Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-11-21
CVE-2022-1250 - Before 1 Plugin
The LifterLMS PayPal WordPress plugin before 1.4.0 does not sanitise and escape some parameters from the payment confirmation page before outputting them back in the page, leading to a Reflected Cross-Site Scripting issue
PLUGIN
Before 1
CVE-2022-1250
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1255 - Before 1 Plugin
The Import and export users and customers WordPress plugin before 1.19.2.1 does not sanitise and escaped imported CSV data, which could allow high privilege users to import malicious javascript code and lead to Stored Cross-Site Scripting issues
PLUGIN
Before 1
CVE-2022-1255
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25002 - Before 1 Plugin
The Tipsacarrier WordPress plugin before 1.5.0.5 does not have any authorisation check in place some functions, which could allow unauthenticated users to access Orders data which could be used to retrieve the client full address, name and phone via tracking URL
PLUGIN
Before 1
CVE-2021-25002
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1391 - Before 1 Plugin
The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.
PLUGIN
Before 1
CVE-2022-1391
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1228 - Before 1 Plugin
The Opensea WordPress plugin before 1.0.3 does not sanitize and escape some of its settings, like its "Referer address" field, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
PLUGIN
Before 1
CVE-2022-1228
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1027 - Before 1 Plugin
The Page Restriction WordPress (WP) WordPress plugin before 1.2.7 allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings leading to stored Cross-Site Scripting that will only affect administrator users.
PLUGIN
Before 1
CVE-2022-1027
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0657 - Before 1 Plugin
The 5 Stars Rating Funnel WordPress Plugin | RRatingg WordPress plugin before 1.2.54 does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtngg_delete_leads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue. There is an attempt to sanitise the input, using sanitize_text_field(), however such function is not intended to prevent SQL injections.
PLUGIN
Before 1
CVE-2022-0657
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-46782 - Before 1 Plugin
The Pricing Table by Supsystic WordPress plugin before 1.9.5 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting
PLUGIN
Before 1
CVE-2021-46782
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-46781 - Before 1 Plugin
The Coming Soon by Supsystic WordPress plugin before 1.7.6 does not sanitise and escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting
PLUGIN
Before 1
CVE-2021-46781
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-46780 - Before 1 Plugin
The Easy Google Maps WordPress plugin before 1.9.32 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting
PLUGIN
Before 1
CVE-2021-46780
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25111 - Before 1 Plugin
The English WordPress Admin WordPress plugin before 1.5.2 does not validate the admin_custom_language_return_url before redirecting users o it, leading to an open redirect issue
PLUGIN
Before 1
CVE-2021-25111
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1091 - Before 1 Plugin
The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent (mainly XSS, but depending on further use of uploaded SVG files potentially other XML attacks).
PLUGIN
Before 1
CVE-2022-1091
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1037 - Before 1 Plugin
The EXMAGE WordPress plugin before 1.0.7 does to ensure that images added via URLs are external images, which could lead to a blind SSRF issue by using local URLs
PLUGIN
Before 1
CVE-2022-1037
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0879 - Before 1 Plugin
The Caldera Forms WordPress plugin before 1.9.7 does not validate and escape the cf-api parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting
PLUGIN
Before 1
CVE-2022-0879
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1001 - Before 1 Plugin
The WP Downgrade WordPress plugin before 1.2.3 only perform client side validation of its "WordPress Target Version" settings, but does not sanitise and escape it server side, allowing high privilege users such as admin to perform Cross-Site attacks even when the unfiltered_html capability is disallowed
PLUGIN
Before 1
CVE-2022-1001
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1023 - Before 1 Plugin
The Podcast Importer SecondLine WordPress plugin before 1.3.8 does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by imported a malicious podcast file
PLUGIN
Before 1
CVE-2022-1023
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1006 - Before 1 Plugin
The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the id parameter when editing Calendars, which could allow high privilege users such as admin to perform SQL injection attacks
PLUGIN
Before 1
CVE-2022-1006
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1007 - Before 1 Plugin
The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
PLUGIN
Before 1
CVE-2022-1007
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0471 - Before 1 Plugin
The Favicon by RealFaviconGenerator WordPress plugin before 1.3.23 does not properly sanitise and escape the json_result_url parameter before outputting it back in the Favicon admin dashboard, leading to a Reflected Cross-Site Scripting issue
PLUGIN
Before 1
CVE-2022-0471
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0246 - Before 1 Plugin
The settings of the iQ Block Country WordPress plugin before 1.2.13 can be exported or imported using its backup functionality. An authorized user can import preconfigured settings of the plugin by uploading a zip file. After the uploading process, files in the uploaded zip file are extracted one by one. During the extraction process, existence of a file is checked. If the file exists, it is deleted without any security control by only considering the name of the extracted file. This behavior leads to "Zip Slip" vulnerability.
PLUGIN
Before 1
CVE-2022-0246
Risk Score