Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-11-21
CVE-2022-1916 - Before 1 Plugin
The Active Products Tables for WooCommerce. Professional products tables for WooCommerce store WordPress plugin before 1.0.5 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected cross-Site Scripting
PLUGIN
Before 1
CVE-2022-1916
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1994 - Before 1 Plugin
The Login With OTP Over SMS, Email, WhatsApp and Google Authenticator WordPress plugin before 1.0.8 does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
PLUGIN
Before 1
CVE-2022-1994
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1327 - Before 1 Plugin
The Image Gallery WordPress plugin before 1.1.6 does not sanitize and escape some of its Image fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
PLUGIN
Before 1
CVE-2022-1327
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1845 - Before 1 Plugin
The WP Post Styling WordPress plugin before 1.3.1 does not have CSRF checks in various actions, which could allow attackers to make a logged in admin delete plugin's data, update the settings, add new entries and more via CSRF attacks
PLUGIN
Before 1
CVE-2022-1845
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1010 - Before 1 Plugin
The Login using WordPress Users ( WP as SAML IDP ) WordPress plugin before 1.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 1
CVE-2022-1010
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0875 - Before 1 Plugin
The Google Authenticator WordPress plugin before 1.0.5 does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks
PLUGIN
Before 1
CVE-2022-0875
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1939 - Before 1 Plugin
The Allow svg files WordPress plugin before 1.1 does not properly validate uploaded files, which could allow high privilege users such as admin to upload PHP files even when they are not allowed to
PLUGIN
Before 1
CVE-2022-1939
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1945 - Before 1 Plugin
The Coming Soon & Maintenance Mode by Colorlib WordPress plugin before 1.0.99 does not sanitize and escape some settings, allowing high privilege users such as admin to perform Stored Cross-Site Scripting when unfiltered_html is disallowed (for example in multisite setup)
PLUGIN
Before 1
CVE-2022-1945
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1896 - Before 1 Plugin
The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletred_html capability is disallowed.
PLUGIN
Before 1
CVE-2022-1896
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1895 - Before 1 Plugin
The underConstruction WordPress plugin before 1.20 does not have CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged in admin perform such action via a CSRF attack
PLUGIN
Before 1
CVE-2022-1895
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1472 - Before 1 Plugin
The Better Find and Replace WordPress plugin before 1.3.6 does not properly sanitise, validate and escape various parameters before using them in an SQL statement, leading to an SQL Injection
PLUGIN
Before 1
CVE-2022-1472
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25121 - Before 1 Plugin
The Rating by BestWebSoft WordPress plugin before 1.6 does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service on the post/page when a user submit such rating
PLUGIN
Before 1
CVE-2021-25121
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1266 - Before 1 Plugin
The Post Grid, Slider & Carousel Ultimate WordPress plugin before 1.5.0 does not sanitise and escape the Header Title, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
PLUGIN
Before 1
CVE-2022-1266
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25104 - Before 1 Plugin
The Ocean Extra WordPress plugin before 1.9.5 does not escape generated links which are then used when the OceanWP is active, leading to a Reflected Cross-Site Scripting issue
PLUGIN
Before 1
CVE-2021-25104
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2022-0209 - Before 1 Plugin
The Mitsol Social Post Feed WordPress plugin before 1.11 does not escape some of its settings before outputting them back in attributes, which could allow high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
PLUGIN
Before 1
CVE-2022-0209
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1800 - Before 1 Plugin
The Export any WordPress data to XML/CSV WordPress plugin before 1.3.5 does not sanitize the cpt POST parameter when exporting post data before using it in a database query, leading to an SQL injection vulnerability.
PLUGIN
Before 1
CVE-2022-1800
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1777 - Before 1 Plugin
The Filr WordPress plugin before 1.2.2.1 does not have authorisation check in two of its AJAX actions, allowing them to be called by any authenticated users, such as subscriber. They are are protected with a nonce, however the nonce is leaked on the dashboard. This could allow them to upload arbitrary HTML files as well as delete all files or arbitrary ones.
PLUGIN
Before 1
CVE-2022-1777
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1762 - Before 1 Plugin
The iQ Block Country WordPress plugin before 1.2.20 does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it's block feature by spoofing the headers.
PLUGIN
Before 1
CVE-2022-1762
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1604 - Before 1 Plugin
The MailerLite WordPress plugin before 1.5.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting
PLUGIN
Before 1
CVE-2022-1604
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1710 - Before 1 Plugin
The Appointment Hour Booking WordPress plugin before 1.3.56 does not sanitise and escape a settings of its Calendar fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.
PLUGIN
Before 1
CVE-2022-1710
Risk Score