Search Results
- Results Type: Overview
- Keyword (text search): WordPress
- Search Type: Search All
| Vuln ID | Summary | Published | CVSS Severity |
|---|---|---|---|
| CVE-2022-4628 | The Easy PayPal Buy Now Button WordPress plugin before 1.7.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | February 13, 2023; 10:15:18 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
| CVE-2022-4580 | The Twenty20 Image Before-After WordPress plugin through 1.5.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | February 13, 2023; 10:15:18 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
| CVE-2022-4562 | The Meks Flexible Shortcodes WordPress plugin before 1.3.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | February 13, 2023; 10:15:17 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
| CVE-2022-4551 | The Rich Table of Contents WordPress plugin before 1.3.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | February 13, 2023; 10:15:17 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
| CVE-2022-4546 | The Mapwiz WordPress plugin through 1.0.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. | February 13, 2023; 10:15:17 AM -0500 | V3.1: 7.2 HIGH; V2.0: (not available) |
| CVE-2022-4512 | The Better Font Awesome WordPress plugin before 2.0.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | February 13, 2023; 10:15:17 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
| CVE-2022-4488 | The Widgets on Pages WordPress plugin before 1.8.0 does not validate and escape its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | February 13, 2023; 10:15:17 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
| CVE-2022-4473 | The Widget Shortcode WordPress plugin through 0.3.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | February 13, 2023; 10:15:17 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
| CVE-2022-4471 | The YARPP WordPress plugin before 5.30.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | February 13, 2023; 10:15:16 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
| CVE-2022-4458 | The amr shortcode any widget WordPress plugin through 4.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | February 13, 2023; 10:15:16 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
| CVE-2022-4448 | The GiveWP WordPress plugin before 2.24.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | February 13, 2023; 10:15:16 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: (not available) |
| CVE-2022-4445 | The FL3R FeelBox WordPress plugin through 8.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. | February 13, 2023; 10:15:16 AM -0500 | V3.1: 9.8 CRITICAL; V2.0: (not available) |
| CVE-2022-3891 | The WP FullCalendar WordPress plugin before 1.5 does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected ones. | February 13, 2023; 10:15:14 AM -0500 | V3.1: 5.3 MEDIUM; V2.0: (not available) |
| CVE-2015-10078 | A vulnerability, which was classified as problematic, has been found in atwellpub Resend Welcome Email Plugin 1.0.1 on WordPress. This issue affects the function send_welcome_email_url of the file resend-welcome-email.php. The manipulation leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 1.0.2 is able to address this issue. The identifier of the patch is b14c1f66d307783f0ae74f88088a85999107695c. It is recommended to upgrade the affected component. The identifier VDB-220637 was assigned to this vulnerability. | February 12, 2023; 9:15:10 AM -0500 | V3.1: 6.1 MEDIUM; V2.0: (not available) |
| CVE-2022-3568 | The ImageMagick Engine plugin for WordPress is vulnerable to deserialization of untrusted input via the 'cli_path' parameter in versions up to, and including, 1.7.5. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload. | February 09, 2023; 7:15:10 PM -0500 | V3.1: 8.8 HIGH; V2.0: (not available) |
| CVE-2022-41620 | Cross-Site Request Forgery (CSRF) vulnerability in SeoSamba for WordPress Webmasters plugin <= 1.0.5 versions. | February 08, 2023; 9:15:09 AM -0500 | V3.1: 8.8 HIGH; V2.0: (not available) |
| CVE-2022-2094 | The Yellow Yard Searchbar WordPress plugin before 2.8.2 does not escape some URL parameters before outputting them back to the user, leading to Reflected Cross-Site Scripting. | February 08, 2023; 5:15:09 AM -0500 | V3.1: 6.1 MEDIUM; V2.0: (not available) |
| CVE-2023-0726 | The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.16. This is due to missing or incorrect nonce validation on the ajax_edit_folder function. This makes it possible for unauthenticated attackers to invoke this function via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link, leading them to perform actions intended for administrators such as changing the folder structure maintained by the plugin. | February 07, 2023; 9:15:08 PM -0500 | V3.1: 4.3 MEDIUM; V2.0: (not available) |
| CVE-2023-0725 | The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.16. This is due to missing or incorrect nonce validation on the ajax_clone_folder function. This makes it possible for unauthenticated attackers to invoke this function via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link, leading them to perform actions intended for administrators such as changing the folder structure maintained by the plugin. | February 07, 2023; 9:15:08 PM -0500 | V3.1: 4.3 MEDIUM; V2.0: (not available) |
| CVE-2023-0724 | The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.16. This is due to missing or incorrect nonce validation on the ajax_add_folder function. This makes it possible for unauthenticated attackers to invoke this function via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link, leading them to perform actions intended for administrators such as changing the folder structure maintained by the plugin. | February 07, 2023; 9:15:08 PM -0500 | V3.1: 4.3 MEDIUM; V2.0: (not available) |