Skip to main content
CVE-2023-45540 MEDIUM POC This Month

An issue in Jorani Leave Management System 1.0.3 allows a remote attacker to execute arbitrary HTML code via a crafted script to the comment field of the List of Leave requests page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Leave Management System
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2023-45689 MEDIUM POC This Month

Lack of sufficient path validation in South River Technologies' Titan MFT and Titan SFTP servers on Windows and Linux allows an authenticated attacker with administrative privileges to read any file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Microsoft Titan Mft Server Titan Sftp Server
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2023-40791 MEDIUM POC PATCH This Month

extract_user_to_sg in lib/scatterlist.c in the Linux kernel before 6.4.12 fails to unpin pages in a certain situation, as demonstrated by a WARNING for try_grab_page. Rated medium severity (CVSS 6.3). Public exploit code available.

Information Disclosure Linux Linux Kernel H300s Firmware H500s Firmware +2
NVD
CVSS 3.1
6.3
EPSS
0.4%
CVE-2023-45542 MEDIUM POC This Month

Cross Site Scripting vulnerability in mooSocial 3.1.8 allows a remote attacker to obtain sensitive information via a crafted script to the q parameter in the Search function. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Moosocial
NVD GitHub
CVSS 3.1
6.1
EPSS
1.6%
CVE-2023-4950 MEDIUM POC This Month

The Interactive Contact Form and Multi Step Form Builder WordPress plugin before 3.4 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Funnelforms
NVD WPScan
CVSS 3.1
6.1
EPSS
0.5%
CVE-2023-4819 MEDIUM POC This Month

The Shared Files WordPress plugin before 1.7.6 does not return the right Content-Type header for the specified uploaded file. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection WordPress Shared Files
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2023-4687 MEDIUM POC This Month

The Page Builder: Pagelayer WordPress plugin before 1.7.7 doesn't prevent unauthenticated attackers from updating a post's header or footer code on scheduled posts. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Pagelayer
NVD WPScan
CVSS 3.1
6.1
EPSS
0.5%
CVE-2023-4290 MEDIUM POC This Month

The WP Matterport Shortcode WordPress plugin before 2.1.7 does not escape the PHP_SELF server variable when outputting it in attributes, leading to Reflected Cross-Site Scripting issues which could. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Matterport Shortcode
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2023-4620 MEDIUM POC This Month

The Booking Calendar WordPress plugin before 9.7.3.1 does not sanitize and escape some of its booking from data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Booking Calendar
NVD WPScan
CVSS 3.1
6.1
EPSS
0.5%
CVE-2023-5595 MEDIUM POC PATCH This Month

Denial of Service in GitHub repository gpac/gpac prior to 2.3.0-DEV. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Gpac
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2023-40851 MEDIUM POC This Month

Cross Site Scripting (XSS) vulnerability in Phpgurukul User Registration & Login and User Management System With admin panel 3.0 allows attackers to run arbitrary code via fname, lname, email, and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS User Registration Login And User Management System With Admin Panel
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-5167 MEDIUM POC This Month

The User Activity Log Pro WordPress plugin before 2.3.4 does not properly escape recorded User-Agents in the user activity logs dashboard, which may allow visitors to conduct Stored Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS User Activity Log
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-5087 MEDIUM POC This Month

The Page Builder: Pagelayer WordPress plugin before 1.7.8 doesn't prevent attackers with author privileges and higher from inserting malicious JavaScript inside a post's header or footer code. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Pagelayer
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-5057 MEDIUM POC This Month

The ActivityPub WordPress plugin before 1.0.0 does not escape user metadata before outputting them in mentions, which could allow users with a role of Contributor and above to perform Stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Activitypub
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-4821 MEDIUM POC This Month

The Drag and Drop Multiple File Upload for WooCommerce WordPress plugin before 1.1.1 does not filter all potentially dangerous file extensions. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload WordPress Drag And Drop Multiple File Uploader
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-4820 MEDIUM POC This Month

The PowerPress Podcasting plugin by Blubrry WordPress plugin before 11.0.12 does not sanitize and escape the media url field in posts, which could allow users with privileges as low as contributor to. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection WordPress Powerpress
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-4811 MEDIUM POC This Month

The WordPress File Upload WordPress plugin before 4.23.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload WordPress XSS Wordpress File Upload
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-4805 MEDIUM POC This Month

The Tutor LMS WordPress plugin before 2.3.0 does not sanitise and escape some of its settings, which could allow users such as subscriber to perform Stored Cross-Site Scripting attacks even when the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Tutor Lms
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-4798 MEDIUM POC This Month

The User Avatar WordPress plugin before 1.2.2 does not properly sanitize and escape certain of its shortcodes attributes, which could allow relatively low-privileged users like contributors to. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS User Avatar Reloaded
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-4795 MEDIUM POC This Month

The Testimonial Slider Shortcode WordPress plugin before 1.1.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Testimonial Slider Shortcode
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-4783 MEDIUM POC This Month

The Magee Shortcodes WordPress plugin through 2.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Magee Shortcodes
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-4646 MEDIUM POC This Month

The Simple Posts Ticker WordPress plugin before 1.1.6 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Simple Posts Ticker
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-4289 MEDIUM POC This Month

The WP Matterport Shortcode WordPress plugin before 2.1.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Matterport Shortcode
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-3746 MEDIUM POC This Month

The ActivityPub WordPress plugin before 1.0.0 does not sanitize and escape some data from post content, which could allow contributor and above role to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Activitypub
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-5561 MEDIUM POC This Month

