Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 8,315 matching records.
Displaying matches 2,841 through 2,860.
Vuln ID Summary CVSS Severity
CVE-2022-4545

The Sitemap WordPress plugin before 4.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

Published: January 23, 2023; 10:15:15 AM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-4542

The Compact WP Audio Player WordPress plugin before 1.9.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

Published: January 23, 2023; 10:15:15 AM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-4509

The Content Control WordPress plugin before 1.1.10 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privilege users such as admins.

Published: January 23, 2023; 10:15:15 AM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-4485

The Page-list WordPress plugin before 5.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

Published: January 23, 2023; 10:15:14 AM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-4475

The Collapse-O-Matic WordPress plugin before 1.8.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin.

Published: January 23, 2023; 10:15:14 AM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-4474

The Easy Social Feed WordPress plugin before 6.4.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin.

Published: January 23, 2023; 10:15:14 AM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-4467

The Search & Filter WordPress plugin before 1.2.16 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin.

Published: January 23, 2023; 10:15:14 AM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-4443

The BruteBank WordPress plugin before 1.9 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

Published: January 23, 2023; 10:15:14 AM -0500
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-4383

The CBX Petition for WordPress plugin through 1.0.3 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Published: January 23, 2023; 10:15:14 AM -0500
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2022-4346

The All-In-One Security (AIOS) WordPress plugin before 5.1.3 leaked settings of the plugin publicly, including the used email address.

Published: January 23, 2023; 10:15:14 AM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2022-4323

The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

Published: January 23, 2023; 10:15:14 AM -0500
V3.1: 7.2 HIGH
V2.0:(not available)
CVE-2022-4307

The پلاگین پرداخت دلخواه WordPress plugin before 2.9.3 does not sanitise and escape some parameters, allowing unauthenticated attackers to send a request with XSS payloads, which will be triggered when a high privilege user such as admin visits a page from the plugin.

Published: January 23, 2023; 10:15:14 AM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-4305

The Login as User or Customer WordPress plugin before 3.3 lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session.

Published: January 23, 2023; 10:15:14 AM -0500
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2022-4303

The WP Limit Login Attempts WordPress plugin through 2.6.4 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based restrictions on login forms.

Published: January 23, 2023; 10:15:14 AM -0500
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2022-4230

The WP Statistics WordPress plugin before 13.2.9 does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+), however the plugin has a settings to allow low privilege users to access it as well.

Published: January 23, 2023; 10:15:14 AM -0500
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2022-4017

The Booster for WooCommerce WordPress plugin before 6.0.1, Booster Plus for WooCommerce WordPress plugin before 6.0.1, and Booster Elite for WooCommerce WordPress plugin before 6.0.1 have either flawed CSRF checks or are missing them completely in numerous places, allowing attackers to make logged-in users perform unwanted actions via CSRF attacks.

Published: January 23, 2023; 10:15:14 AM -0500
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2022-3811

The EU Cookie Law for GDPR/CCPA WordPress plugin through 3.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Published: January 23, 2023; 10:15:13 AM -0500
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-3425

The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

Published: January 23, 2023; 10:15:13 AM -0500
V3.1: 7.2 HIGH
V2.0:(not available)
CVE-2022-0316

The WeStand WordPress theme before 2.1, footysquare WordPress theme, aidreform WordPress theme, statfort WordPress theme, club-theme WordPress theme, kingclub-theme WordPress theme, spikes WordPress theme, spikes-black WordPress theme, soundblast WordPress theme, and bolster WordPress theme from ChimpStudio and PixFill do not have any authorisation and upload validation in the lang_upload.php file, allowing any unauthenticated attacker to upload arbitrary files to the web server.

Published: January 23, 2023; 10:15:13 AM -0500
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2021-24881

The Passster WordPress plugin before 3.5.5.9 does not properly check the password, nor that the post to be viewed is public, allowing unauthenticated users to bypass the protection offered by the plugin and access the content of arbitrary posts (such as private ones) by sending a specifically crafted request.

Published: January 23, 2023; 10:15:13 AM -0500
V3.1: 7.5 HIGH
V2.0:(not available)