Skip to main content
CVE-2021-47978 MEDIUM POC This Month

ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

LFI Path Traversal PHP
NVD Exploit-DB VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2021-47934 MEDIUM POC This Month

MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP CSRF
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2020-37246 MEDIUM POC This Month

Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

LFI Path Traversal PHP
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2020-37241 MEDIUM POC This Month

bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Bloofoxcms
NVD Exploit-DB GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2020-37234 MEDIUM POC This Month

Internet Download Manager 6.38.12 contains a buffer overflow vulnerability in the Scheduler component that allows local attackers to crash the application by supplying oversized input. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Internet Download Manager
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2021-47975 MEDIUM POC This Month

WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the fieldtitle parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wp Learn Manager
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2021-47981 MEDIUM POC This Month

Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP CSRF
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47957 MEDIUM POC This Month

Cookie Law Bar 1.2.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unsanitized input to the Bar Message field. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Information Disclosure
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37240 MEDIUM POC This Month

Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Queue Management System
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37238 MEDIUM POC This Month

CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Cms Made Simple
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37237 MEDIUM POC This Month

Composr CMS 10.0.34 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the banner management interface. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Composr Cms
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37235 MEDIUM POC This Month

WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47955 MEDIUM POC This Month

CouchCMS 2.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG files through the file upload. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload XSS PHP
NVD Exploit-DB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37236 MEDIUM POC This Month

NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Newslister
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37233 MEDIUM POC This Month

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-46719 MEDIUM PATCH This Month

Metric injection in Net::Statsd::Lite (Perl) affects all releases before v0.9.0, allowing unauthenticated remote attackers to inject arbitrary statsd metrics by embedding newline, colon, or pipe characters into metric names derived from untrusted input. Because the statsd wire protocol uses these characters as record separators and field delimiters, an unsanitized metric name can smuggle additional forged metrics into the UDP stream transmitted to a statsd daemon, corrupting monitoring and telemetry data. No public exploit code exists at time of analysis and the EPSS score of 0.01% (1st percentile) indicates negligible observed exploitation activity; however, the patch diff makes exploitation trivially constructible by any attacker who can influence metric name values in a vulnerable application.

Code Injection Net
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-8681 MEDIUM This Month

Authorization bypass in Essential Chat Support plugin for WordPress versions ≤1.0.1 allows unauthenticated remote attackers to reset all plugin configuration settings to defaults via a single POST request. The vulnerability stems from missing authorization checks in the settings reset function, enabling tampering with general settings, display rules, custom CSS, and WooCommerce integration without credentials. CVSS 5.3 indicates medium severity with network-accessible exploitation requiring no privileges or user interaction. No public exploit identified at time of analysis, though the attack is trivial given the simple POST parameter requirement.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-4202 MEDIUM This Month

Authorization bypass in Multicollab WordPress plugin allows authenticated attackers with Subscriber-level privileges to inject comments into arbitrary editorial collaborations. This affects all versions up to and including 5.2. While CVSS rates this 4.3 (Low), the ability for low-privileged users to pollute editorial workflows could enable social engineering, misinformation injection into content review processes, or disruption of collaborative editing. EPSS data not provided. No active exploitation confirmed (not in CISA KEV). Patch available in version 3519252 per WordPress plugin repository changeset.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy