Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 808 (Critical: 39, High: 132, Medium: 616)
Showing 521-540 of 808 records
Threat Entry Updated 2024-11-21
CVE-2022-0709 - Plugin

The Booking Package WordPress plugin before 1.5.29 requires a token for exporting the iCal representation of its booking calendar, but this token is returned in the JSON response to unauthenticated users performing a booking, leading to a sensitive data disclosure vulnerability.

HIGH, CVSS 7.5, 2022-04-04
Threat Entry Updated 2024-11-21
CVE-2022-0864 - Plugin

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.22.9 does not sanitise and escape the updraft_interval parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.

MEDIUM, CVSS 6.1, 2022-04-04
Threat Entry Updated 2024-11-21
CVE-2022-0837 - Plugin

The Amelia WordPress plugin before 1.0.48 does not have proper authorisation when handling the Amelia SMS service, allowing any customer to send paid test SMS notifications as well as retrieve sensitive information about the admin, such as the email, account balance and payment history. A malicious actor can abuse this vulnerability to drain the account balance by continually sending SMS notifications.

MEDIUM, CVSS 5.4, 2022-04-04
Threat Entry Updated 2024-11-21
CVE-2022-0825 - Plugin

The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any customer to update others' booking status, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it.

MEDIUM, CVSS 5.4, 2022-04-04
Threat Entry Updated 2024-11-21
CVE-2022-0680 - Plugin

The Plezi WordPress plugin before 1.0.3 has a REST endpoint allowing unauthenticated users to update the plz_configuration_tracker_enable option, which is then displayed in the admin panel without sanitisation and escaping, leading to a Stored Cross-Site Scripting issue.

MEDIUM, CVSS 6.1, 2022-03-28
Threat Entry Updated 2024-11-21
CVE-2022-0720 - Plugin

The Amelia WordPress plugin before 1.0.47 does not have proper authorisation when managing appointments, allowing any customer to update others' bookings, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it.

MEDIUM, CVSS 5.4, 2022-03-28
Threat Entry Updated 2024-11-21
CVE-2022-0595 - Plugin

The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to a Stored Cross-Site Scripting issue.

MEDIUM, CVSS 5.4, 2022-03-28
Threat Entry Updated 2024-11-21
CVE-2022-0739 - Plugin

The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user-supplied POST data before it is used in a dynamically constructed SQL query via the bookingpress_front_get_category_services AJAX action (available to unauthenticated users), leading to an unauthenticated SQL Injection.

CRITICAL, CVSS 9.8, 2022-03-21
Threat Entry Updated 2024-11-21
CVE-2022-0694 - Plugin

The Advanced Booking Calendar WordPress plugin before 1.7.0 does not validate and escape the calendar parameter before using it in a SQL statement via the abc_booking_getSingleCalendar AJAX action (available to both unauthenticated and authenticated users), leading to an unauthenticated SQL injection.

CRITICAL, CVSS 9.8, 2022-03-21
Threat Entry Updated 2024-11-21
CVE-2022-0687 - Plugin

The Amelia WordPress plugin before 1.0.47 stores image blobs into actual files whose extension is controlled by the user, which may lead to PHP backdoors being uploaded onto the site. This vulnerability can be exploited by logged-in users with the custom "Amelia Manager" role.

HIGH, CVSS 8.8, 2022-03-21
Threat Entry Updated 2024-11-21
CVE-2022-0640 - Plugin

The Pricing Table Builder WordPress plugin before 1.1.5 does not sanitize and escape the postid parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting vulnerability.

MEDIUM, CVSS 6.1, 2022-03-21
Threat Entry Updated 2024-11-21
CVE-2022-0627 - Plugin

The Amelia WordPress plugin before 1.0.47 does not sanitize and escape the code parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting vulnerability.

MEDIUM, CVSS 6.1, 2022-03-21
Threat Entry Updated 2024-11-21
CVE-2022-0423 - Plugin

The 3D FlipBook WordPress plugin before 1.12.1 does not have authorisation and CSRF checks when updating its settings, and does not have any sanitisation/escaping, allowing any authenticated user, such as a subscriber, to put Cross-Site Scripting payloads in all pages with a 3D flipbook.

MEDIUM, CVSS 5.4, 2022-03-21
Threat Entry Updated 2024-11-21
CVE-2022-0616 - Plugin

The Amelia WordPress plugin before 1.0.47 does not have a CSRF check in place when deleting customers, which could allow attackers to make a logged-in admin delete arbitrary customers via a CSRF attack.

MEDIUM, CVSS 4.3, 2022-03-21
Threat Entry Updated 2024-11-21
CVE-2021-24905 - Plugin

The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the wp-config.php allows attackers to trigger WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to the users.

HIGH, CVSS 8.0, 2022-03-21
Threat Entry Updated 2024-11-21
CVE-2022-0593 - Plugin

The Login with phone number WordPress plugin before 1.3.7 includes a file delete.php with no form of authentication or authorization checks placed in the plugin directory, allowing unauthenticated users to remotely delete the plugin files, leading to a potential Denial of Service situation.

MEDIUM, CVSS 6.5, 2022-03-14
Threat Entry Updated 2024-11-21
CVE-2022-0648 - Plugin

The Team Circle Image Slider With Lightbox WordPress plugin before 1.0.16 does not sanitize and escape the order_pos parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting vulnerability.

MEDIUM, CVSS 6.1, 2022-03-14
Threat Entry Updated 2024-11-21
CVE-2022-0700 - Plugin

The Simple Tracking WordPress plugin before 1.7 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM, CVSS 4.8, 2022-03-14
Threat Entry Updated 2024-11-21
CVE-2022-0169 - Plugin

The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection.

CRITICAL, CVSS 9.8, 2022-03-14