May 14, 2021 Cyber Threat Intelligence
Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.
Daily summary
- Chamilo: public exploit or PoC linked (RCE)
- WordPress plugin RCE/exploit activity: 2 CVEs flagged today.
- 7 new critical disclosures — review patch status on exposed services.
Top threats today
Three highest-priority changes — analyst brief, not a CVE dump.
Active exploit activity
- Public exploit or PoC available
- Exploit activity linked
- Remote code execution exposure
Chamilo RCE now has public exploit or PoC linkage — assume opportunistic scanning and targeted follow-on activity.
Critical exposure
CVE-2020-23691
YFCMF v2.3.1 has a Remote Command Execution (RCE) vulnerability in the index.php.
- CVSS 9.8
- Remote code execution exposure
New critical Yfcmf RCE (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.
Critical exposure
CVE-2021-24285
Cars-seller-auto-classifieds-script Project Cars-seller-auto-classifieds-script SQL Injection
- CVSS 9.8
- Internet-facing CMS deployments affected
New critical Cars-seller-auto-classifieds-script Project Cars-seller-auto-classifieds-script SQL Injection (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.
Active exploitation
CISA KEV — confirmed in-the-wild exploitation.
Nothing flagged in this category for this digest.
View KEV additions
Exploit & PoC activity
A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file u...
View new exploit links
Exploitation dynamics
Nothing flagged in this category for this digest.
See EPSS increases
New critical disclosures
Unrestricted File Upload in LAOBANCMS v2.0 allows remote attackers to upload arbitrary files by attaching a file with a ".jpg.php" extens...
YFCMF v2.3.1 has a Remote Command Execution (RCE) vulnerability in the index.php.
The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX ac...
The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenti...
Prototype pollution vulnerability in 'deep-override' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may...
Prototype pollution vulnerability in '101' versions 1.0.0 through 1.6.3 allows an attacker to cause a denial of service and may lead to r...
An integer overflow and several buffer overflow reads in libyara/modules/macho/macho.c in YARA v4.0.3 and earlier could allow an attacker...
View critical disclosures
cvelogic
Threat Intelligence