"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 808
Critical: 39
High: 132
Medium: 616
Showing 381-400 of 808 records
Threat Entry Updated 2025-05-13

CVE-2022-2574 - Before 1 Plugin

The Meks Easy Social Share WordPress plugin before 1.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Before 1

CVE-2022-2574

MEDIUM CVSS 4.8 2022-10-17
Threat Entry Updated 2024-11-21

CVE-2022-3154 - Before 1 Plugin

The Woo Billingo Plus WordPress plugin before 4.4.5.4, Integration for Billingo & Gravity Forms WordPress plugin before 1.0.4, and Integration for Szamlazz.hu & Gravity Forms WordPress plugin before 1.2.7 lack CSRF checks in various AJAX actions, which could allow attackers to make logged-in Shop Managers and above perform unwanted actions, such as deactivating the plugin's license.

PLUGIN Before 1

CVE-2022-3154

HIGH CVSS 7.1 2022-10-10
Threat Entry Updated 2024-11-21

CVE-2022-3137 - Before 1 Plugin

The Taskbuilder WordPress plugin before 1.0.8 does not validate and sanitise task's attachments, which could allow any authenticated user (such as subscriber) creating a task to perform Stored Cross-Site Scripting by attaching a malicious SVG file

PLUGIN Before 1

CVE-2022-3137

MEDIUM CVSS 5.4 2022-10-10
Threat Entry Updated 2024-11-21

CVE-2022-3220 - Before 1 Plugin

The Advanced Comment Form WordPress plugin before 1.2.1 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 1

CVE-2022-3220

MEDIUM CVSS 4.8 2022-10-10
Threat Entry Updated 2024-11-21

CVE-2022-3136 - Before 1 Plugin

The Social Rocket WordPress plugin before 1.3.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Before 1

CVE-2022-3136

MEDIUM CVSS 4.8 2022-10-10
Threat Entry Updated 2024-11-21

CVE-2022-3132 - Before 1 Plugin

The Goolytics WordPress plugin before 1.1.2 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 1

CVE-2022-3132

MEDIUM CVSS 4.8 2022-10-03
Threat Entry Updated 2025-05-21

CVE-2022-2404 - Before 1 Plugin

The WP Popup Builder WordPress plugin before 1.2.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting

PLUGIN Before 1

CVE-2022-2404

MEDIUM CVSS 6.1 2022-09-26
Threat Entry Updated 2025-05-21

CVE-2022-2405 - Before 1 Plugin

The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to delete arbitrary popups.

PLUGIN Before 1

CVE-2022-2405

MEDIUM CVSS 4.3 2022-09-26
Threat Entry Updated 2024-11-21

CVE-2022-2710 - Before 1 Plugin

The Scroll To Top WordPress plugin before 1.4.1 does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Before 1

CVE-2022-2710

MEDIUM CVSS 4.8 2022-09-19
Threat Entry Updated 2024-11-21

CVE-2022-2567 - Before 1 Plugin

The Form Builder CP WordPress plugin before 1.2.32 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Before 1

CVE-2022-2567

MEDIUM CVSS 4.8 2022-09-19
Threat Entry Updated 2024-11-21

CVE-2022-1580 - Before 1 Plugin

The Site Offline Or Coming Soon Or Maintenance Mode WordPress plugin before 1.5.3 prevents users from accessing a website, but does not do so if the URL contains certain keywords. Adding those keywords to the URL's query string bypasses the plugin's main feature.

PLUGIN Before 1

CVE-2022-1580

MEDIUM CVSS 4.3 2022-09-19
Threat Entry Updated 2024-11-21

CVE-2022-2887 - Before 1 Plugin

The WP Server Health Stats WordPress plugin before 1.7.0 does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 1

CVE-2022-2887

MEDIUM CVSS 4.8 2022-09-16
Threat Entry Updated 2025-06-03

CVE-2022-2913 - Before 1 Plugin

The Login No Captcha reCAPTCHA WordPress plugin before 1.7 doesn't check the proper IP address, allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen.

PLUGIN Before 1

CVE-2022-2913

MEDIUM CVSS 4.3 2022-09-16
Threat Entry Updated 2024-11-21

CVE-2022-1194 - Before 1 Plugin

The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability.

PLUGIN Before 1

CVE-2022-1194

HIGH CVSS 8.8 2022-09-16
Threat Entry Updated 2024-11-21

CVE-2022-2575 - Before 1 Plugin

The WBW Currency Switcher for WooCommerce WordPress plugin before 1.6.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Before 1

CVE-2022-2575

MEDIUM CVSS 4.8 2022-09-16
Threat Entry Updated 2024-11-21

CVE-2022-2775 - Before 1 Plugin

The Fast Flow WordPress plugin before 1.2.13 does not sanitise and escape some of its Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Before 1

CVE-2022-2775

MEDIUM CVSS 5.5 2022-09-05
Threat Entry Updated 2024-11-21

CVE-2022-2559 - Before 1 Plugin

The Fluent Support WordPress plugin before 1.5.8 does not properly sanitise, validate and escape various parameters before using them in an SQL statement, leading to an SQL Injection vulnerability exploitable by high privilege users

PLUGIN Before 1

CVE-2022-2559

HIGH CVSS 7.2 2022-08-29
Threat Entry Updated 2024-11-21

CVE-2022-2538 - Before 1 Plugin

The WP Hide & Security Enhancer WordPress plugin before 1.8 does not escape a parameter before outputting it back in an attribute of a backend page, leading to a Reflected Cross-Site Scripting

PLUGIN Before 1

CVE-2022-2538

MEDIUM CVSS 6.1 2022-08-29
Threat Entry Updated 2024-11-21

CVE-2022-2373 - Before 1 Plugin

The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress users details such as name and email address

PLUGIN Before 1

CVE-2022-2373

MEDIUM CVSS 5.3 2022-08-29
Threat Entry Updated 2024-11-21

CVE-2022-2374 - Before 1 Plugin

The Simply Schedule Appointments WordPress plugin before 1.5.7.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Before 1

CVE-2022-2374

MEDIUM CVSS 4.8 2022-08-29