Lucene search
K

88014 matches found

Nuclei
Nuclei
added 7 hours ago23 views

Paid Memberships Pro < 2.6.6 - Cross-Site Scripting

The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting id: CVE-2021-24979 info: name: Paid Memberships Pro 2.6.6 - Cross-Site Scripting author: r3Y3r53 severity:...

6.1CVSS6.4AI score0.01868EPSS
Exploits2References3
Nuclei
Nuclei
added 7 hours ago172 views

ZTE MF971R - Referer authentication bypass

ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use this vulnerability to perform illegal authorization operations by sending a request to the user to click. id: CVE-2021-21745 info: name: ZTE MF971R - Referer authentication bypass...

4.3CVSS6.6AI score0.55709EPSS
Exploits0References4
Nuclei
Nuclei
added 7 hours ago25 views

SCIMono <0.0.19 - Remote Code Execution

SCIMono before 0.0.19 is vulnerable to remote code execution because it is possible for an attacker to inject and execute java expressions and compromise the availability and integrity of the system. id: CVE-2021-21479 info: name: SCIMono 0.0.19 - Remote Code Execution author: dwisiswant0 severit...

9.1CVSS7.8AI score0.09993EPSS
Exploits0References5
Nuclei
Nuclei
added 7 hours ago74 views

Adminer <4.7.9 - Server-Side Request Forgery

Adminer before 4.7.9 is susceptible to server-side request forgery due to exposure of sensitive information in error messages. Users of Adminer versions bundling all drivers, e.g. adminer.php, are affected. An attacker can possibly obtain this information, modify data, and/or execute unauthorized...

7.2CVSS7.4AI score0.90461EPSS
Exploits3References5
Nuclei
Nuclei
added 7 hours ago29 views

Trendnet AC2600 TEW-827DRU 2.08B01 - Admin Password Change

Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicious actor to force change the admin password due to a hidden administrative command. id: CVE-2021-20158 info: name: Trendnet AC2600 TEW-827DRU 2.08B01 - Admin...

9.8CVSS6.7AI score0.4006EPSS
Exploits0References4
Nuclei
Nuclei
added 7 hours ago42 views

Advantech R-SeeNet - Cross-Site Scripting

Advantech R-SeeNet contains a cross-site scripting vulnerability in the devicegraphpage.php script via the deviceid parameter. A specially crafted URL by an attacker can lead to arbitrary JavaScript code execution. id: CVE-2021-21802 info: name: Advantech R-SeeNet - Cross-Site Scripting author:...

9.6CVSS7AI score0.63415EPSS
Exploits2References4
Nuclei
Nuclei
added 7 hours ago54 views

BuddyPress REST API <7.2.1 - Privilege Escalation/Remote Code Execution

WordPress BuddyPress before version 7.2.1 is susceptible to a privilege escalation vulnerability that can be leveraged to perform remote code execution. id: CVE-2021-21389 info: name: BuddyPress REST API 7.2.1 - Privilege Escalation/Remote Code Execution author: lotusdll severity: high descriptio...

9CVSS7.5AI score0.13882EPSS
Exploits2References5
Nuclei
Nuclei
added 7 hours ago33 views

WordPress Kaswara Modern VC Addons <=3.0.1 - Arbitrary File Upload

WordPress Kaswara Modern VC Addons plugin through 3.0.1 is susceptible to an arbitrary file upload. The plugin allows unauthenticated arbitrary file upload via the uploadFontIcon AJAX action, which can be used to obtain code execution. The supplied zipfile is unzipped in the...

9.8CVSS7.8AI score0.4214EPSS
Exploits3References6
Nuclei
Nuclei
added 7 hours ago35 views

WordPress Goto Tour & Travel Theme <2.0 - Cross-Site Scripting

WordPress Goto Tour & Travel theme before 2.0 contains an unauthenticated reflected cross-site scripting vulnerability. It does not sanitize the keywords and startdate GET parameters on its Tour List page. id: CVE-2021-24235 info: name: WordPress Goto Tour & Travel Theme =2.0 to mitigate the XSS...

6.1CVSS6.2AI score0.02927EPSS
Exploits2References5
Nuclei
Nuclei
added 7 hours ago36 views

WordPress Photo Gallery by 10Web <1.5.69 - Cross-Site Scripting

WordPress Photo Gallery by 10Web plugin before 1.5.69 contains multiple reflected cross-site scripting vulnerabilities via the galleryid, tag, albumid and themeid GET parameters passed to the bwgfrontenddata AJAX action, available to both unauthenticated and authenticated users. id: CVE-2021-2429...

6.1CVSS6.3AI score0.1445EPSS
Exploits2References3
Nuclei
Nuclei
added 7 hours ago18 views

Thinfinity Iframe Injection

A vulnerability exists in Thinfinity VirtualUI in a function located in /lab.html reachable which by default could allow IFRAME injection via the "vpath" parameter. id: CVE-2021-45092 info: name: Thinfinity Iframe Injection author: danielmofer severity: critical description: A vulnerability exist...

9.8CVSS6.7AI score0.39973EPSS
Exploits7References5
Nuclei
Nuclei
added 7 hours ago23 views

ehicle Service Management System 1.0 - Cross-Site Scripting

Vehicle Service Management System 1.0 contains a stored cross-site scripting vulnerability via the Category List section in login panel. id: CVE-2021-46071 info: name: ehicle Service Management System 1.0 - Cross-Site Scripting author: TenBird severity: medium description: | Vehicle Service...

4.8CVSS5.6AI score0.02736EPSS
Exploits1References5
Nuclei
Nuclei
added 7 hours ago26 views

Clustering Local File Inclusion

Clustering master branch as of commit 53e663e259bcfc8cdecb56c0bb255bd70bfcaa70 is affected by a directory traversal vulnerability. This attack can cause the disclosure of critical secrets stored anywhere on the system and can significantly aid in getting remote code access. id: CVE-2021-43496 inf...

7.5CVSS7.4AI score0.15689EPSS
Exploits1References5
Nuclei
Nuclei
added 7 hours ago25 views

Prismatic < 2.8 - Cross-Site Scripting

The plugin does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator id: CVE-2021-24409 info: name: Prismatic 2.8 - Cross-Site Scripting author: Harsh...

6.1CVSS6.3AI score0.01793EPSS
Exploits2References2
Nuclei
Nuclei
added 7 hours ago38 views

WordPress Transposh Translation <1.0.8 - Cross-Site Scripting

WordPress Transposh Translation plugin before 1.0.8 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the a parameter via an AJAX action available to both unauthenticated and authenticated users when the curl library is installed before outputting it back in...

6.1CVSS6.6AI score0.01266EPSS
Exploits4References5
Nuclei
Nuclei
added 7 hours ago31 views

WordPress The Plus Addons for Elementor <4.1.12 - Cross-Site Scripting

WordPress The Plus Addons for Elementor plugin before 4.1.12 is susceptible to cross-site scripting. The plugin does not properly sanitize some of its fields in the heplusmorepost AJAX action, which is exploitable by both unauthenticated and authenticated users. An attacker can inject arbitrary...

6.1CVSS5.8AI score0.02483EPSS
Exploits2References5
Nuclei
Nuclei
added 7 hours ago42 views

WordPress Jannah Theme <5.4.4 - Cross-Site Scripting

WordPress Jannah theme before 5.4.4 contains a reflected cross-site scripting vulnerability. It does not properly sanitize the options JSON parameter in its tiegetuserweather AJAX action before outputting it back in the page. id: CVE-2021-24364 info: name: WordPress Jannah Theme 5.4.4 - Cross-Sit...

6.1CVSS6.2AI score0.01975EPSS
Exploits2References5
Nuclei
Nuclei
added 7 hours ago38 views

WordPress SP Project & Document Manager <4.22 - Authenticated Shell Upload

WordPress SP Project & Document Manager plugin before 4.22 is susceptible to authenticated shell upload. The plugin allows users to upload files; however, the plugin attempts to prevent PHP and other similar executable files from being uploaded via checking the file extension. PHP files can still...

8.8CVSS7.2AI score0.52007EPSS
Exploits8References5
Nuclei
Nuclei
added 7 hours ago55 views

WordPress Calendar Event Multi View <1.4.01 - Cross-Site Scripting

WordPress Calendar Event Multi View plugin before 1.4.01 contains an unauthenticated reflected cross-site scripting vulnerability. It does not sanitize or escape the 'start' and 'end' GET parameters before outputting them in the page via php/edit.php. id: CVE-2021-24498 info: name: WordPress...

6.1CVSS6AI score0.03065EPSS
Exploits2References4
Nuclei
Nuclei
added 7 hours ago31 views

WordPress Ocean Extra <1.9.5 - Cross-Site Scripting

WordPress Ocean Extra plugin before 1.9.5 contains a cross-site scripting vulnerability. The plugin does not escape generated links which are then used when the OceanWP theme is active. id: CVE-2021-25104 info: name: WordPress Ocean Extra 1.9.5 - Cross-Site Scripting author: Akincibor severity:...

6.1CVSS6.2AI score0.01355EPSS
Exploits2References5
Rows per page
Query Builder