Threat Database (Live Vulnerability Intelligence)

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Totals: 808 records (Critical 39, High 132, Medium 616)
Showing 481-500 of 808 records
CVE-2022-1564 - Form Maker by 10Web (WordPress plugin)

The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow a high-privilege user such as an admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Severity: MEDIUM (CVSS 4.8). Published 2022-05-30. Entry updated 2024-11-21.
CVE-2022-1203 - Content Mask (WordPress plugin)

The Content Mask WordPress plugin before 1.8.4.1 does not have authorisation and CSRF checks in various AJAX actions, and does not validate that the option to be updated belongs to the plugin. As a result, any authenticated user, such as a subscriber, could modify arbitrary blog options.

Severity: MEDIUM (CVSS 4.3). Published 2022-05-30. Entry updated 2024-11-21.
CVE-2022-0642 - JivoChat Live Chat (WordPress plugin)

The JivoChat Live Chat WordPress plugin before 1.3.5.4 does not properly check CSRF tokens on POST requests to the plugin's admin page, and does not sanitise some parameters, leading to a stored Cross-Site Scripting vulnerability: an attacker can trick a logged-in administrator into injecting arbitrary JavaScript.

Severity: MEDIUM (CVSS 5.4). Published 2022-05-30. Entry updated 2024-11-21.
CVE-2022-1547 - Check & Log Email (WordPress plugin)

The Check & Log Email WordPress plugin before 1.0.6 does not sanitise and escape a parameter before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting.

Severity: MEDIUM (CVSS 6.1). Published 2022-05-23. Entry updated 2024-11-21.
CVE-2022-1320 - Slider by 10Web (WordPress plugin)

The Slider by 10Web WordPress plugin before 1.2.52 does not properly sanitize and escape some of its settings, which could allow high-privilege users such as an admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Severity: MEDIUM (CVSS 4.8). Published 2022-05-23. Entry updated 2024-11-21.
CVE-2022-1409 - VikBooking Hotel Booking Engine & PMS (WordPress plugin)

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not properly validate images, allowing high-privilege users such as administrators to upload PHP files disguised as images and containing malicious PHP code.

Severity: HIGH (CVSS 7.2). Published 2022-05-16. Entry updated 2024-11-21.
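The defect class in the entry above is an upload path that trusts the declared image type. The validator below is an added example written for this listing, not VikBooking's code: it refuses script extensions anywhere in the name, requires the first bytes to match the declared image type, and scans the whole blob for a PHP open tag so that a file that is simultaneously a valid image and a PHP script is refused too. All sample files are constructed inline.

```python
"""Content-based image upload validation (added example, constructed data).

Three independent checks: extension allowlist (no script extension in any
segment of the name), magic bytes consistent with the declared extension,
and a scan for PHP open tags anywhere in the content, which catches an
image/PHP polyglot that would pass the first two checks.
"""
import re

# First-bytes signatures for the allowed extensions
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions that a typical PHP server configuration will execute
SCRIPT_EXTS = {"php", "phtml", "php3", "php5", "php7", "phar"}
# Matches "<?php" (word boundary) and the short echo tag "<?="
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def validate_image_upload(filename, data):
    """Return (ok, reason). ok is True only when every check passes."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    # shell.php.png is refused: some servers hand .php.* to the PHP handler
    if any(p in SCRIPT_EXTS for p in parts[:-1]):
        return False, "script extension inside filename"
    ext = parts[-1]
    if ext not in SIGNATURES:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(sig) for sig in SIGNATURES[ext]):
        return False, "content does not match the declared image type"
    if PHP_TAG.search(data):
        return False, "PHP open tag found inside image data"
    return True, "ok"


# Constructed sample uploads (the PHP snippet is a harmless echo)
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
SAMPLES = {
    "photo.png": PNG_HEADER + b"\x00\x00\x00\rIHDR" + b"\x00" * 16,
    "shell.php": b"<?php echo 'hi'; ?>",
    "shell.php.png": PNG_HEADER + b"<?php echo 'hi'; ?>",
    "renamed.jpg": b"<?php echo 'hi'; ?>",        # PHP with an image name
    "polyglot.gif": b"GIF89a\x01\x00\x01\x00" + b"<?php echo 'hi'; ?>",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, validate_image_upload(fname, blob))
```

In a WordPress plugin the equivalent of the magic-byte check is wp_check_filetype_and_ext(); two further layers belong in any real deployment regardless of plugin code: re-encoding accepted images with GD or Imagick (which discards embedded text such as a PHP tag) and a web-server rule that never executes PHP from the uploads directory.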
CVE-2022-1407 - VikBooking Hotel Booking Engine & PMS (WordPress plugin)

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not have a CSRF check in place when adding a tracking campaign, and does not escape the campaign fields when outputting them in attributes. As a result, attackers could make a logged-in admin add a tracking campaign containing XSS payloads via a CSRF attack.

Severity: MEDIUM (CVSS 6.5). Published 2022-05-16. Entry updated 2024-11-21.
CVE-2022-1455 - Call Now Button (WordPress plugin)

The Call Now Button WordPress plugin before 1.1.2 does not escape a parameter before outputting it back in an attribute of a hidden input, leading to Reflected Cross-Site Scripting when premium is enabled.

Severity: MEDIUM (CVSS 6.1). Published 2022-05-16. Entry updated 2024-11-21.
CVE-2022-1408 - VikBooking Hotel Booking Engine & PMS (WordPress plugin)

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not escape various settings before outputting them in attributes, which could allow high-privilege users such as an admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Severity: MEDIUM (CVSS 4.8). Published 2022-05-16. Entry updated 2024-11-21.
CVE-2022-1334 - WP YouTube Live (WordPress plugin)

The WP YouTube Live WordPress plugin before 1.8.3 does not validate, sanitise and escape several of its settings, which could allow high-privilege users such as an admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Severity: MEDIUM (CVSS 4.8). Published 2022-05-16. Entry updated 2024-11-21.
CVE-2022-1089 - Bulk Edit and Create User Profiles (WordPress plugin)

The Bulk Edit and Create User Profiles WordPress plugin before 1.5.14 does not sanitise and escape the Users Login field, which could allow high-privilege users such as an admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Severity: MEDIUM (CVSS 4.8). Published 2022-05-16. Entry updated 2024-11-21.
CVE-2022-0873 - Gmedia Photo Gallery (WordPress plugin)

The Gmedia Photo Gallery WordPress plugin before 1.20.0 does not sanitise and escape the Album's name before outputting it in pages/posts with a media embed, which could allow high-privilege users such as an admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Severity: MEDIUM (CVSS 4.8). Published 2022-05-16. Entry updated 2024-11-21.
CVE-2022-1013 - Personal Dictionary (WordPress plugin)

The Personal Dictionary WordPress plugin before 1.3.4 fails to properly sanitize user-supplied POST data before it is interpolated into an SQL statement and executed, leading to a blind SQL injection vulnerability.

Severity: CRITICAL (CVSS 9.8). Published 2022-05-09. Entry updated 2024-11-21.
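The entry above describes the pattern (request data interpolated into a statement) and the consequence (blind injection, where the response carries no query output but still differs between true and false conditions). The block below is an added example for this listing, not the plugin's code: a dictionary lookup written the vulnerable way beside the parameterised form, and a boolean oracle that recovers a constructed secret one character at a time through the vulnerable function only. The tables, rows and the secret value are all constructed; the table names are hypothetical.

```python
"""Interpolated SQL beside the parameterised form, plus a blind oracle.

Added example on constructed data: a two-table SQLite database stands in
for the plugin's storage. lookup_vulnerable() builds the statement with an
f-string; lookup_safe() binds the value. blind_extract() shows why the
"blind" case is still a full data leak: each probe yields only an
empty/non-empty result, yet that single bit is enough to read a column.
"""
import sqlite3

SECRET = "5f4dcc3b"  # constructed sample value, not a real credential


def setup():
    """Create the constructed in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE dictionary (word TEXT, definition TEXT)")
    db.execute("CREATE TABLE users (login TEXT, pass TEXT)")
    db.execute("INSERT INTO dictionary VALUES ('nonce', 'number used once')")
    db.execute("INSERT INTO dictionary VALUES ('salt', 'random value mixed into a hash')")
    db.execute("INSERT INTO users VALUES ('admin', ?)", (SECRET,))
    return db


def lookup_vulnerable(db, word):
    """Untrusted input is spliced into the statement text (the defect)."""
    sql = f"SELECT definition FROM dictionary WHERE word = '{word}'"
    return [r[0] for r in db.execute(sql)]


def lookup_safe(db, word):
    """The driver binds the value; quotes inside it are data, not syntax."""
    rows = db.execute("SELECT definition FROM dictionary WHERE word = ?", (word,))
    return [r[0] for r in rows]


def blind_extract(lookup, db, length):
    """Recover users.pass for 'admin' using only whether lookup() returns
    any row. Stops early if no character matches at a position (which is
    what happens against the parameterised lookup)."""
    recovered = ""
    alphabet = "0123456789abcdef"
    for pos in range(1, length + 1):
        for ch in alphabet:
            # The trailing quote is supplied by the vulnerable template.
            probe = (f"nonce' AND (SELECT substr(pass,{pos},1) FROM users "
                     f"WHERE login='admin') = '{ch}")
            if lookup(db, probe):
                recovered += ch
                break
        else:
            break
    return recovered


if __name__ == "__main__":
    db = setup()
    print(lookup_vulnerable(db, "nonce' OR '1'='1"))   # every row comes back
    print(lookup_safe(db, "nonce' OR '1'='1"))         # nothing matches literally
    print(blind_extract(lookup_vulnerable, db, len(SECRET)))
    print(blind_extract(lookup_safe, db, len(SECRET)))  # '' : no oracle
```

The WordPress equivalent of lookup_safe() is $wpdb->prepare() with %s/%d placeholders; the equivalent of the oracle is any page whose content or status differs with the truth of an injected condition, which is why "blind" never means "low impact".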
CVE-2022-1047 - Themify Post Type Builder Search Addon (WordPress plugin)

The Themify Post Type Builder Search Addon WordPress plugin before 1.4.0 does not properly escape the current page URL before reusing it in an HTML attribute, leading to a reflected Cross-Site Scripting vulnerability.

Severity: MEDIUM (CVSS 6.1). Published 2022-05-09. Entry updated 2024-11-21.
CVE-2022-0424 - Popup by Supsystic (WordPress plugin)

The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication or authorisation check on an AJAX action, allowing unauthenticated attackers to call it and obtain the email addresses of subscribed users.

Severity: MEDIUM (CVSS 5.3). Published 2022-05-09. Entry updated 2024-11-21.
CVE-2022-1104 - Popup Maker (WordPress plugin)

The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high-privilege users such as an admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Severity: MEDIUM (CVSS 4.8). Published 2022-05-09. Entry updated 2024-11-21.
CVE-2022-1282 - Photo Gallery by 10Web (WordPress plugin)

The Photo Gallery by 10Web WordPress plugin before 1.6.3 does not properly sanitize the $_GET['image_url'] variable, which is reflected back to users when the editimage_bwg AJAX action is executed.

Severity: MEDIUM (CVSS 6.1). Published 2022-05-02. Entry updated 2024-11-21.
CVE-2022-0952 - Sitemap by click5 (WordPress plugin)

The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as users_can_register and default_role, allowing them to create a new admin account and take over the blog.

Severity: HIGH (CVSS 8.8). Published 2022-05-02. Entry updated 2024-11-21.
CVE-2022-0191 - Ad Invalid Click Protector (AICP) (WordPress plugin)

The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.7 does not have a CSRF check when deleting banned users, which could allow attackers to make a logged-in admin remove arbitrary bans.

Severity: MEDIUM (CVSS 6.5). Published 2022-05-02. Entry updated 2024-11-21.
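Four entries on this page (CVE-2022-1203, CVE-2022-0424, CVE-2022-0952 and CVE-2022-0191) share two root causes: a handler reachable without a capability check or nonce, and an option-update routine that takes the option name from the request instead of restricting it to the plugin's own options. The script below is an added example for this listing, not code from any of those plugins or from the database. It is a deliberately simple regex-based audit of PHP source for exactly those patterns, and the plugin source it scans is constructed (the cm_ function and hook names are invented); a heuristic like this is a triage aid, not a replacement for reading the handler.

```python
"""Heuristic audit of WordPress AJAX/REST handlers for missing checks.

Added example on constructed PHP source. Reports, per wp_ajax_* hook:
no nonce verification (CSRF), no current_user_can() (authorisation),
update_option() whose option *name* comes from the request, and
wp_ajax_nopriv_ hooks (callable without logging in). Also flags REST
routes registered with permission_callback => '__return_true'.
"""
import re

# Constructed plugin source: a vulnerable handler, a hardened handler,
# an unauthenticated export, and a public REST route writing options.
SAMPLE_PLUGIN_PHP = r'''
add_action('wp_ajax_cm_save', 'cm_save');
add_action('wp_ajax_nopriv_cm_export', 'cm_export');
add_action('wp_ajax_cm_save_safe', 'cm_save_safe');

function cm_save() {
    update_option($_POST['option'], $_POST['value']);
    wp_send_json_success();
}

function cm_export() {
    echo json_encode(get_users(array('fields' => 'user_email')));
    wp_die();
}

function cm_save_safe() {
    check_ajax_referer('cm_nonce', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    update_option('cm_title', sanitize_text_field($_POST['value']));
    wp_send_json_success();
}

add_action('rest_api_init', function () {
    register_rest_route('cm/v1', '/option', array(
        'methods'  => 'POST',
        'callback' => 'cm_rest_update',
        'permission_callback' => '__return_true',
    ));
});

function cm_rest_update($request) {
    update_option($request['name'], $request['value']);
    return true;
}
'''

HOOK_RE = re.compile(
    r"add_action\(\s*['\"](wp_ajax_(?:nopriv_)?[\w-]+)['\"]\s*,\s*['\"](\w+)['\"]")
CAP_RE = re.compile(r"current_user_can\s*\(")
NONCE_RE = re.compile(r"(check_ajax_referer|wp_verify_nonce|check_admin_referer)\s*\(")
# update_option() whose first argument is read straight from request data
TAINTED_OPTION_RE = re.compile(r"update_option\(\s*\$(?:_POST|_GET|_REQUEST|request)\s*\[")
PUBLIC_REST_RE = re.compile(r"['\"]permission_callback['\"]\s*=>\s*['\"]__return_true['\"]")


def function_body(src, name):
    """Return the brace-delimited body of a named PHP function, or ''."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def audit(src):
    """Return a sorted list of (location, finding) tuples."""
    findings = []
    for hook, func in HOOK_RE.findall(src):
        body = function_body(src, func)
        if not NONCE_RE.search(body):
            findings.append((hook, "no nonce check (CSRF)"))
        if not CAP_RE.search(body):
            findings.append((hook, "no capability check"))
        if TAINTED_OPTION_RE.search(body):
            findings.append((hook, "option name taken from request"))
        if hook.startswith("wp_ajax_nopriv_"):
            findings.append((hook, "reachable unauthenticated"))
    for _ in PUBLIC_REST_RE.finditer(src):
        findings.append(("register_rest_route", "permission_callback is __return_true"))
    for m in re.finditer(r"function\s+(\w+)\s*\(\$request\)", src):
        if TAINTED_OPTION_RE.search(function_body(src, m.group(1))):
            findings.append((m.group(1), "option name taken from request"))
    return sorted(set(findings))


if __name__ == "__main__":
    for where, what in audit(SAMPLE_PLUGIN_PHP):
        print(f"{where}: {what}")
```

The hardened handler in the sample shows the shape of the fix for all four entries: verify a nonce, require a capability that matches the action (manage_options for settings), and name the option in code rather than accepting it from the client, so that core options such as users_can_register and default_role are out of reach.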
CVE-2022-1269 - Fast Flow (WordPress plugin)

The Fast Flow WordPress plugin before 1.2.12 does not sanitise and escape the page parameter before outputting it back in an attribute in an admin dashboard, leading to Reflected Cross-Site Scripting.

Severity: MEDIUM (CVSS 6.1). Published 2022-05-02. Entry updated 2024-11-21.
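Most of the Cross-Site Scripting entries on this page (CVE-2022-1547, CVE-2022-1407, CVE-2022-1455, CVE-2022-1408, CVE-2022-1047 and CVE-2022-1269 explicitly, and the "even when unfiltered_html is disallowed" entries by implication) concern a value written into an HTML attribute. The phrase "sanitise and escape" names two distinct steps, and the block below is an added example for this listing, not code from any of the plugins, that shows why the first alone is not enough: a value that has had all tags stripped on input can still close a double-quoted attribute on output. The tag stripper is a constructed stand-in for an input sanitiser such as WordPress's sanitize_text_field(); html.escape(quote=True) plays the role of esc_attr(). Payloads are constructed.

```python
"""Sanitising on input versus escaping for the attribute context on output.

Added example on constructed payloads. render_unsafe() strips tags and then
writes the value raw into value="..."; render_safe() additionally escapes
for the attribute context. parsed_attributes() uses Python's HTML parser as
a stand-in for the browser to show what each rendering actually produces.
"""
import html
import re
from html.parser import HTMLParser

TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value):
    """Input-side sanitising: remove anything that looks like a tag."""
    return TAG_RE.sub("", value)


def render_unsafe(value):
    """Sanitised on input, but written raw into a double-quoted attribute."""
    return f'<input type="hidden" name="page" value="{strip_tags(value)}">'


def render_safe(value):
    """Sanitised on input and escaped for the attribute context on output;
    quotes become entities, so the attribute cannot be closed early."""
    escaped = html.escape(strip_tags(value), quote=True)
    return f'<input type="hidden" name="page" value="{escaped}">'


class _AttrCollector(HTMLParser):
    """Collects the attributes the parser sees on the rendered start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def parsed_attributes(markup):
    """Return {name: value} as an HTML parser reads the rendered tag."""
    p = _AttrCollector()
    p.feed(markup)
    return dict(p.attrs)


def attribute_breakout(markup):
    """True if the parse shows any attribute beyond the three we wrote,
    i.e. the injected value escaped the value="" context."""
    return bool(set(parsed_attributes(markup)) - {"type", "name", "value"})


# Constructed payloads: one that tag-stripping defeats, one it does not
TAG_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'

if __name__ == "__main__":
    for payload in (TAG_PAYLOAD, ATTR_PAYLOAD):
        print(render_unsafe(payload), attribute_breakout(render_unsafe(payload)))
        print(render_safe(payload), attribute_breakout(render_safe(payload)))
```

The "even when unfiltered_html is disallowed" wording in the entries marks why this matters for admin-only settings: on multisite, and wherever DISALLOW_UNFILTERED_HTML is set, administrators are not meant to be able to place script in pages, so a plugin that writes their settings unescaped reopens that door.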