Sep 28, 2021 Cyber Threat Intelligence

Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.

Daily summary

  • Cozmoslabs Translatepress: public exploit or PoC linked (XSS)
  • 8 new critical disclosures — review patch status on exposed services.

Top threats today

Three highest-priority changes — analyst brief, not a CVE dump.

Active exploit activity

CVE-2021-24274 Supsystic Ultimate Maps XSS

  • Public exploit or PoC available
  • Exploit activity linked
  • Internet-facing CMS deployments affected

WordPress plugin exposure with public exploit material — mass targeting of internet-facing CMS installs is common once PoCs circulate.

Active exploit activity

CVE-2021-24275 Supsystic Popup XSS

  • Public exploit or PoC available
  • Exploit activity linked
  • Internet-facing CMS deployments affected

WordPress plugin exposure with public exploit material — mass targeting of internet-facing CMS installs is common once PoCs circulate.

Critical exposure

CVE-2020-20120 Thinkphp SQL Injection

  • CVSS 9.8

New critical Thinkphp SQL Injection (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Active exploitation

CISA KEV — confirmed in-the-wild exploitation.

Nothing flagged in this category for this digest.

View KEV additions

Exploit & PoC activity

CVE-2021-24610 Exploit

The TranslatePress WordPress plugin before 2.0.9 does not implement a proper sanitisation on the translated strings.

CVE-2021-24274 Exploit

The Ultimate Maps by Supsystic WordPress plugin before 1.2.5 did not sanitise the tab parameter of its options page before outputting it...

CVE-2021-24275 Exploit

The Popup by Supsystic WordPress plugin before 1.10.5 did not sanitise the tab parameter of its options page before outputting it in an a...

CVE-2021-24276 Exploit

The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it...

View new exploit links

Exploitation dynamics

Nothing flagged in this category for this digest.

See EPSS increases

New critical disclosures

CVE-2020-20120 CVSS 9.8

ThinkPHP v3.2.3 and below contains a SQL injection vulnerability which is triggered when the array is not passed to the "where" and "quer...

CVE-2020-20122 CVSS 9.8

Wuzhi CMS v4.1 contains a SQL injection vulnerability in the checktitle() function in /coreframe/app/content/admin/content.php.

CVE-2021-36363 CVSS 9.8

Nagios XI before 5.8.5 has Incorrect Permission Assignment for migrate.php.

CVE-2021-36364 CVSS 9.8

Nagios XI before 5.8.5 incorrectly allows backup_xi.sh wildcards.

CVE-2021-36365 CVSS 9.8

Nagios XI before 5.8.5 has Incorrect Permission Assignment for repairmysql.sh.

CVE-2021-36366 CVSS 9.8

Nagios XI before 5.8.5 incorrectly allows manage_services.sh wildcards.

CVE-2021-38124 CVSS 9.8

Remote Code Execution vulnerability in Micro Focus ArcSight Enterprise Security Manager (ESM) product, affecting versions 7.0.2 through 7.5.

CVE-2021-38303 CVSS 9.8

A SQL injection vulnerability exists in Sureline SUREedge Migrator 7.0.7.29360.

View critical disclosures

cvelogic Threat Intelligence