Skip to main content
CVE-2021-24872 MEDIUM POC This Month

The Get Custom Field Values WordPress plugin before 4.0 allows users with a role as low as Contributor to access other posts metadata without validating the permissions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Get Custom Field Values
NVD WPScan
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-24845 MEDIUM POC This Month

The Improved Include Page WordPress plugin through 1.2 allows passing shortcode attributes with post_type & post_status which can be used to retrieve arbitrary content. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Improved Include Page
NVD WPScan
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-24795 MEDIUM POC This Month

The Filter Portfolio Gallery WordPress plugin through 1.5 is lacking Cross-Site Request Forgery (CSRF) check when deleting a Gallery, which could allow attackers to make a logged in admin delete. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Filter Portfolio Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2021-24784 MEDIUM POC This Month

The WP Admin Logo Changer WordPress plugin through 1.0 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin update them via a CSRF attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Wp Admin Logo Changer
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2021-24955 MEDIUM POC PATCH This Month

The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not escape the data parameter of the pp_get_forms_by_builder_type AJAX action before outputting it back. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress XSS User Registration Login Form User Profile Membership
NVD WPScan
CVSS 3.1
6.1
EPSS
1.0%
CVE-2021-24954 MEDIUM POC PATCH This Month

The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not sanitise and escape the ppress_cc_data parameter before outputting it back in an attribute of an. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

WordPress XSS User Registration Login Form User Profile Membership
NVD WPScan
CVSS 3.1
6.1
EPSS
1.0%
CVE-2021-24932 MEDIUM POC This Month

The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.3 does not sanitise and escape the post_id parameter before outputting back in an admin page within a JS block, leading to a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Auto Featured Image
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-24925 MEDIUM POC This Month

The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the current_month_divider parameter of its mec_list_load_more AJAX call (available to both unauthenticated. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Modern Events Calendar Lite
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-24792 MEDIUM POC This Month

The Shiny Buttons WordPress plugin through 1.1.0 does not have any authorisation and CSRF in place when saving a template (wpbtn_save_template function hooked to the init action), nor sanitise and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS Shiny Buttons
NVD WPScan
CVSS 3.1
6.1
EPSS
1.2%
CVE-2021-24756 MEDIUM POC This Month

The WP System Log WordPress plugin before 1.0.21 does not sanitise, validate and escape the IP address retrieved from login requests before outputting them in the admin dashboard, which could allow. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp System Log
NVD WPScan
CVSS 3.1
6.1
EPSS
1.3%
CVE-2021-24871 MEDIUM POC This Month

The Get Custom Field Values WordPress plugin before 4.0.1 does not escape custom fields before outputting them in the page, which could allow users with a role as low as contributor to perform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Get Custom Field Values
NVD WPScan
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-24855 MEDIUM POC This Month

The Display Post Metadata WordPress plugin before 1.5.0 adds a shortcode to print out custom fields, however their content is not sanitised or escaped which could allow users with a role as low as. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Display Post Metadata
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-24817 MEDIUM POC This Month

The Ultimate NoFollow WordPress plugin through 1.4.8 does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Ultimate Nofollow
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-44155 MEDIUM POC PATCH This Month

An issue was discovered in /goform/login_process in Reprise RLM 14.2. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Reprise License Manager
NVD
CVSS 3.1
5.3
EPSS
1.8%
CVE-2021-44848 MEDIUM POC THREAT This Month

In Cibele Thinfinity VirtualUI before 3.0, /changePassword returns different responses for invalid authentication requests depending on whether the username exists. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Thinfinity Virtualui
NVD GitHub Exploit-DB
CVSS 3.1
5.3
EPSS
23.1%
CVE-2021-40858 MEDIUM POC This Month

Auerswald COMpact 5500R devices before 8.2B allow Arbitrary File Disclosure. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Compact 5500R Ip Firmware Compact 5200R Ip Firmware Compact 5000R Ip Firmware Compact 4000 Ip Firmware +6
NVD
CVSS 3.1
4.9
EPSS
2.4%
CVE-2021-24972 MEDIUM POC This Month

The Pixel Cat WordPress plugin before 2.6.3 does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Pixel Cat
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24896 MEDIUM POC This Month

The Caldera Forms WordPress plugin before 1.9.5 does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Caldera Forms
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24782 MEDIUM POC This Month

The Flex Local Fonts WordPress plugin through 1.0.0 does not escape the Class Name field when adding a font, which could allow hight privilege users to perform Cross-Site Scripting attacks even when. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Flex Local Fonts
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24771 MEDIUM POC This Month

The Inspirational Quote Rotator WordPress plugin through 1.0.0 does not sanitize and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Inspirational Quote Rotator
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-24705 MEDIUM POC This Month

The NEX-Forms WordPress plugin before 8.4.3 does not have CSRF checks in place when editing a form, and does not escape some of its settings as well as form fields before outputting them in. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress XSS Nex Forms
NVD WPScan
CVSS 3.1
4.8
EPSS
0.3%
CVE-2021-24859 MEDIUM POC This Month

