Search Results
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
Vuln ID | Summary | Published | CVSS Severity
---|---|---|---
CVE-2022-41996 | Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada premium theme versions <= 7.8.1 on WordPress, leading to arbitrary plugin installation/activation. | October 27, 2022; 1:15:10 PM -0400 | V3.1: 8.8 HIGH; V2.0: not available
CVE-2022-3395 | The WP All Export Pro WordPress plugin before 1.7.9 uses the contents of the cc_sql POST parameter directly as a database query, allowing users who have been given permission to run exports to execute arbitrary SQL statements, leading to a SQL Injection vulnerability. By default only users with the Administrator role can perform exports, but this can be delegated to lower privileged users as well. | October 25, 2022; 1:15:57 PM -0400 | V3.1: 8.8 HIGH; V2.0: not available
CVE-2022-3394 | The WP All Export Pro WordPress plugin before 1.7.9 does not limit some functionality during exports only to users with the Administrator role, allowing any logged in user who has been given privileges to perform exports to execute arbitrary code on the site. By default only administrators can run exports, but the privilege can be delegated to lower privileged users. | October 25, 2022; 1:15:57 PM -0400 | V3.1: 7.2 HIGH; V2.0: not available
CVE-2022-3393 | The Post to CSV by BestWebSoft WordPress plugin through 1.4.0 does not properly escape fields when exporting data as CSV, leading to a CSV injection. | October 25, 2022; 1:15:57 PM -0400 | V3.1: 9.8 CRITICAL; V2.0: not available
CVE-2022-3392 | The WP Humans.txt WordPress plugin through 1.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). | October 25, 2022; 1:15:57 PM -0400 | V3.1: 4.8 MEDIUM; V2.0: not available
CVE-2022-3391 | The Retain Live Chat WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). | October 25, 2022; 1:15:57 PM -0400 | V3.1: 4.8 MEDIUM; V2.0: not available
CVE-2022-3350 | The Contact Bank WordPress plugin through 3.0.30 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). | October 25, 2022; 1:15:57 PM -0400 | V3.1: 4.8 MEDIUM; V2.0: not available
CVE-2022-3335 | The Kadence WooCommerce Email Designer WordPress plugin before 1.5.7 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog. | October 25, 2022; 1:15:57 PM -0400 | V3.1: 7.2 HIGH; V2.0: not available
CVE-2022-3302 | The Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.185.1 does not validate ids before using them in a SQL statement, which could lead to SQL injection exploitable by high privilege users such as admin. | October 25, 2022; 1:15:56 PM -0400 | V3.1: 7.2 HIGH; V2.0: not available
CVE-2022-3300 | The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. | October 25, 2022; 1:15:56 PM -0400 | V3.1: 7.2 HIGH; V2.0: not available
CVE-2022-3247 | The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.9.10 does not have authorisation in an AJAX action, and does not ensure that the URL to make a request to is an external one. As a result, any authenticated user, such as a subscriber, could perform SSRF attacks. | October 25, 2022; 1:15:56 PM -0400 | V3.1: 6.5 MEDIUM; V2.0: not available
CVE-2022-3246 | The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.9.10 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated user, such as a subscriber. | October 25, 2022; 1:15:56 PM -0400 | V3.1: 8.8 HIGH; V2.0: not available
CVE-2022-3097 | The Plugin LBstopattack WordPress plugin before 1.1.3 does not use nonces when saving its settings, making it possible for attackers to conduct CSRF attacks. This could allow attackers to disable the plugin's protections. | October 25, 2022; 1:15:56 PM -0400 | V3.1: 6.5 MEDIUM; V2.0: not available
CVE-2022-2762 | The AdminPad WordPress plugin before 2.2 does not have a CSRF check when updating the admin's note, allowing attackers to make a logged in admin update their notes via a CSRF attack. | October 25, 2022; 1:15:52 PM -0400 | V3.1: 6.5 MEDIUM; V2.0: not available
CVE-2022-41638 | Auth. Stored Cross-Site Scripting (XSS) in Pop-Up Chop Chop plugin <= 2.1.7 on WordPress. | October 21, 2022; 12:15:11 PM -0400 | V3.1: 5.4 MEDIUM; V2.0: not available
CVE-2022-40311 | Auth. (admin+) Stored Cross-Site Scripting (XSS) in Fatcat Apps Analytics Cat plugin <= 1.0.9 on WordPress. | October 21, 2022; 12:15:11 PM -0400 | V3.1: 4.8 MEDIUM; V2.0: not available
CVE-2022-38104 | Auth. WordPress Options Change (siteurl, users_can_register, default_role, admin_email and new_admin_email) vulnerability in Biplob Adhikari's Accordions – Multiple Accordions or FAQs Builder plugin (versions <= 2.0.3) on WordPress. | October 21, 2022; 12:15:10 PM -0400 | V3.1: 7.2 HIGH; V2.0: not available
CVE-2022-26375 | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mammothology AB Press Optimizer plugin <= 1.1.1 on WordPress. | October 17, 2022; 2:15:12 PM -0400 | V3.1: 4.8 MEDIUM; V2.0: not available
CVE-2022-3282 | The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form. | October 17, 2022; 8:15:10 AM -0400 | V3.1: 4.3 MEDIUM; V2.0: not available
CVE-2022-3244 | The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not have authorisation in some places, which could allow any authenticated user to access some of the plugin features if they manage to get the related nonce. | October 17, 2022; 8:15:10 AM -0400 | V3.1: 4.2 MEDIUM; V2.0: not available