Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2026-02-02

CVE-2022-2551 - Duplicator WordPress plugin

The Duplicator WordPress plugin before 1.4.7 discloses the URL of the backup to unauthenticated visitors who access the plugin's main installer endpoint, if the installer script has been run once by an administrator, allowing the full site backup to be downloaded without authentication.
HIGH CVSS 7.5 2022-08-22
Threat Entry Updated 2024-11-21

CVE-2022-2544 - Ninja Job Board WordPress plugin

The Ninja Job Board WordPress plugin before 1.3.3 does not protect the directory where it stores uploaded resumes, making it vulnerable to unauthenticated directory listing, which allows the download of uploaded resumes.
HIGH CVSS 7.5 2022-08-22
Threat Entry Updated 2024-11-21

CVE-2022-2593 - Better Search Replace WordPress plugin

The Better Search Replace WordPress plugin before 1.4.1 does not properly sanitise and escape table data before inserting it into a SQL query, which could allow high-privilege users to perform SQL injection attacks.
HIGH CVSS 7.2 2022-08-22
Threat Entry Updated 2024-11-21

CVE-2022-2392 - Lana Downloads Manager WordPress plugin

The Lana Downloads Manager WordPress plugin before 1.8.0 is affected by an arbitrary file download vulnerability that can be exploited by users with "Contributor" permissions or higher.
MEDIUM CVSS 6.5 2022-08-22
Threat Entry Updated 2026-02-02

CVE-2022-2552 - Duplicator WordPress plugin

The Duplicator WordPress plugin before 1.4.7 does not authenticate or authorise visitors before displaying information about the system, such as the server software, PHP version and full file system path to the site.
MEDIUM CVSS 5.3 2022-08-22
Threat Entry Updated 2024-11-21

CVE-2022-25812 - Transposh WordPress Translation plugin

The Transposh WordPress Translation WordPress plugin before 1.0.8 does not validate its debug settings, which could allow high-privilege users such as admins to achieve remote code execution (RCE).
HIGH CVSS 7.2 2022-08-22
Threat Entry Updated 2024-11-21

CVE-2022-2375 - WP Sticky Button WordPress plugin

The WP Sticky Button WordPress plugin before 1.4.1 does not have authorisation and CSRF checks when saving its settings, allowing unauthenticated users to update them. Furthermore, due to the lack of escaping in some of them, this could lead to Stored Cross-Site Scripting issues.
MEDIUM CVSS 5.4 2022-08-22
Threat Entry Updated 2024-11-21

CVE-2022-2312 - Student Result or Employee Database WordPress plugin

The Student Result or Employee Database WordPress plugin before 1.7.5 does not have CSRF checks in its AJAX actions, allowing attackers to make a logged-in user with a role as low as Contributor add, edit and delete students via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, this could also lead to Stored Cross-Site Scripting.
MEDIUM CVSS 5.4 2022-08-22
Threat Entry Updated 2024-11-21

CVE-2022-2276 - WP Edit Menu WordPress plugin

The WP Edit Menu WordPress plugin before 1.5.0 does not have authorisation and CSRF checks in an AJAX action, which could allow unauthenticated attackers to delete arbitrary posts/pages from the blog.
MEDIUM CVSS 4.3 2022-08-22
Threat Entry Updated 2024-11-21

CVE-2022-2275 - WP Edit Menu WordPress plugin

The WP Edit Menu WordPress plugin before 1.5.0 does not have a CSRF check in an AJAX action, which could allow attackers to make a logged-in admin delete arbitrary posts/pages from the blog via a CSRF attack.
MEDIUM CVSS 4.3 2022-08-22
Threat Entry Updated 2024-11-21

CVE-2021-24910 - Transposh WordPress Translation plugin

The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the "a" parameter of an AJAX action (available to both unauthenticated and authenticated users when the curl library is installed) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.
MEDIUM CVSS 6.1 2022-08-22
Threat Entry Updated 2024-11-21

CVE-2021-24912 - Transposh WordPress Translation plugin

The Transposh WordPress Translation WordPress plugin before 1.0.8 does not have a CSRF check in its tp_translation AJAX action, which could allow attackers to make authorised users add a translation. Given the lack of sanitisation of the tk0 parameter, this could lead to a Stored Cross-Site Scripting issue that executes in the context of a logged-in admin.
MEDIUM CVSS 5.4 2022-08-22
Threat Entry Updated 2024-11-21

CVE-2021-24911 - Transposh WordPress Translation plugin

The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the tk0 parameter of the tp_translation AJAX action, leading to Stored Cross-Site Scripting that triggers in the plugin's admin dashboard. The minimum role needed to perform such an attack depends on the plugin's "Who can translate ?" setting.
MEDIUM CVSS 5.4 2022-08-22
Threat Entry Updated 2025-04-15

CVE-2022-2846 - Calendar Event Multi View WordPress plugin

The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation or CSRF checks in place when creating an event, and also lacks sanitisation and escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and place Cross-Site Scripting payloads in them.
MEDIUM CVSS 4.3 2022-08-16
Threat Entry Updated 2024-11-21

CVE-2022-2535 - SearchWP Live Ajax Search WordPress plugin

The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not ensure that users performing a live search are limited to published posts only, allowing unauthenticated users to make a crafted query that discloses private/draft/pending post titles along with their permalinks.
MEDIUM CVSS 5.3 2022-08-15
Threat Entry Updated 2024-11-21

CVE-2022-2384 - Digital Publications by Supsystic WordPress plugin

The Digital Publications by Supsystic WordPress plugin before 1.7.4 does not sanitise and escape its settings, allowing high-privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
MEDIUM CVSS 4.8 2022-08-15
Threat Entry Updated 2024-11-21

CVE-2022-2116 - Contact Form DB WordPress plugin

The Contact Form DB WordPress plugin before 1.8.0 does not sanitise and escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting.
MEDIUM CVSS 6.1 2022-08-15
Threat Entry Updated 2024-11-21

CVE-2022-2395 - weForms WordPress plugin

The weForms WordPress plugin before 1.6.14 does not sanitise and escape its settings, allowing high-privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
MEDIUM CVSS 4.8 2022-08-08
Threat Entry Updated 2024-11-21

CVE-2022-2269 - Website File Changes Monitor WordPress plugin

The Website File Changes Monitor WordPress plugin before 1.8.3 does not sanitise and escape user input before using it in a SQL statement via an action available to users with the manage_options capability (by default, admins), leading to SQL injection.
CRITICAL CVSS 9.8 2022-08-08
Threat Entry Updated 2024-11-21

CVE-2022-2356 - Frontend File Manager & Sharing WordPress plugin

The Frontend File Manager & Sharing WordPress plugin before 1.1.3 does not filter file extensions when letting users upload files to the server, which may lead to malicious code being uploaded.
HIGH CVSS 8.8 2022-08-08