U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): wordpress
  • Search Type: Search All
There are 5,118 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2022-36296

Broken Authentication vulnerability in JumpDEMAND Inc. ActiveDEMAND plugin <= 0.2.27 at WordPress allows unauthenticated post update/create/delete.

Published: August 05, 2022; 12:15:14 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2022-36284

Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress allows an attacker to change the PayPal email. WooCommerce PayPal Payments plugin (free) should be at least installed to get the extra input field on the user profile page.

Published: August 05, 2022; 12:15:14 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2022-33201

Cross-Site Request Forgery (CSRF) vulnerability in MailerLite – Signup forms (official) plugin <= 1.5.7 at WordPress allows an attacker to change the API key.

Published: August 05, 2022; 12:15:13 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2022-25649

Multiple Improper Access Control vulnerabilities in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 at WordPress.

Published: August 05, 2022; 12:15:11 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2021-36861

Cross-Site Request Forgery (CSRF) vulnerability in Rich Reviews by Starfish plugin <= 1.9.14 at WordPress allows an attacker to delete reviews.

Published: August 05, 2022; 12:15:10 PM -0400
V3.1: 4.3 MEDIUM
V2.0:(not available)
CVE-2022-36343

Authenticated (author or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in ideasToCode Enable SVG, WebP & ICO Upload plugin <= 1.0.1 at WordPress.

Published: August 01, 2022; 10:15:10 AM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-34154

Authenticated (author or higher user role) Arbitrary File Upload vulnerability in ideasToCode Enable SVG, WebP & ICO Upload plugin <= 1.0.1 at WordPress.

Published: August 01, 2022; 10:15:09 AM -0400
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2022-2370

The YaySMTP WordPress plugin before 2.2.1 does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them

Published: August 01, 2022; 9:15:11 AM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-2369

The YaySMTP WordPress plugin before 2.2.1 does not have capability check in an AJAX action, allowing any logged in users, such as subscriber to view the Logs of the plugin

Published: August 01, 2022; 9:15:11 AM -0400
V3.1: 4.3 MEDIUM
V2.0:(not available)
CVE-2022-2328

The Flexi Quote Rotator WordPress plugin through 0.9.4 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Published: August 01, 2022; 9:15:11 AM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-2325

The Invitation Based Registrations WordPress plugin through 2.2.84 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)

Published: August 01, 2022; 9:15:11 AM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-2317

The Simple Membership WordPress plugin before 4.1.3 allows user to change their membership at the registration stage due to insufficient checking of a user supplied parameter.

Published: August 01, 2022; 9:15:11 AM -0400
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2022-2305

The WordPress Popup WordPress plugin through 1.9.3.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)

Published: August 01, 2022; 9:15:11 AM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-2278

The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not validate, sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)

Published: August 01, 2022; 9:15:11 AM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-2273

The Simple Membership WordPress plugin before 4.1.3 does not properly validate the membership_level parameter when editing a profile, allowing members to escalate to a higher membership level by using a crafted POST request.

Published: August 01, 2022; 9:15:10 AM -0400
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2022-2260

The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack as the plugin will try to retrieve data from the database many times which leads to overwhelm the target's CPU.

Published: August 01, 2022; 9:15:10 AM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-2245

The Counter Box WordPress plugin before 1.2.1 is lacking CSRF check when activating and deactivating counters, which could allow attackers to make a logged in admin perform such actions via CSRF attacks

Published: August 01, 2022; 9:15:10 AM -0400
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2022-2241

The Featured Image from URL (FIFU) WordPress plugin before 4.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of validation, sanitisation and escaping in some of them, it could also lead to Stored XSS issues

Published: August 01, 2022; 9:15:10 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-2215

The GiveWP WordPress plugin before 2.21.3 does not properly sanitise and escape the currency settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)

Published: August 01, 2022; 9:15:10 AM -0400
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-2184

The CAPTCHA 4WP WordPress plugin before 7.1.0 lets user input reach a sensitive require_once call in one of its admin-side templates. This can be abused by attackers, via a Cross-Site Request Forgery attack to run arbitrary code on the server.

Published: August 01, 2022; 9:15:10 AM -0400
V3.1: 8.8 HIGH
V2.0:(not available)