LiveActive security incident?Get immediate response
CVE archive

July 2021

Browse CVE records published in July 2021, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 1511 matching CVEs · Page 1 of 31.

Unknown · CVSS Not scored

CVE-2021-42923: ShowMyPC 3606 on Windows suffers from a DLL hijack vulnerability.

ShowMyPC 3606 on Windows suffers from a DLL hijack vulnerability. If an attacker overwrites the file %temp%\ShowMyPC\-ShowMyPC3606\wodVPN.dll, it will run any malicious code contained in that file. The code will run with normal user privileges unless the user specifically runs ShowMyPC as administrator.

Published Jul 17, 2022 · Updated Jul 9, 2026

High · CVSS 7.5

CVE-2021-33012: Rockwell Automation MicroLogix 1100, all versions, allows a remote, unauthenticated attacker sending specia...

Rockwell Automation MicroLogix 1100, all versions, allows a remote, unauthenticated attacker sending specially crafted commands to cause the PLC to fault when the controller is switched to RUN mode, which results in a denial-of-service condition. If successfully exploited, this vulnerability will cause the controller to fault whenever the controller is switched to RUN mode.

Published Jul 9, 2021 · Updated Jun 3, 2026

Critical · CVSS 10

CVE-2021-41556: sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpr...

sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to Code Execution. If a victim executes an attacker-controlled squirrel script, it is possible for the attacker to break out of the squirrel script sandbox even if all dangerous functionality such as File System functions has been disabled. An attacker might abuse this bug to target (for example) Cloud services that allow customization via SquirrelScripts, or distribute malware through video games that embed a Squirrel Engine.

Published Jul 28, 2022 · Updated May 29, 2026

Unknown · CVSS Not scored

CVE-2021-47624: net/sunrpc: fix reference count leaks in rpc_sysfs_xprt_state_change

In the Linux kernel, the following vulnerability has been resolved: net/sunrpc: fix reference count leaks in rpc_sysfs_xprt_state_change The refcount leak issues take place in an error handling path. When the 3rd argument buf doesn't match with "offline", "online" or "remove", the function simply returns -EINVAL and forgets to decrease the reference count of a rpc_xprt object and a rpc_xprt_switch object increased by rpc_sysfs_xprt_kobj_get_xprt() and rpc_sysfs_xprt_kobj_get_xprt_switch(), causing reference count leaks of both unused objects. Fix this issue by jumping to the error handling path labelled with out_put when buf matches none of "offline", "online" or "remove".

Published Jul 16, 2024 · Updated May 11, 2026

Unknown · CVSS Not scored

CVE-2021-47623: powerpc/fixmap: Fix VM debug warning on unmap

In the Linux kernel, the following vulnerability has been resolved: powerpc/fixmap: Fix VM debug warning on unmap Unmapping a fixmap entry is done by calling __set_fixmap() with FIXMAP_PAGE_CLEAR as flags. Today, powerpc __set_fixmap() calls map_kernel_page(). map_kernel_page() is not happy when called a second time for the same page. WARNING: CPU: 0 PID: 1 at arch/powerpc/mm/pgtable.c:194 set_pte_at+0xc/0x1e8 CPU: 0 PID: 1 Comm: swapper Not tainted 5.16.0-rc3-s3k-dev-01993-g350ff07feb7d-dirty #682 NIP: c0017cd4 LR: c00187f0 CTR: 00000010 REGS: e1011d50 TRAP: 0700 Not tainted (5.16.0-rc3-s3k-dev-01993-g350ff07feb7d-dirty) MSR: 00029032 <EE,ME,IR,DR,RI> CR: 42000208 XER: 00000000 GPR00: c0165fec e1011e10 c14c0000 c0ee2550 ff800000 c0f3d000 00000000 c001686c GPR08: 00001000 b00045a9 00000001 c0f58460 c0f50000 00000000 c0007e10 00000000 GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 GPR24: 00000000 00000000 c0ee2550 00000000 c0f57000 00000ff8 00000000 ff800000 NIP [c0017cd4] set_pte_at+0xc/0x1e8 LR [c00187f0] map_kernel_page+0x9c/0x100 Call Trace: [e1011e10] [c0736c68] vsnprintf+0x358/0x6c8 (unreliable) [e1011e30] [c0165fec] __set_fixmap+0x30/0x44 [e1011e40] [c0c13bdc] early_iounmap+0x11c/0x170 [e1011e70] [c0c06cb0] ioremap_legacy_serial_console+0x88/0xc0 [e1011e90] [c0c03634] do_one_initcall+0x80/0x178 [e1011ef0] [c0c0385c] kernel_init_freeable+0xb4/0x250 [e1011f20] [c0007e34] kernel_init+0x24/0x140 [e1011f30] [c0016268] ret_from_kernel_thread+0x5c/0x64 Instruction dump: 7fe3fb78 48019689 80010014 7c630034 83e1000c 5463d97e 7c0803a6 38210010 4e800020 81250000 712a0001 41820008 <0fe00000> 9421ffe0 93e1001c 48000030 Implement unmap_kernel_page() which clears an existing pte.