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Oracle WordPress Information Disclosure
NVD WPScan
CVSS 3.1
5.3
EPSS
3.9%
CVE-2023-5177 MEDIUM POC This Month

The Vrm 360 3D Model Viewer WordPress plugin through 1.2.1 exposes the full path of a file when putting in a non-existent file in a parameter of the shortcode. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Vrm360
NVD WPScan
CVSS 3.1
5.3
EPSS
0.5%
CVE-2023-5089 MEDIUM POC This Month

The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Defender Security
NVD WPScan
CVSS 3.1
5.3
EPSS
2.2%
CVE-2023-4933 MEDIUM POC This Month

The WP Job Openings WordPress plugin before 3.4.3 does not block listing the contents of the directories where it stores attachments to job applications, allowing unauthenticated visitors to list and. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Information Disclosure WordPress Wp Job Openings
NVD WPScan
CVSS 3.1
5.3
EPSS
0.5%
CVE-2023-3279 MEDIUM POC This Month

The WordPress Gallery Plugin WordPress plugin before 3.39 does not validate some block attributes before using them to generate paths passed to include function/s, allowing Admin users to perform LFI. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Nextgen Gallery
NVD WPScan
CVSS 3.1
4.9
EPSS
0.8%
CVE-2023-45690 MEDIUM POC This Month

Default file permissions on South River Technologies' Titan MFT and Titan SFTP servers on Linux allows a user that's authentication to the OS to read sensitive files on the filesystem. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Titan Ftp Server Titan Mft Server
NVD
CVSS 3.1
4.9
EPSS
1.5%
CVE-2023-4862 MEDIUM POC This Month

The File Manager Pro WordPress plugin before 1.8.1 does not adequately validate and escape some inputs, leading to XSS by high-privilege users. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Filester
NVD WPScan
CVSS 3.1
4.8
EPSS
0.4%
CVE-2023-4725 MEDIUM POC This Month

The Simple Posts Ticker WordPress plugin before 1.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Simple Posts Ticker
NVD WPScan
CVSS 3.1
4.8
EPSS
0.4%
CVE-2023-4388 MEDIUM POC This Month

The EventON WordPress plugin before 2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Eventon
NVD WPScan
CVSS 3.1
4.8
EPSS
0.4%
CVE-2023-45150 MEDIUM POC PATCH This Month

Nextcloud calendar is a calendar app for the Nextcloud server platform. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Denial Of Service Nextcloud Calendar
NVD GitHub
CVSS 3.1
4.3
EPSS
0.4%
CVE-2023-3707 MEDIUM POC This Month

The ActivityPub WordPress plugin before 1.0.0 does not ensure that post contents to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Activitypub
NVD WPScan
CVSS 3.1
4.3
EPSS
0.5%
CVE-2023-3706 MEDIUM POC This Month

The ActivityPub WordPress plugin before 1.0.0 does not ensure that post titles to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Activitypub
NVD WPScan
CVSS 3.1
4.3
EPSS
0.5%
CVE-2023-45688 MEDIUM POC This Month

Lack of sufficient path validation in South River Technologies' Titan MFT and Titan SFTP servers on Linux allows an authenticated attacker to get the size of an arbitrary file on the filesystem using. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Titan Mft Server Titan Sftp Server
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2023-21414 MEDIUM This Month

NCC Group has found a flaw during the annual internal penetration test ordered by Axis Communications. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Stack Overflow Buffer Overflow Axis Os
NVD
CVSS 3.1
6.8
EPSS
0.2%
CVE-2023-4800 MEDIUM This Month

The DoLogin Security WordPress plugin before 3.7.1 does not restrict the access of a widget that shows the IPs of failed logins to low privileged users. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress Dologin Security
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2023-29484 MEDIUM PATCH This Month

In Terminalfour before 8.3.16, misconfigured LDAP users are able to login with an invalid password. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Terminalfour
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2023-5575 MEDIUM This Month

Improper access control in the permission inheritance in Devolutions Server 2022.3.13.0 and earlier allows an attacker that compromised a low privileged user to access entries via a specific. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Devolutions Server
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-43666 MEDIUM PATCH This Month

Insufficient Verification of Data Authenticity vulnerability in Apache InLong.4.0 through 1.8.0, General user can view all user data like Admin account. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Inlong
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-5591 MEDIUM PATCH This Month

SQL Injection in GitHub repository librenms/librenms prior to 23.10.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

SQLi Librenms
NVD GitHub
CVSS 3.1
6.5
EPSS
22.2%
CVE-2023-43658 MEDIUM PATCH This Month

dicourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Discourse Calendar
NVD GitHub
CVSS 3.1
6.1
EPSS
0.5%
CVE-2023-45683 MEDIUM PATCH This Month

github.com/crewjam/saml is a saml library for the go language. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Saml
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2023-45757 MEDIUM This Month

Security vulnerability in Apache bRPC <=1.6.0 on all platforms allows attackers to inject XSS code to the builtin rpcz page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XSS Brpc
NVD
CVSS 3.1
6.1
EPSS
1.0%
CVE-2023-5421 MEDIUM This Month

An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediatly after the. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Otrs
NVD
CVSS 3.1
5.5
EPSS
0.4%
CVE-2023-45807 MEDIUM PATCH This Month

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Opensearch
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-43659 MEDIUM This Month

Discourse is an open source platform for community discussion. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Discourse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-46066 MEDIUM This Month

Auth. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Mediabay Wordpress Media Library Folders
NVD
CVSS 3.1
5.4
EPSS
0.3%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy