Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 808
Critical: 39
High: 132
Medium: 616
Showing 421-440 of 808 records
Threat Entry Updated 2025-09-24

CVE-2022-2355 - Before 1 Plugin

The Easy Username Updater WordPress plugin before 1.0.5 does not implement CSRF checks, which could allow attackers to make a logged-in admin change any user's username, including the admin's.

PLUGIN Before 1

CVE-2022-2355

MEDIUM CVSS 6.5 2022-08-08
Threat Entry Updated 2024-11-21

CVE-2022-1950 - Before 1 Plugin

The Youzify WordPress plugin before 1.2.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection

PLUGIN Before 1

CVE-2022-1950

CRITICAL CVSS 9.8 2022-08-01
Threat Entry Updated 2024-11-21

CVE-2022-2245 - Before 1 Plugin

The Counter Box WordPress plugin before 1.2.1 lacks a CSRF check when activating and deactivating counters, which could allow attackers to make a logged-in admin perform such actions via CSRF attacks.

PLUGIN Before 1

CVE-2022-2245

HIGH CVSS 8.8 2022-08-01
Threat Entry Updated 2024-11-21

CVE-2022-2181 - Before 1 Plugin

The Advanced WordPress Reset WordPress plugin before 1.6 does not escape some generated URLs before outputting them back in href attributes of admin dashboard pages, leading to Reflected Cross-Site Scripting

PLUGIN Before 1

CVE-2022-2181

MEDIUM CVSS 6.1 2022-08-01
Threat Entry Updated 2024-11-21

CVE-2022-2170 - Before 1 Plugin

The Microsoft Advertising Universal Event Tracking (UET) WordPress plugin before 1.0.4 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Due to the nature of this plugin, well crafted XSS can also leak into the frontpage.

PLUGIN Before 1

CVE-2022-2170

MEDIUM CVSS 4.8 2022-08-01
Threat Entry Updated 2024-11-21

CVE-2022-0598 - Before 1 Plugin

The Login with phone number WordPress plugin before 1.3.8 does not sanitise and escape plugin settings which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 1

CVE-2022-0598

MEDIUM CVSS 4.8 2022-08-01
Threat Entry Updated 2024-11-21

CVE-2022-2189 - Before 1 Plugin

The WP Video Lightbox WordPress plugin before 1.9.5 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers

PLUGIN Before 1

CVE-2022-2189

MEDIUM CVSS 6.1 2022-07-25
Threat Entry Updated 2024-11-21

CVE-2022-2072 - Before 1 Plugin

The Name Directory WordPress plugin before 1.25.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Furthermore, as the payload is also saved into the database after the request, it leads to a Stored XSS as well

PLUGIN Before 1

CVE-2022-2072

MEDIUM CVSS 6.1 2022-07-25
Threat Entry Updated 2024-11-21

CVE-2022-2071 - Before 1 Plugin

The Name Directory WordPress plugin before 1.25.4 does not have a CSRF check when importing names, and also lacks sanitisation and escaping in some of the imported data, which could allow attackers to make a logged-in admin import arbitrary names with XSS payloads in them.

PLUGIN Before 1

CVE-2022-2071

MEDIUM CVSS 6.1 2022-07-25
Threat Entry Updated 2024-11-21

CVE-2022-0899 - Before 1 Plugin

The Header Footer Code Manager WordPress plugin before 1.1.24 does not escape generated URLs before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting.

PLUGIN Before 1

CVE-2022-0899

MEDIUM CVSS 6.1 2022-07-25
Threat Entry Updated 2024-11-21

CVE-2022-2186 - Before 1 Plugin

The Simple Post Notes WordPress plugin before 1.7.6 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 1

CVE-2022-2186

MEDIUM CVSS 4.8 2022-07-17
Threat Entry Updated 2024-11-21

CVE-2022-2169 - Before 1 Plugin

The Loading Page with Loading Screen WordPress plugin before 1.0.83 does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 1

CVE-2022-2169

MEDIUM CVSS 4.8 2022-07-17
Threat Entry Updated 2024-11-21

CVE-2022-2114 - Before 1 Plugin

The Data Tables Generator by Supsystic WordPress plugin before 1.10.20 does not sanitise and escape some of its Table settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Before 1

CVE-2022-2114

MEDIUM CVSS 4.8 2022-07-17
Threat Entry Updated 2024-11-21

CVE-2022-2100 - Before 1 Plugin

The Page Generator WordPress plugin before 1.6.5 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 1

CVE-2022-2100

MEDIUM CVSS 4.8 2022-07-17
Threat Entry Updated 2026-01-23

CVE-2022-1952 - Before 1 Plugin

The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps.

PLUGIN Before 1

CVE-2022-1952

CRITICAL CVSS 9.8 2022-07-11
Threat Entry Updated 2024-11-21

CVE-2022-2093 - Before 1 Plugin

The WP Duplicate Page WordPress plugin before 1.3 does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Before 1

CVE-2022-2093

MEDIUM CVSS 4.8 2022-07-11
Threat Entry Updated 2024-11-21

CVE-2022-1957 - Before 1 Plugin

The Comment License WordPress plugin before 1.4.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN Before 1

CVE-2022-1957

MEDIUM CVSS 4.3 2022-07-11
Threat Entry Updated 2024-11-21

CVE-2022-1937 - Before 1 Plugin

The Awin Data Feed WordPress plugin before 1.8 does not sanitise and escape a parameter before outputting it back via an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting

PLUGIN Before 1

CVE-2022-1937

MEDIUM CVSS 6.1 2022-07-11
Threat Entry Updated 2024-11-21

CVE-2022-1938 - Before 1 Plugin

The Awin Data Feed WordPress plugin before 1.8 does not sanitise and escape a header when processing a request to generate analytics data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against a logged-in admin viewing the plugin's settings.

PLUGIN Before 1

CVE-2022-1938

MEDIUM CVSS 5.4 2022-07-11
Threat Entry Updated 2024-11-21

CVE-2022-1953 - Before 1 Plugin

The Product Configurator for WooCommerce WordPress plugin before 1.2.32 suffers from an arbitrary file deletion vulnerability via an AJAX action, accessible to unauthenticated users, which accepts user input that is being used in a path and passed to unlink() without validation first

PLUGIN Before 1

CVE-2022-1953

CRITICAL CVSS 9.1 2022-06-27