Search Results
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
Vuln ID | Summary | Published | CVSS Severity
---|---|---|---
CVE-2022-4545 | The Sitemap WordPress plugin before 4.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | January 23, 2023; 10:15:15 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available)
CVE-2022-4542 | The Compact WP Audio Player WordPress plugin before 1.9.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | January 23, 2023; 10:15:15 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available)
CVE-2022-4509 | The Content Control WordPress plugin before 1.1.10 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privilege users such as admins. | January 23, 2023; 10:15:15 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available)
CVE-2022-4485 | The Page-list WordPress plugin before 5.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | January 23, 2023; 10:15:14 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available)
CVE-2022-4475 | The Collapse-O-Matic WordPress plugin before 1.8.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. | January 23, 2023; 10:15:14 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available)
CVE-2022-4474 | The Easy Social Feed WordPress plugin before 6.4.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. | January 23, 2023; 10:15:14 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available)
CVE-2022-4467 | The Search & Filter WordPress plugin before 1.2.16 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. | January 23, 2023; 10:15:14 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available)
CVE-2022-4443 | The BruteBank WordPress plugin before 1.9 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. | January 23, 2023; 10:15:14 AM -0500 | V3.1: 6.5 MEDIUM; V2.0: (not available)
CVE-2022-4383 | The CBX Petition for WordPress plugin through 1.0.3 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. | January 23, 2023; 10:15:14 AM -0500 | V3.1: 9.8 CRITICAL; V2.0: (not available)
CVE-2022-4346 | The All-In-One Security (AIOS) WordPress plugin before 5.1.3 leaked settings of the plugin publicly, including the used email address. | January 23, 2023; 10:15:14 AM -0500 | V3.1: 5.3 MEDIUM; V2.0: (not available)
CVE-2022-4323 | The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. | January 23, 2023; 10:15:14 AM -0500 | V3.1: 7.2 HIGH; V2.0: (not available)
CVE-2022-4307 | The پلاگین پرداخت دلخواه WordPress plugin before 2.9.3 does not sanitise and escape some parameters, allowing unauthenticated attackers to send a request with XSS payloads, which will be triggered when a high privilege user such as admin visits a page from the plugin. | January 23, 2023; 10:15:14 AM -0500 | V3.1: 6.1 MEDIUM; V2.0: (not available)
CVE-2022-4305 | The Login as User or Customer WordPress plugin before 3.3 lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session. | January 23, 2023; 10:15:14 AM -0500 | V3.1: 9.8 CRITICAL; V2.0: (not available)
CVE-2022-4303 | The WP Limit Login Attempts WordPress plugin through 2.6.4 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based restrictions on login forms. | January 23, 2023; 10:15:14 AM -0500 | V3.1: 7.5 HIGH; V2.0: (not available)
CVE-2022-4230 | The WP Statistics WordPress plugin before 13.2.9 does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+); however, the plugin has a setting to allow low privilege users to access it as well. | January 23, 2023; 10:15:14 AM -0500 | V3.1: 8.8 HIGH; V2.0: (not available)
CVE-2022-4017 | The Booster for WooCommerce WordPress plugin before 6.0.1, Booster Plus for WooCommerce WordPress plugin before 6.0.1, and Booster Elite for WooCommerce WordPress plugin before 6.0.1 have either flawed CSRF checks or are missing them completely in numerous places, allowing attackers to make logged in users perform unwanted actions via CSRF attacks. | January 23, 2023; 10:15:14 AM -0500 | V3.1: 8.8 HIGH; V2.0: (not available)
CVE-2022-3811 | The EU Cookie Law for GDPR/CCPA WordPress plugin through 3.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). | January 23, 2023; 10:15:13 AM -0500 | V3.1: 4.8 MEDIUM; V2.0: (not available)
CVE-2022-3425 | The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. | January 23, 2023; 10:15:13 AM -0500 | V3.1: 7.2 HIGH; V2.0: (not available)
CVE-2022-0316 | The WeStand WordPress theme before 2.1, footysquare WordPress theme, aidreform WordPress theme, statfort WordPress theme, club-theme WordPress theme, kingclub-theme WordPress theme, spikes WordPress theme, spikes-black WordPress theme, soundblast WordPress theme, and bolster WordPress theme from ChimpStudio and PixFill do not have any authorisation or upload validation in the lang_upload.php file, allowing any unauthenticated attacker to upload arbitrary files to the web server. | January 23, 2023; 10:15:13 AM -0500 | V3.1: 9.8 CRITICAL; V2.0: (not available)
CVE-2021-24881 | The Passster WordPress plugin before 3.5.5.9 does not properly check the password, nor that the post to be viewed is public, allowing unauthenticated users to bypass the protection offered by the plugin and access the content of arbitrary posts (such as private ones) by sending a specifically crafted request. | January 23, 2023; 10:15:13 AM -0500 | V3.1: 7.5 HIGH; V2.0: (not available)