Search Results
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity
---|---|---
CVE-2022-3896 | The WP Affiliate Platform plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_SERVER["REQUEST_URI"] in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is unlikely to work in modern browsers. Published: November 29, 2022; 4:15:11 PM -0500 | V3.1: 6.1 MEDIUM; V2.0: (not available)
CVE-2022-3747 | The Becustom plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.5.2. This is due to missing nonce validation when saving the plugin's settings. This makes it possible for unauthenticated attackers to update the plugin's settings such as betheme_url_slug, replaced_theme_author, and betheme_label, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. Published: November 29, 2022; 4:15:11 PM -0500 | V3.1: 6.5 MEDIUM; V2.0: (not available)
CVE-2022-3384 | The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate_dropdown_options function, which accepts user-supplied input and passes it through call_user_func(). This is restricted to parameterless PHP functions such as phpinfo(), since user-supplied parameters are not passed to the called function. This makes it possible for authenticated attackers, with administrative privileges, to execute code on the server. Published: November 29, 2022; 4:15:11 PM -0500 | V3.1: 7.2 HIGH; V2.0: (not available)
CVE-2022-3383 | The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function, which accepts user-supplied input and passes it through call_user_func(). This makes it possible for authenticated attackers, with administrative capabilities, to execute code on the server. Published: November 29, 2022; 4:15:10 PM -0500 | V3.1: 7.2 HIGH; V2.0: (not available)
CVE-2022-3361 | The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including, 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply arbitrary paths using traversal (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a PHP file, remote code execution via inclusion may also be possible. Note: for users with less than administrative capabilities, /wp-admin access needs to be enabled for that user in order for this to be exploitable by those users. Published: November 29, 2022; 4:15:10 PM -0500 | V3.1: 4.3 MEDIUM; V2.0: (not available)
CVE-2021-31693 | The 10Web Photo Gallery plugin through 1.5.68 for WordPress allows XSS via album_gallery_id_0, bwg_album_search_0, and type_0 for bwg_frontend_data. NOTE: other parameters are covered by CVE-2021-24291, CVE-2021-25041, and CVE-2021-46889. NOTE: VMware information, previously connected to this CVE ID because of a typo, is at CVE-2022-31693. Published: November 29, 2022; 4:15:10 PM -0500 | V3.1: 6.5 MEDIUM; V2.0: (not available)
CVE-2022-38140 | Authenticated (contributor+) Arbitrary File Upload in SEO Plugin by Squirrly SEO plugin <= 12.1.10 on WordPress. Published: November 28, 2022; 3:15:16 PM -0500 | V3.1: 8.8 HIGH; V2.0: (not available)
CVE-2022-34654 | Cross-Site Request Forgery (CSRF) in Virgial Berveling's Manage Notification E-mails plugin <= 1.8.2 on WordPress. Published: November 28, 2022; 3:15:16 PM -0500 | V3.1: 8.8 HIGH; V2.0: (not available)
CVE-2022-3865 | The WP User Merger WordPress plugin before 1.5.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin. Published: November 28, 2022; 9:15:18 AM -0500 | V3.1: 8.8 HIGH; V2.0: (not available)
CVE-2022-3850 | The Find and Replace All WordPress plugin before 1.3 does not have a CSRF check when replacing strings, which could allow attackers to make a logged-in admin replace arbitrary strings in database tables via a CSRF attack. Published: November 28, 2022; 9:15:18 AM -0500 | V3.1: 4.3 MEDIUM; V2.0: (not available)
CVE-2022-3849 | The WP User Merger WordPress plugin before 1.5.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin. Published: November 28, 2022; 9:15:17 AM -0500 | V3.1: 8.8 HIGH; V2.0: (not available)
CVE-2022-3848 | The WP User Merger WordPress plugin before 1.5.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin. Published: November 28, 2022; 9:15:17 AM -0500 | V3.1: 8.8 HIGH; V2.0: (not available)
CVE-2022-3847 | The Showing URL in QR Code WordPress plugin through 0.0.1 does not have a CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin or editor add Stored XSS payloads via a CSRF attack. Published: November 28, 2022; 9:15:17 AM -0500 | V3.1: 6.1 MEDIUM; V2.0: (not available)
CVE-2022-3839 | The Analytics for WP WordPress plugin through 1.5.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). Published: November 28, 2022; 9:15:16 AM -0500 | V3.1: 4.8 MEDIUM; V2.0: (not available)
CVE-2022-3834 | The Google Forms WordPress plugin through 0.95 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). Published: November 28, 2022; 9:15:16 AM -0500 | V3.1: 4.8 MEDIUM; V2.0: (not available)
CVE-2022-3833 | The Fancier Author Box by ThematoSoup WordPress plugin through 1.4 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). Published: November 28, 2022; 9:15:15 AM -0500 | V3.1: 4.8 MEDIUM; V2.0: (not available)
CVE-2022-3831 | The reCAPTCHA WordPress plugin through 1.6 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). Published: November 28, 2022; 9:15:15 AM -0500 | V3.1: 4.8 MEDIUM; V2.0: (not available)
CVE-2022-3828 | The Video Thumbnails WordPress plugin through 2.12.3 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). Published: November 28, 2022; 9:15:15 AM -0500 | V3.1: 4.8 MEDIUM; V2.0: (not available)
CVE-2022-3824 | The WP Admin UI Customize WordPress plugin before 1.5.13 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). Published: November 28, 2022; 9:15:14 AM -0500 | V3.1: 4.8 MEDIUM; V2.0: (not available)
CVE-2022-3823 | The Beautiful Cookie Consent Banner WordPress plugin before 2.9.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). Published: November 28, 2022; 9:15:14 AM -0500 | V3.1: 4.8 MEDIUM; V2.0: (not available)
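Several entries above share one root cause: a settings-save handler that neither validates a nonce (CSRF, as in CVE-2022-3747, CVE-2022-3850 and CVE-2022-3847) nor sanitises and escapes the stored value (stored XSS, as in CVE-2022-3839 through CVE-2022-3823). The snippet below is an added illustration of that pattern and its fix; it is not code from any plugin listed on this page. It assumes the WordPress plugin API (the admin_post_* hook, nonce, capability and KSES helpers), and the option names, form action and function names are hypothetical.

```php
<?php
// Added illustration; not code from any plugin listed above. Assumes the
// WordPress plugin API. Option names (vulnplug_*) and the form action are
// hypothetical. Runs only when loaded as a plugin inside WordPress.

// Vulnerable pattern: saves settings from POST with no nonce check, no
// capability check and no sanitisation. A cross-site form auto-submitted by a
// logged-in admin overwrites the option, and whatever HTML it carries is later
// printed unescaped (stored XSS), whether or not the user holds unfiltered_html.
function vulnplug_save_settings_vulnerable() {
    update_option( 'vulnplug_label', $_POST['label'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=vulnplug' ) );
    exit;
}

// Hardened pattern: verify the nonce bound to this action, require the
// capability the action needs, and sanitise before storing.
function vulnplug_save_settings_hardened() {
    // Dies with a 403 unless the request carries a valid nonce for this action.
    check_admin_referer( 'vulnplug_save_settings', 'vulnplug_nonce' );

    // A nonce proves intent, not authorisation; check the capability separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }

    // Plain-text setting: strip tags, control characters and extra whitespace.
    $label = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) );

    // Rich-text setting: keep only the post-safe HTML subset unless the user
    // actually holds unfiltered_html (multisite site admins do not by default).
    $raw_html = wp_unslash( $_POST['footer_html'] ?? '' );
    $footer   = current_user_can( 'unfiltered_html' ) ? $raw_html : wp_kses_post( $raw_html );

    update_option( 'vulnplug_label', $label );
    update_option( 'vulnplug_footer_html', $footer );
    wp_safe_redirect( admin_url( 'options-general.php?page=vulnplug' ) );
    exit;
}
add_action( 'admin_post_vulnplug_save', 'vulnplug_save_settings_hardened' );

// The form that targets the handler embeds the matching nonce, and every value
// is escaped for its output context as the last line of defence.
function vulnplug_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="vulnplug_save">
        <?php wp_nonce_field( 'vulnplug_save_settings', 'vulnplug_nonce' ); ?>
        <input name="label" value="<?php echo esc_attr( get_option( 'vulnplug_label', '' ) ); ?>">
        <textarea name="footer_html"><?php echo esc_textarea( get_option( 'vulnplug_footer_html', '' ) ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The nonce and the capability check address different things: the nonce stops a forged request from a third-party page, the capability check stops a lower-privileged account that can reach the endpoint directly. Sanitising on input and escaping on output are both needed because the stored value may be rendered in more than one context.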
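CVE-2022-3384 and CVE-2022-3383 describe the same mechanism: a request-controlled string reaches call_user_func(), so any function name that exists in the process becomes callable. The following is an added plain-PHP illustration of that pattern beside an allowlist-based replacement; it is not Ultimate Member's code, and the option-source names and helper functions are hypothetical. It runs stand-alone with the php command line.

```php
<?php
// Added illustration of the call_user_func() pattern; not code from any
// listed plugin. Plain PHP 8, no WordPress dependency. Option sources and
// helper functions are hypothetical.

// Vulnerable pattern: the request supplies the function name. The
// function_exists() guard only confirms the name resolves; it does nothing to
// constrain *which* function runs, so zero-argument functions such as
// phpinfo() or php_uname() are reachable from the request.
function vulnerable_options(string $callback)
{
    if (!function_exists($callback)) {
        return [];
    }
    return call_user_func($callback); // attacker chooses the callee
}

// Hardened pattern: the request supplies a key, never a function name, and the
// key is resolved through a fixed map owned by the code.
function list_countries(): array { return ['DE', 'FR', 'US']; }
function list_roles(): array     { return ['subscriber', 'editor']; }

const OPTION_SOURCES = [
    'countries' => 'list_countries',
    'roles'     => 'list_roles',
];

function safe_options(string $source): array
{
    if (!array_key_exists($source, OPTION_SOURCES)) {
        throw new InvalidArgumentException("unknown option source: $source");
    }
    return call_user_func(OPTION_SOURCES[$source]);
}

// Demo with constructed request values.
echo "vulnerable('php_uname') -> ", vulnerable_options('php_uname'), "\n";
foreach (['countries', 'php_uname', 'phpinfo'] as $req) {
    try {
        printf("safe('%s') -> %s\n", $req, json_encode(safe_options($req)));
    } catch (InvalidArgumentException $e) {
        printf("safe('%s') -> rejected (%s)\n", $req, $e->getMessage());
    }
}
```

The allowlist also removes the "parameterless functions only" limitation as a relevant detail: with a fixed map the set of reachable callees is exactly the map's values, regardless of how arguments are passed.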
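CVE-2022-3361 is a path traversal through a shortcode 'template' attribute that ends up in an include. Below is an added plain-PHP illustration of why concatenating such an attribute into a path is unsafe and how to confine the resolved path; it is not Ultimate Member's code. The directory layout and template names are constructed for the demo, and it runs stand-alone with the php command line.

```php
<?php
// Added illustration of the 'template' traversal pattern; not code from any
// listed plugin. Plain PHP, no WordPress dependency. Paths are constructed.

// Vulnerable pattern: the attribute is concatenated into the include path, so
// '../../secret' resolves to a file outside the template directory.
function vulnerable_template_path(string $base, string $name): string
{
    return $base . '/' . $name . '.php';
}

// Hardened pattern: restrict the name to a safe character class, then prove
// the resolved path still lives under the template directory.
function safe_template_path(string $base, string $name): ?string
{
    if (!preg_match('/\A[a-z0-9_-]+\z/i', $name)) {
        return null;                             // rejects '/', '..', NUL, etc.
    }
    $root = realpath($base);
    $path = realpath($base . '/' . $name . '.php');
    if ($root === false || $path === false) {
        return null;                             // missing directory or template
    }
    // Containment: the resolved path must start with root plus a separator,
    // which also catches symlinks that point outside the directory.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Demo on a throwaway directory layout.
$tmp  = sys_get_temp_dir() . '/tpl-demo-' . getmypid();
$base = "$tmp/plugin/templates";
mkdir($base, 0700, true);
file_put_contents("$base/profile.php", "<?php echo 'profile template';\n");
file_put_contents("$tmp/secret.php",   "<?php echo 'outside the template dir';\n");

foreach (['profile', '../../secret', 'no-such-template'] as $name) {
    $v = vulnerable_template_path($base, $name);
    printf("%-18s vulnerable: %-14s hardened: %s\n", $name,
        file_exists($v) ? 'would include' : 'missing',
        safe_template_path($base, $name) ?? 'rejected');
}

// Clean up the demo files.
unlink("$base/profile.php");
unlink("$tmp/secret.php");
rmdir($base);
rmdir("$tmp/plugin");
rmdir($tmp);
```

The character-class check alone is enough to stop '../' sequences; the realpath() containment check is the belt-and-braces part that also holds when the base directory contains a symlink or when the allowed names are later widened.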