The User Meta Shortcodes WordPress plugin through 0.5 registers a shortcode that allows any user with a role as low as contributor to access other users metadata by specifying the user login as a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass User Meta Shortcodes
NVD WPScan
CVSS 3.1
4.3
EPSS
0.8%
CVE-2021-24836 MEDIUM POC This Month

The Temporary Login Without Password WordPress plugin before 1.7.1 does not have authorisation and CSRF checks when updating its settings, which could allows any logged-in users, such as subscribers. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Temporary Login Without Password
NVD WPScan
CVSS 3.1
4.3
EPSS
0.3%
CVE-2021-24819 MEDIUM POC This Month

The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Page Post Content Shortcode
NVD WPScan
CVSS 3.1
4.3
EPSS
0.8%
CVE-2021-24818 MEDIUM POC This Month

The WP Limits WordPress plugin through 1.0 does not have CSRF check when saving its settings, allowing attacker to make a logged in admin change them, which could make the blog unstable by setting. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Wp Limits
NVD WPScan
CVSS 3.1
4.3
EPSS
0.4%
CVE-2021-24790 MEDIUM POC This Month

The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions, available to any. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress PHP Authentication Bypass Contact Form Advanced Database
NVD WPScan
CVSS 3.1
4.3
EPSS
0.4%
CVE-2021-24780 MEDIUM POC This Month

The Single Post Exporter WordPress plugin through 1.1.1 does not have CSRF checks when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Single Post Exporter
NVD WPScan
CVSS 3.1
4.3
EPSS
0.4%
CVE-2021-43823 MEDIUM PATCH This Month

Sourcegraph is a code search and navigation engine. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Sourcegraph
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2021-40007 MEDIUM This Month

There is an information leak vulnerability in eCNS280_TD V100R005C10SPC650. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Ecns280 Td Firmware
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2021-39940 MEDIUM This Month

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Gitlab
NVD
CVSS 3.1
6.5
EPSS
1.5%
CVE-2021-39939 MEDIUM This Month

An uncontrolled resource consumption vulnerability in GitLab Runner affecting all versions starting from 13.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Docker Denial Of Service Gitlab
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-39938 MEDIUM This Month

A vulnerable regular expression pattern in GitLab CE/EE since version 8.15 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Gitlab
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-39933 MEDIUM This Month

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Gitlab
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2021-39917 MEDIUM This Month

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
1.3%
CVE-2021-20867 MEDIUM This Month

Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a user to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Advanced Custom Fields
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2021-20866 MEDIUM This Month

Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in obtaining the user list which may allow a user to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Advanced Custom Fields
NVD
CVSS 3.1
6.5
EPSS
1.7%
CVE-2021-43817 MEDIUM This Month

Collabora Online is a collaborative online office suite based on LibreOffice technology. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft XSS Online
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-42549 MEDIUM This Month

Insufficient Input Validation in the search functionality of Wordpress plugin Lets-Box prior to 1.15.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Lets Box
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2021-42548 MEDIUM This Month

Insufficient Input Validation in the search functionality of Wordpress plugin Share-one-Drive prior to 1.15.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Share One Drive
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2021-42547 MEDIUM This Month

Insufficient Input Validation in the search functionality of Wordpress plugin Out-of-the-Box prior to 1.20.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Out Of The Box
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2021-42546 MEDIUM This Month

Insufficient Input Validation in the search functionality of Wordpress plugin Use-Your-Drive prior to 1.18.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Use Your Drive
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2021-36169 MEDIUM This Month

A Hidden Functionality in Fortinet FortiOS 7.x before 7.0.1, FortiOS 6.4.x before 6.4.7 allows attacker to Execute unauthorized code or commands via specific hex read/write operations. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.

Fortinet Authentication Bypass Fortios
NVD
CVSS 3.1
6.0
EPSS
0.2%
CVE-2021-39048 MEDIUM PATCH This Month

IBM Spectrum Protect Client 7.1 and 8.1 is vulnerable to a stack based buffer overflow, caused by improper bounds checking. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Buffer Overflow Denial Of Service IBM Memory Corruption Spectrum Protect Backup Archive Client +1
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2021-38901 MEDIUM PATCH This Month

IBM Spectrum Protect Operations Center 7.1, under special configurations, could allow a local user to obtain highly sensitive information. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

IBM Information Disclosure Spectrum Protect Operations Center
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2021-39054 MEDIUM PATCH This Month

IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to hijack the clicking action of the victim. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

IBM XSS Spectrum Copy Data Management
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-39941 MEDIUM This Month

An information disclosure vulnerability in GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed non-project members to see the default branch name for projects that. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Gitlab Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
1.2%
CVE-2021-39915 MEDIUM This Month

Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Gitlab Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
1.1%
CVE-2021-39919 MEDIUM This Month

In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Gitlab Information Disclosure
NVD
CVSS 3.1
4.4
EPSS
0.3%
CVE-2021-39936 MEDIUM This Month

Improper access control in GitLab CE/EE affecting all versions starting from 10.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
1.0%
CVE-2021-39934 MEDIUM This Month

Improper access control allows any project member to retrieve the service desk email address in GitLab CE/EE versions starting 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.9%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy