Search Results
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
| Vuln ID | Summary | Published | CVSS Severity |
|---|---|---|---|
| CVE-2022-1580 | The Site Offline Or Coming Soon Or Maintenance Mode WordPress plugin before 1.5.3 prevents users from accessing a website but does not do so if the URL contained certain keywords. Adding those keywords to the URL's query string would bypass the plugin's main feature. | September 19, 2022; 10:15:10 AM -0400 | V3.1: 4.3 MEDIUM; V2.0: (not available) |
| CVE-2022-29489 | Cross-Site Request Forgery (CSRF) vulnerability in Sucuri Security plugin <= 1.8.33 at WordPress leading to Event log entry creation. | September 16, 2022; 6:15:10 PM -0400 | V3.1: 4.3 MEDIUM; V2.0: (not available) |
| CVE-2022-2913 | The Login No Captcha reCAPTCHA WordPress plugin before 1.7 doesn't check the proper IP address, allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen. | September 16, 2022; 5:15:11 AM -0400 | V3.1: 4.3 MEDIUM; V2.0: (not available) |
| CVE-2022-2912 | The Craw Data WordPress plugin through 1.0.0 does not implement nonce checks, which could allow attackers to make a logged-in admin change the url value, performing unwanted crawls on third-party sites (SSRF). | September 16, 2022; 5:15:11 AM -0400 | V3.1: 4.3 MEDIUM; V2.0: (not available) |
| CVE-2022-2887 | The WP Server Health Stats WordPress plugin before 1.7.0 does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | September 16, 2022; 5:15:11 AM -0400 | V3.1: 4.8 MEDIUM; V2.0: (not available) |
| CVE-2022-2877 | The Titan Anti-spam & Security WordPress plugin before 7.3.1 does not properly check HTTP headers in order to validate the origin IP address, allowing threat actors to bypass its block feature by spoofing the headers. | September 16, 2022; 5:15:11 AM -0400 | V3.1: 5.3 MEDIUM; V2.0: (not available) |
| CVE-2022-2863 | The Migration, Backup, Staging WordPress plugin before 0.9.76 does not sanitise and validate a parameter before using it to read the content of a file, allowing high privilege users to read any file from the web server via a Traversal attack. | September 16, 2022; 5:15:11 AM -0400 | V3.1: 4.9 MEDIUM; V2.0: (not available) |
| CVE-2022-2799 | The Affiliates Manager WordPress plugin before 2.9.14 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | September 16, 2022; 5:15:11 AM -0400 | V3.1: 4.8 MEDIUM; V2.0: (not available) |
| CVE-2022-2798 | The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliate to perform CSV injection attacks against an admin exporting the data. | September 16, 2022; 5:15:10 AM -0400 | V3.1: 8.0 HIGH; V2.0: (not available) |
| CVE-2022-2737 | The WP STAGING WordPress plugin before 2.9.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | September 16, 2022; 5:15:10 AM -0400 | V3.1: 4.8 MEDIUM; V2.0: (not available) |
| CVE-2022-2669 | The WP Taxonomy Import WordPress plugin through 1.0.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. | September 16, 2022; 5:15:10 AM -0400 | V3.1: 6.1 MEDIUM; V2.0: (not available) |
| CVE-2022-2655 | The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting. | September 16, 2022; 5:15:10 AM -0400 | V3.1: 6.1 MEDIUM; V2.0: (not available) |
| CVE-2022-2654 | The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store & Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting. | September 16, 2022; 5:15:10 AM -0400 | V3.1: 6.1 MEDIUM; V2.0: (not available) |
| CVE-2022-2635 | The Autoptimize WordPress plugin before 3.1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | September 16, 2022; 5:15:10 AM -0400 | V3.1: 4.8 MEDIUM; V2.0: (not available) |
| CVE-2022-2575 | The WBW Currency Switcher for WooCommerce WordPress plugin before 1.6.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | September 16, 2022; 5:15:10 AM -0400 | V3.1: 4.8 MEDIUM; V2.0: (not available) |
| CVE-2022-2351 | The Post SMTP Mailer/Email Log WordPress plugin before 2.1.4 does not escape some of its settings before outputting them in the admin dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfiltered_html capability is disallowed. | September 16, 2022; 5:15:10 AM -0400 | V3.1: 4.8 MEDIUM; V2.0: (not available) |
| CVE-2022-1194 | The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability. | September 16, 2022; 5:15:10 AM -0400 | V3.1: 8.8 HIGH; V2.0: (not available) |
| CVE-2022-38139 | Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in RD Station plugin <= 5.2.0 at WordPress. | September 13, 2022; 10:15:08 AM -0400 | V3.1: 8.8 HIGH; V2.0: (not available) |
| CVE-2022-38135 | Broken Access Control vulnerability in Dean Oakley's Photospace Gallery plugin <= 2.3.5 at WordPress allows users with subscriber or higher role to change plugin settings. | September 12, 2022; 5:15:11 PM -0400 | V3.1: 4.3 MEDIUM; V2.0: (not available) |
| CVE-2022-40191 | Authenticated (subscriber+) Stored Cross-Site Scripting (XSS) vulnerability in Ali Khallad's Contact Form By Mega Forms plugin <= 1.2.4 at WordPress. | September 09, 2022; 11:15:15 AM -0400 | V3.1: 5.4 MEDIUM; V2.0: (not available) |