U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 5,714 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2022-43468

External initialization of trusted variables or data stores vulnerability exists in WordPress Popular Posts 6.0.5 and earlier, therefore the vulnerable product accepts untrusted external inputs to update certain internal variables. As a result, the number of views for an article may be manipulated through a crafted input.

Published: December 06, 2022; 11:15:10 PM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2022-42699

Auth. Remote Code Execution vulnerability in Easy WP SMTP plugin <= 1.5.1 on WordPress.

Published: December 06, 2022; 6:15:10 PM -0500
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2022-45833

Auth. Path Traversal vulnerability in Easy WP SMTP plugin <= 1.5.1 on WordPress.

Published: December 06, 2022; 5:15:10 PM -0500
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-45829

Auth. Path Traversal vulnerability in Easy WP SMTP plugin <= 1.5.1 at WordPress.

Published: December 06, 2022; 5:15:10 PM -0500
V3.1: 8.1 HIGH
V2.0:(not available)
CVE-2022-45816

Auth. Stored Cross-Site Scripting (XSS) vulnerability in GD bbPress Attachments plugin <= 4.3.1 on WordPress.

Published: December 06, 2022; 5:15:10 PM -0500
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2022-45848

Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Contest Gallery plugin <= 13.1.0.9 on WordPress.

Published: December 06, 2022; 4:15:10 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-45359

Unauth. Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards premium plugin <= 3.19.0 on WordPress.

Published: December 06, 2022; 4:15:10 PM -0500
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2022-42888

Unauth. Privilege Escalation vulnerability in ARMember premium plugin <= 5.5.1 on WordPress.

Published: December 06, 2022; 4:15:10 PM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2022-40209

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Xylus Themes WP Smart Import plugin <= 1.0.2 on WordPress.

Published: December 06, 2022; 10:15:15 AM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2022-3926

The WP OAuth Server (OAuth Authentication) WordPress plugin before 3.4.2 does not have CSRF check when regenerating secrets, which could allow attackers to make logged in admins regenerate the secret of an arbitrary client given they know the client ID

Published: December 05, 2022; 12:15:10 PM -0500
V3.1: 6.5 MEDIUM
V2.0:(not available)
CVE-2022-3909

The Add Comments WordPress plugin through 1.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Published: December 05, 2022; 12:15:10 PM -0500
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-3907

The Clerk WordPress plugin before 4.0.0 is affected by time-based attacks in the validation function for all API requests due to the usage of comparison operators to verify API keys against the ones stored in the site options.

Published: December 05, 2022; 12:15:10 PM -0500
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2022-3892

The WP OAuth Server (OAuth Authentication) WordPress plugin before 4.2.2 does not sanitize and escape Client IDs, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Published: December 05, 2022; 12:15:10 PM -0500
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-3858

The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button WordPress plugin before 3.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin.

Published: December 05, 2022; 12:15:10 PM -0500
V3.1: 7.2 HIGH
V2.0:(not available)
CVE-2022-3856

The Comic Book Management System WordPress plugin before 2.2.0 does not sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin.

Published: December 05, 2022; 12:15:10 PM -0500
V3.1: 7.2 HIGH
V2.0:(not available)
CVE-2022-3846

The Workreap WordPress theme before 2.6.3 has a vulnerability with the notifications feature as it's possible to read any user's notification (employer or freelancer) as the notification ID is brute-forceable.

Published: December 05, 2022; 12:15:10 PM -0500
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2022-3838

The WPUpper Share Buttons WordPress plugin through 3.42 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Published: December 05, 2022; 12:15:10 PM -0500
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-3837

The Uji Countdown WordPress plugin through 2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Published: December 05, 2022; 12:15:10 PM -0500
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-3830

The WP Page Builder WordPress plugin through 1.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Published: December 05, 2022; 12:15:10 PM -0500
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2022-3694

The Syncee WordPress plugin before 1.0.10 leaks the administrator token that can be used to take over the administrator's account.

Published: December 05, 2022; 12:15:10 PM -0500
V3.1: 7.5 HIGH
V2.0:(not available)