{"vulnerability": "cve-2021-2463", "sightings": [{"uuid": "a07ee9f0-8a90-40f2-be8c-b3968901de97", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24632", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/640", "content": "GitHub\u76d1\u63a7\u6d88\u606f\u63d0\u9192\uff01\uff01\uff01\n\n\u66f4\u65b0\u4e86\uff1aCVE-2021\n\u63cf\u8ff0\uff1aPoC for exploiting CVE-2021-36878 : Cross-Site Request Forgery (CSRF) vulnerability in WordPress uListing plugin (versions <= 2.0.5) makes it possible for attackers to update settings.\nURL\uff1ahttps://github.com/AlAIAL90/CVE-2021-24632", "creation_timestamp": "2021-10-05T10:21:27.000000Z"}, {"uuid": "65ba33b5-a2c1-4ed7-b2a5-d911da9f3d7f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24631", "type": "seen", "source": "https://t.me/cibsecurity/31998", "content": "\u203c CVE-2021-24631 \u203c\n\nThe Unlimited PopUps WordPress plugin through 4.5.3 does not sanitise or escape the did GET parameter before using it in a SQL statement, available to users as low as editor, leading to an authenticated SQL Injection\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-11-08T20:29:28.000000Z"}, {"uuid": "f9934a68-f619-410e-b2a7-657add65de94", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24636", "type": "seen", "source": "https://t.me/cibsecurity/29099", "content": "\u203c CVE-2021-24636 \u203c\n\nThe Print My Blog WordPress Plugin before 3.4.2 does not enforce nonce (CSRF) checks, which allows attackers to make logged in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them to open a malicious link\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-09-20T14:27:06.000000Z"}, {"uuid": "64703419-7d0c-47cc-9867-33886d0db38f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24639", "type": "seen", "source": "https://t.me/cibsecurity/29095", "content": "\u203c CVE-2021-24639 \u203c\n\nThe OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-09-20T14:26:59.000000Z"}, {"uuid": "6cea517b-4318-4e29-b840-648a6e670a94", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24638", "type": "seen", "source": "https://t.me/cibsecurity/29086", "content": "\u203c CVE-2021-24638 \u203c\n\nThe OMGF WordPress plugin before 4.5.4 does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS file with Google Fonts CSS, or download fonts uploaded on Google Fonts website.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-09-20T14:26:48.000000Z"}, {"uuid": "c2a3dad1-28b7-41c5-9fb5-221ee4c75929", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24632", "type": "seen", "source": "https://t.me/cibsecurity/29513", "content": "\u203c CVE-2021-24632 \u203c\n\nThe Recipe Card Blocks by WPZOOM WordPress plugin before 2.8.1 does not escape the message parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-09-27T20:40:52.000000Z"}, {"uuid": "4cdbdf16-eb39-4551-aa96-cea912301c84", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-24633", "type": "seen", "source": "https://t.me/cibsecurity/29492", "content": "\u203c CVE-2021-24633 \u203c\n\nThe Countdown Block WordPress plugin before 1.1.2 does not have authorisation in the eb_write_block_css AJAX action, which allows any authenticated user, such as Subscriber, to modify post contents displayed to users.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-09-27T20:34:48.000000Z"}]}