Published Jul 16, 2024 · Updated May 11, 2026

Unknown · CVSS Not scored

CVE-2021-47622: scsi: ufs: Fix a deadlock in the error handler

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: Fix a deadlock in the error handler The following deadlock has been observed on a test setup: - All tags allocated - The SCSI error handler calls ufshcd_eh_host_reset_handler() - ufshcd_eh_host_reset_handler() queues work that calls ufshcd_err_handler() - ufshcd_err_handler() locks up as follows: Workqueue: ufs_eh_wq_0 ufshcd_err_handler.cfi_jt Call trace: __switch_to+0x298/0x5d8 __schedule+0x6cc/0xa94 schedule+0x12c/0x298 blk_mq_get_tag+0x210/0x480 __blk_mq_alloc_request+0x1c8/0x284 blk_get_request+0x74/0x134 ufshcd_exec_dev_cmd+0x68/0x640 ufshcd_verify_dev_init+0x68/0x35c ufshcd_probe_hba+0x12c/0x1cb8 ufshcd_host_reset_and_restore+0x88/0x254 ufshcd_reset_and_restore+0xd0/0x354 ufshcd_err_handler+0x408/0xc58 process_one_work+0x24c/0x66c worker_thread+0x3e8/0xa4c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 Fix this lockup by making ufshcd_exec_dev_cmd() allocate a reserved request.

Published Jul 16, 2024 · Updated May 11, 2026

Medium · CVSS 4.3

CVE-2021-4427: Vuukle Comments, Reactions, Share Bar, Revenue <= 3.4.31 - Cross-Site Request Forgery Bypass

The Vuukle Comments, Reactions, Share Bar, Revenue plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.31. This is due to missing or incorrect nonce validation in the /admin/partials/free-comments-for-wordpress-vuukle-admin-display.php file. This makes it possible for unauthenticated attackers to edit the plugins settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4426: Absolute Reviews <= 1.0.8 - Cross-Site Request Forgery Bypass

The Absolute Reviews plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.8. This is due to missing or incorrect nonce validation on the metabox_review_save() function. This makes it possible for unauthenticated attackers to save meta tags via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4425: Defender Security <= 2.4.6 - Cross-Site Request Forgery Bypass

The Defender Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.6. This is due to missing or incorrect nonce validation on the verify_otp_login_time() function. This makes it possible for unauthenticated attackers to verify a one time login via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4424: Slider Hero <= 8.2.0 - Cross-Site Request Forgery Bypass

The Slider Hero plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.2.0. This is due to missing or incorrect nonce validation on the qc_slider_hero_duplicate() function. This makes it possible for unauthenticated attackers to duplicate slides via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4423: RAYS Grid <= 1.2.2 - Cross-Site Request Forgery Bypass

The RAYS Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the rsgd_insert_update() function. This makes it possible for unauthenticated attackers to update post fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4422: POST SMTP Mailer <= 2.0.20 - Cross-Site Request Forgery Bypass

The POST SMTP Mailer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.20. This is due to missing or incorrect nonce validation on the handleCsvExport() function. This makes it possible for unauthenticated attackers to trigger a CSV export via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4421: Advanced Popups <= 1.1.1 - Cross-Site Request Forgery Bypass

The Advanced Popups plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the metabox_popup_save() function. This makes it possible for unauthenticated attackers to save meta tags via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4420: Sell Media <= 2.5.5 - Cross-Site Request Forgery Bypass

The Sell Media plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.5. This is due to missing or incorrect nonce validation on the sell_media_process() function. This makes it possible for unauthenticated attackers to sell media paypal orders via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4419: WP-Backgrounds Lite <= 2.3 - Cross-Site Request Forgery Bypass

The WP-Backgrounds Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the ino_save_data() function. This makes it possible for unauthenticated attackers to save meta data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 5.4

CVE-2021-4417: Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.13.4 - Cross-Site Request Forgery Bypass

The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.13.4. This is due to missing or incorrect nonce validation on the listen_for_saving_export_schedule() function. This makes it possible for unauthenticated attackers to export form submissions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4416: wp-mpdf <= 3.5.1 - Cross-Site Request Forgery Bypass

The wp-mpdf plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.1. This is due to missing or incorrect nonce validation on the mpdf_admin_savepost() function. This makes it possible for unauthenticated attackers to save post data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4415: Sunshine Photo Cart <= 2.8.28 - Cross-Site Request Forgery Bypass

The Sunshine Photo Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.8.28 This is due to missing or incorrect nonce validation on the sunshine_products_quicksave_post() function. This makes it possible for unauthenticated attackers to save custom post data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4414: Abandoned Cart Lite for WooCommerce <= 5.8.5 - Cross-Site Request Forgery Bypass

The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.8.5. This is due to missing or incorrect nonce validation on the wcal_preview_emails() function. This makes it possible for unauthenticated attackers to generate email preview templates via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4413: Process Steps Template Designer <= 1.2.1 - Cross-Site Request Forgery Bypass

The Process Steps Template Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to save field icons via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4412: WP Prayer <= 1.6.5 - Cross-Site Request Forgery Bypass

The WP Prayer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.5. This is due to missing or incorrect nonce validation on the save() and export() functions. This makes it possible for unauthenticated attackers to save plugin settings and trigger a data export via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4411: WP EasyPay – Square for WordPress <= 3.2.0 - Cross-Site Request Forgery Bypass

The WP EasyPay – Square for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the wpep_download_transaction_in_excel() function. This makes it possible for unauthenticated attackers to trigger a transactions download via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4410: Qtranslate Slug <= 1.1.18 - Cross-Site Request Forgery Bypass

The Qtranslate Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.18. This is due to missing or incorrect nonce validation on the save_postdata() function. This makes it possible for unauthenticated attackers to save post data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4409: WooCommerce Etsy Integration <= 3.3.1 - Cross-Site Request Forgery Bypass

The WooCommerce Etsy Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.3.1. This is due to missing or incorrect nonce validation on the etcpf_delete_feed() function. This makes it possible for unauthenticated attackers to delete an export feed via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4408: DW Question & Answer <= 1.5.8 - Cross-Site Request Forgery Bypass

The DW Question & Answer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.8. This is due to missing or incorrect nonce validation on the update_answer() function. This makes it possible for unauthenticated attackers to update answers to questions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4407: Custom Banners <= 3.2.2 - Cross-Site Request Forgery Bypass

The Custom Banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.2 This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to save custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4405: ElasticPress <= 3.5.3 - Cross-Site Request Forgery Bypass

The ElasticPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.3. This is due to missing or incorrect nonce validation on the epio_send_autosuggest_allowed() function. This makes it possible for unauthenticated attackers to send allowed parameters for autosuggest to elasticpress[.]io via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4404: Event Espresso 4 Decaf <= 4.10.11 - Cross-Site Request Forgery Bypass

The Event Espresso 4 Decaf plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.10.11. This is due to missing or incorrect nonce validation on the ajaxHandler() function. This makes it possible for unauthenticated attackers to op into notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4403: Remove Schema <= 1.5 - Cross-Site Request Forgery Bypass

The Remove Schema plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the validate() function. This makes it possible for unauthenticated attackers to modify the plugins settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4402: Multiple Roles <= 1.3.1- Cross-Site Request Forgery Bypass

The Multiple Roles plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the mu_add_roles_in_signup_meta() and mu_add_roles_in_signup_meta_recently() functions. This makes it possible for unauthenticated attackers to add additional roles to users via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

High · CVSS 8.8

CVE-2021-4401: Style Kits <= 1.8.0 - Cross-Site Request Forgery Bypass

The Style Kits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.0. This is due to missing or incorrect nonce validation on the update_posts_stylekit() function. This makes it possible for unauthenticated attackers to update style kits for posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4400: Better Search <= 2.5.2 - Cross-Site Request Forgery Bypass

The Better Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the bsearch_process_settings_import() and bsearch_process_settings_export() functions. This makes it possible for unauthenticated attackers to import and export settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 5.9

CVE-2021-4458: Modern Events Calendar Lite <= 6.3.0 - Unauthenticated SQL Injection

The Modern Events Calendar Lite plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'wp_ajax_mec_load_single_page' AJAX action in all versions up to, and including, 6.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable on sites with addslashes disabled.

Published Jul 12, 2025 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4399: Edwiser Bridge <= 2.0.6 - Cross-Site Request Forgery Bypass

The Edwiser Bridge plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,2.0.6. This is due to missing or incorrect nonce validation on the user_data_synchronization_initiater(), course_synchronization_initiater(), users_link_to_moodle_synchronization(), connection_test_initiater(), admin_menus(), and subscribe_handler() function. This makes it possible for unauthenticated attackers to perform unauthorized actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4398: Amministrazione Trasparente <= 7.1 - Cross-Site Request Forgery Bypass

The Amministrazione Trasparente plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.1. This is due to missing or incorrect nonce validation on the at_save_aturl_meta() function. This makes it possible for unauthenticated attackers to update meta data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4388: Opal Estate <= 1.6.11 - Missing Authorization

The Opal Estate plugin for WordPress is vulnerable to featured property modifications in versions up to, and including, 1.6.11. This is due to missing capability checks on the opalestate_set_feature_property() and opalestate_remove_feature_property() functions. This makes it possible for unauthenticated attackers to set and remove featured properties.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4397: Staff Directory Plugin <= 3.6 - Cross-Site Request Forgery Bypass

The Staff Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.6. This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to save custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026

Medium · CVSS 4.3

CVE-2021-4396: Rucy <= 0.4.4 - Cross-Site Request Forgery Bypass

The Rucy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.4.4. This is due to missing or incorrect nonce validation on the save_rc_post_meta() function. This makes it possible for unauthenticated attackers to save post meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Jul 1, 2023 · Updated Apr 8, 2026