Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): WordPress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2022-0949 |
The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 6.930 does not properly sanitise and escape the fingerprint parameter before using it in a SQL statement via the stopbadbots_grava_fingerprint AJAX action, available to unauthenticated users, leading to a SQL injection Published: April 11, 2022; 11:15:08 AM -0400 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2022-0920 |
The Salon booking system Free and Pro WordPress plugins before 7.6.3 do not have proper authorisation in some of its endpoints, which could allow customers to access all bookings and other customer's data Published: April 11, 2022; 11:15:08 AM -0400 |
V4.0:(not available) V3.1: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2022-0919 |
The Salon booking system Free and pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated users to search other's booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it. Published: April 11, 2022; 11:15:08 AM -0400 |
V4.0:(not available) V3.1: 5.3 MEDIUM V2.0: 5.0 MEDIUM |
CVE-2022-0914 |
The Export All URLs WordPress plugin before 4.3 does not have CSRF in place when exporting data, which could allow attackers to make a logged in admin export all posts and pages (including private and draft) into an arbitrary CSV file, which the attacker can then download and retrieve the list of titles for example Published: April 11, 2022; 11:15:08 AM -0400 |
V4.0:(not available) V3.1: 6.5 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2022-0892 |
The Export All URLs WordPress plugin before 4.2 does not sanitise and escape the CSV filename before outputting it back in the page, leading to a Reflected Cross-Site Scripting Published: April 11, 2022; 11:15:08 AM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2022-0840 |
The Easy Social Icons WordPress plugin before 3.2.1 does not properly escape the image_file field when adding a new social icon, allowing high privileged users to inject arbitrary javascript even when the unfiltered_html capability is disallowed. Published: April 11, 2022; 11:15:08 AM -0400 |
V4.0:(not available) V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2022-0828 |
The Download Manager WordPress plugin before 3.2.34 uses the uniqid php function to generate the master key for a download, allowing an attacker to brute force the key with reasonable resources giving direct download access regardless of role based restrictions or password protections set for the download. Published: April 11, 2022; 11:15:08 AM -0400 |
V4.0:(not available) V3.1: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2022-0728 |
The Easy Smooth Scroll Links WordPress plugin before 2.23.1 does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed Published: April 11, 2022; 11:15:08 AM -0400 |
V4.0:(not available) V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2022-0531 |
The Migration, Backup, Staging WordPress plugin before 0.9.70 does not sanitise and escape the sub_page parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting Published: April 11, 2022; 11:15:08 AM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2022-0471 |
The Favicon by RealFaviconGenerator WordPress plugin before 1.3.23 does not properly sanitise and escape the json_result_url parameter before outputting it back in the Favicon admin dashboard, leading to a Reflected Cross-Site Scripting issue Published: April 11, 2022; 11:15:08 AM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2022-0447 |
The Post Grid WordPress plugin before 2.1.16 does not sanitise and escape the post_types parameter before outputting it back in the response of the post_grid_update_taxonomies_terms_by_posttypes AJAX action, available to any authenticated users, leading to a Reflected Cross-Site Scripting Published: April 11, 2022; 11:15:08 AM -0400 |
V4.0:(not available) V3.1: 6.4 MEDIUM V2.0: 3.5 LOW |
CVE-2022-0314 |
The Nimble Page Builder WordPress plugin before 3.2.2 does not sanitise and escape the preview-level-guid parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting Published: April 11, 2022; 11:15:08 AM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2022-0271 |
The LearnPress WordPress plugin before 4.1.6 does not sanitise and escape the lp-dismiss-notice before outputting it back via the lp_background_single_email AJAX action, leading to a Reflected Cross-Site Scripting Published: April 11, 2022; 11:15:08 AM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2022-0246 |
The settings of the iQ Block Country WordPress plugin before 1.2.13 can be exported or imported using its backup functionality. An authorized user can import preconfigured settings of the plugin by uploading a zip file. After the uploading process, files in the uploaded zip file are extracted one by one. During the extraction process, existence of a file is checked. If the file exists, it is deleted without any security control by only considering the name of the extracted file. This behavior leads to "Zip Slip" vulnerability. Published: April 11, 2022; 11:15:08 AM -0400 |
V4.0:(not available) V3.1: 4.9 MEDIUM V2.0: 4.0 MEDIUM |
CVE-2021-25090 |
The Portfolio Gallery, Product Catalog WordPress plugin before 2.1.0 does not have authorisation and CSRF checks in various functions related to AJAX actions, allowing any authenticated users, such as subscriber, to call them. Due to the lack of sanitisation and escaping, it could also allows attackers to perform Cross-Site Scripting attacks on pages where a Portfolio is embed Published: April 11, 2022; 11:15:08 AM -0400 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2021-24987 |
The Social Share, Social Login and Social Comments Plugin WordPress plugin before 7.13.30 does not sanitise and escape the urls parameter in its the_champ_sharing_count AJAX action (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue. Published: April 11, 2022; 11:15:07 AM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2021-24986 |
The Post Grid WordPress plugin before 2.1.16 does not escape the keyword parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in pages containing a Post Grid with a search form Published: April 11, 2022; 11:15:07 AM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2022-1170 |
In the Noo JobMonster WordPress theme before 4.5.2.9 JobMonster there is a XSS vulnerability as the input for the search form is provided through unsanitized GET requests. Published: April 04, 2022; 12:15:11 PM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2022-1168 |
There is a Cross-Site Scripting vulnerability in the JobSearch WP JobSearch WordPress plugin before 1.5.1. Published: April 04, 2022; 12:15:11 PM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2022-1167 |
There are unauthenticated reflected Cross-Site Scripting (XSS) vulnerabilities in CareerUp Careerup WordPress theme before 2.3.1, via the filter parameters. Published: April 04, 2022; 12:15:10 PM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |