Skip to main content
CVE-2021-44966 CRITICAL POC Act Now

SQL injection bypass authentication vulnerability in PHPGURUKUL Employee Record Management System 1.2 via index.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Employee Record Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
2.1%
CVE-2021-43117 CRITICAL POC Act Now

fastadmin v1.2.1 is affected by a file upload vulnerability which allows arbitrary code execution through shell access. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Fastadmin
NVD GitHub
CVSS 3.1
9.8
EPSS
2.1%
CVE-2021-24951 CRITICAL POC Act Now

The LearnPress WordPress plugin before 4.1.4 does not sanitise, validate and escape the id parameter before using it in SQL statements when duplicating course/lesson/quiz/question, leading to SQL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Learnpress
NVD WPScan
CVSS 3.1
9.8
EPSS
1.6%
CVE-2021-24946 CRITICAL POC THREAT Act Now

The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Modern Events Calendar Lite
NVD GitHub WPScan Exploit-DB
CVSS 3.1
9.8
EPSS
72.8%
CVE-2021-24863 CRITICAL POC Act Now

The WP Block and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection Plugin StopBadBots WordPress plugin before 6.67 does not sanitise and escape the User Agent before using it in a SQL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Stop Bad Bots
NVD WPScan
CVSS 3.1
9.8
EPSS
1.6%
CVE-2021-24857 CRITICAL POC Act Now

The ToTop Link WordPress plugin through 1.7.1 passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization WordPress PHP Totop Link
NVD WPScan
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-44152 CRITICAL POC PATCH THREAT Act Now

An issue was discovered in Reprise RLM 14.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Reprise License Manager
NVD
CVSS 3.1
9.8
EPSS
58.6%
CVE-2021-44847 CRITICAL POC Act Now

A stack-based buffer overflow in handle_request function in DHT.c in toxcore 0.1.9 through 0.1.11 and 0.2.0 through 0.2.12 (caused by an improper length calculation during the handling of received. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Toxcore Fedora
NVD GitHub
CVSS 3.1
9.8
EPSS
4.0%
CVE-2021-24922 CRITICAL POC Act Now

The Pixel Cat WordPress plugin before 2.6.2 does not have CSRF check when saving its settings, and did not sanitise as well as escape some of them, which could allow attacker to make a logged in. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS Pixel Cat
NVD WPScan
CVSS 3.1
9.0
EPSS
0.5%
CVE-2021-24848 HIGH POC This Week

The mediamaticAjaxRenameCategory AJAX action of the Mediamatic WordPress plugin before 2.8.1, available to any authenticated user, does not sanitise the categoryID parameter before using it in a SQL. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Mediamatic
NVD WPScan
CVSS 3.1
8.8
EPSS
1.3%
CVE-2021-40857 HIGH POC This Week

Auerswald COMpact 5500R devices before 8.2B allow Privilege Escalation via the passwd=1 substring. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Compact 5500R Ip Firmware Compact 5200R Ip Firmware Compact 5000R Ip Firmware Compact 4000 Ip Firmware +6
NVD
CVSS 3.1
8.8
EPSS
2.0%
CVE-2021-24945 HIGH POC This Week

The Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Information Disclosure Like Button Rating
NVD WPScan
CVSS 3.1
8.0
EPSS
0.6%
CVE-2021-44965 HIGH POC This Week

Directory traversal vulnerability in /admin/includes/* directory for PHPGURUKUL Employee Record Management System 1.2 The attacker can retrieve and download sensitive information from the vulnerable. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Employee Record Management System
NVD GitHub
CVSS 3.1
7.5
EPSS
2.2%
CVE-2021-40856 HIGH POC THREAT This Week

Auerswald COMfortel 1400 IP and 2600 IP before 2.8G devices allow Authentication Bypass via the /about/../ substring. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Comfortel 3600 Ip Firmware Comfortel 2600 Ip Firmware Comfortel 1400 Ip Firmware
NVD
CVSS 3.1
7.5
EPSS
51.1%
CVE-2021-24970 HIGH POC This Week

The All-in-One Video Gallery WordPress plugin before 2.5.0 does not sanitise and validate the tab parameter before using it in a require statement in the admin dashboard, leading to a Local File. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal All In One Video Gallery
NVD WPScan
CVSS 3.1
7.2
EPSS
5.9%
CVE-2021-24861 HIGH POC This Week

