Search Results
- Results Type: Overview
- Keyword (text search): WordPress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity
---|---|---
CVE-2022-4625 | The Login Logout Menu WordPress plugin before 1.4.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Published: January 23, 2023; 10:15:15 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available)
CVE-2022-4624 | The GS Logo Slider WordPress plugin before 3.3.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Published: January 23, 2023; 10:15:15 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available)
CVE-2022-4576 | The Easy Bootstrap Shortcode WordPress plugin through 4.5.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Published: January 23, 2023; 10:15:15 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available)
CVE-2022-4570 | The Top 10 WordPress plugin before 3.2.3 does not validate and escape some of its Block attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Published: January 23, 2023; 10:15:15 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available)
CVE-2022-4548 | The Optimize images ALT Text & names for SEO using AI WordPress plugin before 2.0.8 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Published: January 23, 2023; 10:15:15 AM -0500 | V3.1: 6.5 MEDIUM V2.0: (not available)
CVE-2022-4545 | The Sitemap WordPress plugin before 4.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Published: January 23, 2023; 10:15:15 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available)
CVE-2022-4542 | The Compact WP Audio Player WordPress plugin before 1.9.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Published: January 23, 2023; 10:15:15 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available)
CVE-2022-4509 | The Content Control WordPress plugin before 1.1.10 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privilege users such as admins. Published: January 23, 2023; 10:15:15 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available)
CVE-2022-4485 | The Page-list WordPress plugin before 5.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Published: January 23, 2023; 10:15:14 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available)
CVE-2022-4475 | The Collapse-O-Matic WordPress plugin before 1.8.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. Published: January 23, 2023; 10:15:14 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available)
CVE-2022-4474 | The Easy Social Feed WordPress plugin before 6.4.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. Published: January 23, 2023; 10:15:14 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available)
CVE-2022-4467 | The Search & Filter WordPress plugin before 1.2.16 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. Published: January 23, 2023; 10:15:14 AM -0500 | V3.1: 5.4 MEDIUM V2.0: (not available)
CVE-2022-4443 | The BruteBank WordPress plugin before 1.9 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Published: January 23, 2023; 10:15:14 AM -0500 | V3.1: 6.5 MEDIUM V2.0: (not available)
CVE-2022-4383 | The CBX Petition for WordPress plugin through 1.0.3 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. Published: January 23, 2023; 10:15:14 AM -0500 | V3.1: 9.8 CRITICAL V2.0: (not available)
CVE-2022-4346 | The All-In-One Security (AIOS) WordPress plugin before 5.1.3 leaked settings of the plugin publicly, including the used email address. Published: January 23, 2023; 10:15:14 AM -0500 | V3.1: 5.3 MEDIUM V2.0: (not available)
CVE-2022-4323 | The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. Published: January 23, 2023; 10:15:14 AM -0500 | V3.1: 7.2 HIGH V2.0: (not available)
CVE-2022-4307 | The پلاگین پرداخت دلخواه WordPress plugin before 2.9.3 does not sanitise and escape some parameters, allowing unauthenticated attackers to send a request with XSS payloads, which will be triggered when a high privilege user such as admin visits a page from the plugin. Published: January 23, 2023; 10:15:14 AM -0500 | V3.1: 6.1 MEDIUM V2.0: (not available)
CVE-2022-4305 | The Login as User or Customer WordPress plugin before 3.3 lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session. Published: January 23, 2023; 10:15:14 AM -0500 | V3.1: 9.8 CRITICAL V2.0: (not available)
CVE-2022-4303 | The WP Limit Login Attempts WordPress plugin through 2.6.4 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based restrictions on login forms. Published: January 23, 2023; 10:15:14 AM -0500 | V3.1: 7.5 HIGH V2.0: (not available)
CVE-2022-4230 | The WP Statistics WordPress plugin before 13.2.9 does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+); however, the plugin has a setting to allow low privilege users to access it as well. Published: January 23, 2023; 10:15:14 AM -0500 | V3.1: 8.8 HIGH V2.0: (not available)