Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2022-2172 |
The LinkWorth WordPress plugin before 3.3.4 does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack. Published: August 22, 2022; 11:15:14 AM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2022-25812 |
The Transposh WordPress Translation WordPress plugin before 1.0.8 does not validate its debug settings, which could allow allowing high privilege users such as admin to perform RCE Published: August 22, 2022; 11:15:14 AM -0400 |
V3.1: 7.2 HIGH V2.0:(not available) |
CVE-2022-25811 |
The Transposh WordPress Translation WordPress plugin through 1.0.8 does not sanitise and escape the order and orderby parameters before using them in a SQL statement, leading to a SQL injection Published: August 22, 2022; 11:15:14 AM -0400 |
V3.1: 7.2 HIGH V2.0:(not available) |
CVE-2022-25810 |
The Transposh WordPress Translation WordPress plugin through 1.0.8 exposes a couple of sensitive actions such has “tp_reset” under the Utilities tab (/wp-admin/admin.php?page=tp_utils), which can be used/executed as the lowest-privileged user. Basically all Utilities functionalities are vulnerable this way, which involves resetting configurations and backup/restore operations. Published: August 22, 2022; 11:15:14 AM -0400 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2022-1932 |
The Rezgo Online Booking WordPress plugin before 4.1.8 does not sanitise and escape some parameters before outputting them back in a page, leading to a Reflected Cross-Site Scripting, which can be exploited either via a LFI in an AJAX action, or direct call to the affected file Published: August 22, 2022; 11:15:13 AM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2022-1322 |
The Coming Soon - Under Construction WordPress plugin through 1.1.9 does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed Published: August 22, 2022; 11:15:13 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2022-1251 |
The Ask me WordPress theme before 6.8.4 does not perform nonce checks when processing POST requests to the Edit Profile page, allowing an attacker to trick a user to change their profile information by sending a crafted request. Published: August 22, 2022; 11:15:13 AM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2022-0446 |
The Simple Banner WordPress plugin before 2.12.0 does not properly sanitize its "Simple Banner Text" Settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Published: August 22, 2022; 11:15:13 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2021-36857 |
Authenticated (editor+) Stored Cross-Site Scripting (XSS) vulnerability in wpshopmart Testimonial Builder plugin <= 1.6.1 at WordPress. Published: August 22, 2022; 11:15:13 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2021-36852 |
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking plugin <= 1.10.5 at WordPress. Published: August 22, 2022; 11:15:13 AM -0400 |
V3.1: 8.0 HIGH V2.0:(not available) |
CVE-2021-36847 |
Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WebbaPlugins Webba Booking plugin <= 4.2.21 at WordPress. Published: August 22, 2022; 11:15:13 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2021-24912 |
The Transposh WordPress Translation WordPress plugin before 1.0.8 does not have CSRF check in its tp_translation AJAX action, which could allow attackers to make authorised users add a translation. Given the lack of sanitisation in the tk0 parameter, this could lead to a Stored Cross-Site Scripting issue which will be executed in the context of a logged in admin Published: August 22, 2022; 11:15:12 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2021-24911 |
The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the tk0 parameter from the tp_translation AJAX action, leading to Stored Cross-Site Scripting, which will trigger in the admin dashboard of the plugin. The minimum role needed to perform such attack depends on the plugin "Who can translate ?" setting. Published: August 22, 2022; 11:15:12 AM -0400 |
V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2021-24910 |
The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the a parameter via an AJAX action (available to both unauthenticated and authenticated users when the curl library is installed) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue Published: August 22, 2022; 11:15:12 AM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2022-2846 |
The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it. Published: August 16, 2022; 3:15:09 PM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2022-2535 |
The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not ensure that users making a live search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink Published: August 15, 2022; 7:21:28 AM -0400 |
V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2022-2384 |
The Digital Publications by Supsystic WordPress plugin before 1.7.4 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Published: August 15, 2022; 7:21:24 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
CVE-2022-2381 |
The E Unlocked - Student Result WordPress plugin through 1.0.4 is lacking CSRF and validation when uploading the School logo, which could allow attackers to make a logged in admin upload arbitrary files, such as PHP via a CSRF attack Published: August 15, 2022; 7:21:23 AM -0400 |
V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2022-2379 |
The Easy Student Results WordPress plugin through 2.2.8 lacks authorisation in its REST API, allowing unauthenticated users to retrieve information related to the courses, exams, departments as well as student's grades and PII such as email address, physical address, phone number etc Published: August 15, 2022; 7:21:23 AM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2022-2378 |
The Easy Student Results WordPress plugin through 2.2.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting Published: August 15, 2022; 7:21:22 AM -0400 |
V3.1: 6.1 MEDIUM V2.0:(not available) |