The Quotes Collection WordPress plugin through 2.5.2 does not validate and escape the bulkcheck parameter before using it in a SQL statement, leading to a SQL injection. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Quotes Collection
NVD WPScan
CVSS 3.1
7.2
EPSS
1.3%
CVE-2021-24747 HIGH POC PATCH This Week

The SEO Booster WordPress plugin before 3.8 allows for authenticated SQL injection via the "fn_my_ajaxified_dataloader_ajax" AJAX request as the $_REQUEST['order'][0]['dir'] parameter is not properly. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress SQLi Seo Booster
NVD WPScan
CVSS 3.1
7.2
EPSS
1.5%
CVE-2021-44154 HIGH POC PATCH This Week

An issue was discovered in Reprise RLM 14.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Buffer Overflow Reprise License Manager
NVD
CVSS 3.1
7.2
EPSS
1.8%
CVE-2021-44153 HIGH POC PATCH This Week

An issue was discovered in Reprise RLM 14.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Microsoft Information Disclosure Reprise License Manager
NVD
CVSS 3.1
7.2
EPSS
2.0%
CVE-2021-24872 MEDIUM POC This Month

The Get Custom Field Values WordPress plugin before 4.0 allows users with a role as low as Contributor to access other posts metadata without validating the permissions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Get Custom Field Values
NVD WPScan
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-24845 MEDIUM POC This Month

The Improved Include Page WordPress plugin through 1.2 allows passing shortcode attributes with post_type & post_status which can be used to retrieve arbitrary content. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Improved Include Page
NVD WPScan
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-24795 MEDIUM POC This Month

The Filter Portfolio Gallery WordPress plugin through 1.5 is lacking Cross-Site Request Forgery (CSRF) check when deleting a Gallery, which could allow attackers to make a logged in admin delete. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Filter Portfolio Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2021-24784 MEDIUM POC This Month

The WP Admin Logo Changer WordPress plugin through 1.0 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin update them via a CSRF attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Wp Admin Logo Changer
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2021-24955 MEDIUM POC PATCH This Month

The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not escape the data parameter of the pp_get_forms_by_builder_type AJAX action before outputting it back. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress XSS User Registration Login Form User Profile Membership
NVD WPScan
CVSS 3.1
6.1
EPSS
1.0%
CVE-2021-24954 MEDIUM POC PATCH This Month

The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not sanitise and escape the ppress_cc_data parameter before outputting it back in an attribute of an. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress XSS User Registration Login Form User Profile Membership
NVD WPScan
CVSS 3.1
6.1
EPSS
1.0%
CVE-2021-24932 MEDIUM POC This Month

The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.3 does not sanitise and escape the post_id parameter before outputting back in an admin page within a JS block, leading to a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Auto Featured Image
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-24925 MEDIUM POC This Month

The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the current_month_divider parameter of its mec_list_load_more AJAX call (available to both unauthenticated. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Modern Events Calendar Lite
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-24792 MEDIUM POC This Month

The Shiny Buttons WordPress plugin through 1.1.0 does not have any authorisation and CSRF in place when saving a template (wpbtn_save_template function hooked to the init action), nor sanitise and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS Shiny Buttons
NVD WPScan
CVSS 3.1
6.1
EPSS
1.2%
CVE-2021-24756 MEDIUM POC This Month

The WP System Log WordPress plugin before 1.0.21 does not sanitise, validate and escape the IP address retrieved from login requests before outputting them in the admin dashboard, which could allow. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp System Log
NVD WPScan
CVSS 3.1
6.1
EPSS
1.3%
CVE-2021-24045 CRITICAL PATCH Act Now

A type confusion vulnerability could be triggered when resolving the "typeof" unary operator in Facebook Hermes prior to v0.10.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Access of Resource Using Incompatible Type (Type Confusion) vulnerability could allow attackers to execute arbitrary code by exploiting type confusion in the application.

Memory Corruption Information Disclosure Hermes
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-32024 CRITICAL PATCH Act Now

A remote code execution vulnerability in the BMP image codec of BlackBerry QNX SDP version(s) 6.4 to 7.1 could allow an attacker to potentially execute code in the context of the affected process. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Qnx Software Development Platform
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2021-39065 CRITICAL PATCH Act Now

IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input by the Spectrum. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

IBM Command Injection Spectrum Copy Data Management
NVD
CVSS 3.1
9.8
EPSS
2.2%
CVE-2021-39052 CRITICAL PATCH Act Now

IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to access the Spring Boot console without authorization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Information Disclosure Java Spectrum Copy Data Management
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2021-22279 CRITICAL Act Now

A Missing Authentication vulnerability in RobotWare for the OmniCore robot controller allows an attacker to read and modify files on the robot controller if the attacker has access to the Connected. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Omnicore C30 Firmware
NVD
CVSS 3.1
9.8
EPSS
1.4%
CVE-2021-24871 MEDIUM POC This Month

The Get Custom Field Values WordPress plugin before 4.0.1 does not escape custom fields before outputting them in the page, which could allow users with a role as low as contributor to perform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Get Custom Field Values
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24855 MEDIUM POC This Month

The Display Post Metadata WordPress plugin before 1.5.0 adds a shortcode to print out custom fields, however their content is not sanitised or escaped which could allow users with a role as low as. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Display Post Metadata
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24817 MEDIUM POC This Month

The Ultimate NoFollow WordPress plugin through 1.4.8 does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Ultimate Nofollow
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-44155 MEDIUM POC PATCH This Month

An issue was discovered in /goform/login_process in Reprise RLM 14.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Reprise License Manager
NVD
CVSS 3.1
5.3
EPSS
1.8%
CVE-2021-44848 MEDIUM POC THREAT This Month

In Cibele Thinfinity VirtualUI before 3.0, /changePassword returns different responses for invalid authentication requests depending on whether the username exists. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Thinfinity Virtualui
NVD GitHub Exploit-DB
CVSS 3.1
5.3
EPSS
23.1%
CVE-2021-39063 CRITICAL PATCH Act Now

IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information due to a. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Information Disclosure Spectrum Protect Plus
NVD
CVSS 3.1
9.1
EPSS
0.7%
CVE-2021-40858 MEDIUM POC This Month

Auerswald COMpact 5500R devices before 8.2B allow Arbitrary File Disclosure. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Compact 5500R Ip Firmware Compact 5200R Ip Firmware Compact 5000R Ip Firmware Compact 4000 Ip Firmware +6
NVD
CVSS 3.1
4.9
EPSS
2.4%
CVE-2021-39937 HIGH This Week

A collision in access memoization logic in all versions of GitLab CE/EE before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, leads to potential. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Gitlab
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2021-24972 MEDIUM POC This Month

The Pixel Cat WordPress plugin before 2.6.3 does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Pixel Cat
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24896 MEDIUM POC This Month

The Caldera Forms WordPress plugin before 1.9.5 does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Caldera Forms
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24782 MEDIUM POC This Month

The Flex Local Fonts WordPress plugin through 1.0.0 does not escape the Class Name field when adding a font, which could allow hight privilege users to perform Cross-Site Scripting attacks even when. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Flex Local Fonts
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24771 MEDIUM POC This Month

The Inspirational Quote Rotator WordPress plugin through 1.0.0 does not sanitize and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Inspirational Quote Rotator
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24705 MEDIUM POC This Month

The NEX-Forms WordPress plugin before 8.4.3 does not have CSRF checks in place when editing a form, and does not escape some of its settings as well as form fields before outputting them in. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS Nex Forms
NVD WPScan
CVSS 3.1
4.8
EPSS
0.3%
CVE-2021-24859 MEDIUM POC This Month

The User Meta Shortcodes WordPress plugin through 0.5 registers a shortcode that allows any user with a role as low as contributor to access other users metadata by specifying the user login as a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass User Meta Shortcodes
NVD WPScan
CVSS 3.1
4.3
EPSS
0.8%
CVE-2021-24836 MEDIUM POC This Month

The Temporary Login Without Password WordPress plugin before 1.7.1 does not have authorisation and CSRF checks when updating its settings, which could allows any logged-in users, such as subscribers. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Temporary Login Without Password
NVD WPScan
CVSS 3.1
4.3
EPSS
0.3%
CVE-2021-24819 MEDIUM POC This Month

The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Page Post Content Shortcode
NVD WPScan
CVSS 3.1
4.3
EPSS
0.8%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy