CVE-2021-42664

MEDIUM

Engineers Online Portal - Stored Cross-Site Scripting via Quiz Title and Description Parameters

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2021-42664. PoCs published by Alon Leviev, 0xDeku.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in Engineers Online Portal 1.0, where malicious JavaScript can be injected via the 'quiz_title' or 'description' parameters in add_quiz.php or edit_quiz.php. The payload is stored and executed when other users access the affected page.

Description

A stored cross-site scripting (XSS) vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the (1) quiz title and (2) quiz description parameters to add_quiz.php. An attacker can leverage this vulnerability to run JavaScript on behalf of the web server's users, which can lead to cookie theft and more.

Exploits (3)

exploitdb WORKING POC
by Alon Leviev · text · webapps · php
https://www.exploit-db.com/exploits/50451

This exploit demonstrates a stored XSS vulnerability in Engineers Online Portal 1.0, where malicious JavaScript can be injected via the 'quiz_title' or 'description' parameters in add_quiz.php or edit_quiz.php. The payload is stored and executed when other users access the affected page.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Engineers Online Portal 1.0
Auth required
Prerequisites: Access to the add_quiz.php or edit_quiz.php page · Valid session cookie (PHPSESSID)
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP
by 0xDeku · poc
https://github.com/0xDeku/CVE-2021-42664

This repository provides a technical description and proof-of-concept for CVE-2021-42664, a stored XSS vulnerability in the Engineers online portal system. The vulnerability allows attackers to inject malicious JavaScript via the 'quiz_title' or 'description' parameters in the 'add_quiz.php' page.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Engineers online portal system
Auth required
Prerequisites: Access to the vulnerable 'add_quiz.php' page · Ability to submit a quiz with malicious input
devstral-2 · analyzed Feb 16, 2026

inthewild WRITEUP
poc
https://github.com/thehackingrabbi/cve-2021-42664

This repository provides a technical description of CVE-2021-42664, a stored XSS vulnerability in the Engineers online portal system. It includes details on vulnerable components, exploitation steps, and a proof-of-concept payload.

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Engineers online portal system
No auth needed
Prerequisites: Access to the vulnerable page 'add_quiz.php'
devstral-2 · analyzed Feb 23, 2026

References (4)

Core References
Product, Third Party Advisory x_refsource_misc
https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/164618/Engineers-Online-Portal-1.0-SQL-Injection.html
Exploit, Third Party Advisory x_refsource_misc
https://github.com/TheHackingRabbi/CVE-2021-42664
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/50451

Scores

CVSS v3 5.4
EPSS 0.0189
EPSS Percentile 83.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): engineers_online_portal_project/engineers_online_portal 1.0
Published: Nov 05, 2021
Tracked Since: Feb 18, 2026