense before 21.7.4 via the LDAP attribute return in the authentication tester. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opnsense
NVD GitHub
CVSS 3.1
6.1
EPSS
1.3%
CVE-2021-42078 MEDIUM POC This Month

PHP Event Calendar through 2021-11-04 allows persistent cross-site scripting (XSS), as demonstrated by the /server/ajax/events_manager.php title parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Php Event Calendar
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-40577 MEDIUM POC This Month

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Online Enrollment Management System in PHP and PayPal Free Source Code 1.0 in the Add-Users page via the Name parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Online Enrollment Management System
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
1.6%
CVE-2021-24807 MEDIUM POC This Month

The Support Board WordPress plugin before 3.3.5 allows Authenticated (Agent+) users to perform Cross-Site Scripting attacks by placing a payload in the notes field, when an administrator or any. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Support Board
NVD GitHub WPScan
CVSS 3.1
5.4
EPSS
1.4%
CVE-2021-24840 MEDIUM POC This Month

The Squaretype WordPress theme before 3.0.4 allows unauthenticated users to manipulate the query_vars used to retrieve the posts to display in one of its REST endpoint, without any validation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Squaretype
NVD WPScan
CVSS 3.1
5.3
EPSS
1.1%
CVE-2021-24710 MEDIUM POC PATCH This Month

The Print-O-Matic WordPress plugin before 2.0.3 does not escape some of its settings before outputting them in attribute, which could allow high privilege users to perform Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress XSS Print O Matic
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
CVE-2021-24708 MEDIUM POC This Month

The Export any WordPress data to XML/CSV WordPress plugin before 1.3.1 does not escape its Export's Name before outputting it in Manage Exports settings, which could allow high privilege users to. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp All Export
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24706 MEDIUM POC This Month

The Qwizcards - online quizzes and flashcards WordPress plugin before 3.62 does not properly sanitize and escape some of its settings, allowing high privilege users to perform Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Qwizcards
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24701 MEDIUM POC This Month

The Quiz Tool Lite WordPress plugin through 2.3.15 does not sanitize multiple input fields used when creating or managing quizzes and in other setting options, allowing high privilege users to. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Quiz Tool Lite
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24664 MEDIUM POC This Month

The School Management System - WPSchoolPress WordPress plugin before 2.1.17 sanitise some fields using sanitize_text_field() but does not escape them before outputting in attributes, resulting in. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wpschoolpress
NVD WPScan Exploit-DB
CVSS 3.1
4.8
EPSS
2.4%
CVE-2021-24646 MEDIUM POC This Month

The Booking.com Banner Creator WordPress plugin before 1.4.3 does not properly sanitize inputs when creating banners, which could allow high privilege users to perform Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Booking Com Banner Creator
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24645 MEDIUM POC This Month

The Booking.com Product Helper WordPress plugin before 1.0.2 does not sanitize and escape Product Code when creating Product Shortcode, which could allow high privilege users to perform Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Booking Com Product Helper
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24616 MEDIUM POC PATCH This Month

The AddToAny Share Buttons WordPress plugin before 1.7.48 does not escape its Image URL button setting, which could lead allow high privilege users to perform Cross-Site Scripting attacks even when. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress XSS Addtoany Share Buttons
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
CVE-2021-24607 MEDIUM POC This Month

The Storefront Footer Text WordPress plugin through 1.0.1 does not sanitize and escape the "Footer Credit Text" added to pages, allowing high privilege users to perform Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Storefront Footer Text
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24594 MEDIUM POC PATCH This Month

The Translate WordPress - Google Language Translator WordPress plugin before 6.0.12 does not sanitise and escape some of its settings before outputting it in various pages, allowing high privilege. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Google WordPress XSS Google Language Translator
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
CVE-2021-24832 MEDIUM POC This Month

The WP SEO Redirect 301 WordPress plugin before 2.3.2 does not have CSRF in place when deleting redirects, which could allow attackers to make a logged in admin delete them via a CSRF attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Wp Seo Redirect 301
NVD WPScan
CVSS 3.1
4.3
EPSS
0.4%
CVE-2021-24816 MEDIUM POC This Month

The Phoenix Media Rename WordPress plugin before 3.4.4 does not have capability checks in its phoenix_media_rename AJAX action, which could allow users with Author roles to rename any uploaded media. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Phoenix Media Rename
NVD WPScan
CVSS 3.1
4.3
EPSS
0.7%
CVE-2021-24806 MEDIUM POC This Month

The wpDiscuz WordPress plugin before 7.3.4 does check for CSRF when adding, editing and deleting comments, which could allow attacker to make logged in users such as admin edit and delete arbitrary. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Wpdiscuz
NVD WPScan
CVSS 3.1
4.3
EPSS
0.5%
CVE-2021-24801 MEDIUM POC This Month

The WP Survey Plus WordPress plugin through 1.0 does not have any authorisation and CSRF checks in place in its AJAX actions, allowing any user to call them and add/edit/delete Surveys. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS Authentication Bypass Wp Survey Plus
NVD WPScan
CVSS 3.1
4.3
EPSS
0.4%
CVE-2021-24698 MEDIUM POC This Month

The Simple Download Monitor WordPress plugin before 3.9.6 allows users with a role as low as Contributor to remove thumbnails from downloads they do not own, even if they cannot normally edit the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Simple Download Monitor
NVD WPScan
CVSS 3.1
4.3
EPSS
0.7%
CVE-2021-31600 MEDIUM POC This Month

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Information Disclosure Vantara Pentaho Vantara Pentaho Business Intelligence Server
NVD
CVSS 3.1
4.3
EPSS
1.0%
CVE-2021-29843 MEDIUM This Month

IBM MQ 9.1 LTS, 9.1 CD, 9.2 LTS, and 9.2CD is vulnerable to a denial of service attack caused by an issue processing message properties. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM Denial Of Service Mq Appliance
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-22051 MEDIUM PATCH This Month

Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Authentication Bypass Spring Cloud Gateway
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2021-41733 MEDIUM PATCH This Month

Oppia 3.1.4 does not verify that certain URLs are valid before navigating to them. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Oppia
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2021-32482 MEDIUM This Month

Cloudera Manager 5.x, 6.x, 7.1.x, 7.2.x, and 7.3.x allows XSS via the path parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Cloudera Manager
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-32481 MEDIUM This Month

Cloudera Hue 4.6.0 allows XSS via the type parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Hue
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-29994 MEDIUM This Month

Cloudera Hue 4.6.0 allows XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Hue
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-29243 MEDIUM This Month

Cloudera Manager 5.x, 6.x, 7.1.x, 7.2.x, and 7.3.x allows XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Cloudera Manager
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-37850 MEDIUM This Month

ESET was made aware of a vulnerability in its consumer and business products for macOS that enables a user logged on to the system to stop the ESET daemon, effectively disabling the protection of the. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Apple Information Disclosure Eset Cyber Security Endpoint Antivirus +1
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2021-29735 MEDIUM This Month

IBM Security Guardium 10.5, 10.6, 11.0, 11.1, 11.2, and 11.3 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XSS Security Guardium
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-32483 MEDIUM This Month

Cloudera Manager 7.2.4 has Incorrect Access Control, allowing Escalation of Privileges to view the restricted Dashboard. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Cloudera Manager
NVD
CVSS 3.1
5.3
EPSS
0.8%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy