May 14, 2021 Cyber Threat Intelligence

Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.

Daily summary

  • Chamilo: public exploit or PoC linked (RCE)
  • WordPress plugin RCE/exploit activity: 2 CVEs flagged today.
  • 7 new critical disclosures — review patch status on exposed services.

Top threats today

Three highest-priority changes — analyst brief, not a CVE dump.

Active exploit activity

CVE-2021-31933 Chamilo RCE

  • Public exploit or PoC available
  • Exploit activity linked
  • Remote code execution exposure

Chamilo RCE now has public exploit or PoC linkage — assume opportunistic scanning and targeted follow-on activity.

Critical exposure

CVE-2020-23691 YFCMF v2.3.1 has a Remote Command Execution (RCE) vulnerability in the index.php.

  • CVSS 9.8
  • Remote code execution exposure

New critical Yfcmf RCE (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2021-24285 Cars-seller-auto-classifieds-script Project Cars-seller-auto-classifieds-script SQL Injection

  • CVSS 9.8
  • Internet-facing CMS deployments affected

New critical Cars-seller-auto-classifieds-script Project Cars-seller-auto-classifieds-script SQL Injection (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Active exploitation

CISA KEV — confirmed in-the-wild exploitation.

Nothing flagged in this category for this digest.

View KEV additions

Exploit & PoC activity

CVE-2021-31933 Exploit

A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file u...

View new exploit links

Exploitation dynamics

Nothing flagged in this category for this digest.

See EPSS increases

New critical disclosures

CVE-2020-18166 CVSS 9.8

Unrestricted File Upload in LAOBANCMS v2.0 allows remote attackers to upload arbitrary files by attaching a file with a ".jpg.php" extens...

CVE-2020-23691 CVSS 9.8

YFCMF v2.3.1 has a Remote Command Execution (RCE) vulnerability in the index.php.

CVE-2021-24284 CVSS 9.8

The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX ac...

CVE-2021-24285 CVSS 9.8

The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenti...

CVE-2021-25941 CVSS 9.8

Prototype pollution vulnerability in 'deep-override' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may...

CVE-2021-25943 CVSS 9.8

Prototype pollution vulnerability in '101' versions 1.0.0 through 1.6.3 allows an attacker to cause a denial of service and may lead to r...

CVE-2021-3402 CVSS 9.1

An integer overflow and several buffer overflow reads in libyara/modules/macho/macho.c in YARA v4.0.3 and earlier could allow an attacker...

View critical disclosures

cvelogic Threat Intelligence