Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

808 entries listed: 39 critical, 132 high, 616 medium.
Showing 541-560 of 808 records.
CVE-2022-0399 - Advanced Product Labels for WooCommerce WordPress plugin
Severity: MEDIUM (CVSS 6.1). Date: 2022-03-14. Threat entry updated 2024-11-21.

The Advanced Product Labels for WooCommerce WordPress plugin before 1.2.3.7 does not sanitise and escape the tax_color_set_type parameter before outputting it back in the berocket_apl_color_listener AJAX action's response, leading to a Reflected Cross-Site Scripting vulnerability.

CVE-2022-0327 - Master Addons for Elementor WordPress plugin
Severity: MEDIUM (CVSS 6.1). Date: 2022-03-14. Threat entry updated 2024-11-21.

The Master Addons for Elementor WordPress plugin before 1.8.5 does not sanitise and escape the error_message parameter before outputting it back in the response of the jltma_restrict_content AJAX action, which is available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting vulnerability.

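The reflected XSS pattern in the two entries above (CVE-2022-0399 and CVE-2022-0327), as an added PHP example that is not code from either plugin: a hypothetical `examplepl_preview` admin-ajax action that echoes a request parameter, first as it would be vulnerable and then hardened. The `examplepl` prefix, the action name, the `color_set_type` parameter and the allow-list values are assumptions.

```php
<?php
// Added example, not code from Advanced Product Labels or Master Addons.
// The "examplepl" prefix, the "examplepl_preview" action and the
// "color_set_type" parameter are assumptions for illustration.

// VULNERABLE: the request parameter is echoed straight into an HTML response.
// Registered on both wp_ajax_ (logged-in) and wp_ajax_nopriv_ (anonymous),
// so any visitor can be sent a link that triggers it.
function examplepl_preview_vulnerable() {
    $type = isset( $_GET['color_set_type'] ) ? $_GET['color_set_type'] : '';
    // "><script>...</script> in color_set_type lands in the page unchanged.
    echo '<div class="apl-preview" data-type="' . $type . '">' . $type . '</div>';
    wp_die();
}
add_action( 'wp_ajax_examplepl_preview_vuln', 'examplepl_preview_vulnerable' );
add_action( 'wp_ajax_nopriv_examplepl_preview_vuln', 'examplepl_preview_vulnerable' );

// FIXED: sanitise on input, allow-list the value (it is an enumeration),
// and escape for the exact output context (attribute vs element text).
function examplepl_preview_fixed() {
    // The action is public by design, so this nonce only blocks CSRF; it does
    // nothing for XSS. The escaping below is what makes the output safe.
    check_ajax_referer( 'examplepl_preview', 'nonce' );

    $type = isset( $_GET['color_set_type'] )
        ? sanitize_key( wp_unslash( $_GET['color_set_type'] ) )
        : '';

    $allowed = array( 'swatch', 'dropdown', 'radio' );   // assumed set of values
    if ( ! in_array( $type, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid color set type' ), 400 );
    }

    // Escape per context: esc_attr() inside the attribute, esc_html() for text.
    $html = sprintf(
        '<div class="apl-preview" data-type="%s">%s</div>',
        esc_attr( $type ),
        esc_html( $type )
    );
    wp_send_json_success( array( 'html' => $html ) );
}
add_action( 'wp_ajax_examplepl_preview', 'examplepl_preview_fixed' );
add_action( 'wp_ajax_nopriv_examplepl_preview', 'examplepl_preview_fixed' );
```

Two points worth keeping in mind when reading the fixed version. wp_send_json_success() sends `Content-Type: application/json`, so the raw response is no longer rendered as a document, but the `html` fragment still ends up in the DOM through the plugin's own JavaScript, which is why the server-side escaping stays necessary. For free-text parameters such as `error_message`, where no allow-list applies, the equivalent is sanitize_text_field() on input and esc_html() or esc_attr() on output, chosen by where the value is inserted. For logged-out callers a WordPress nonce is the same value for every visitor, so on the nopriv path it adds little; it is kept so the logged-in path is covered.
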
CVE-2022-0248 - Contact Form Submissions WordPress plugin
Severity: MEDIUM (CVSS 6.1). Date: 2022-03-14. Threat entry updated 2024-11-21.

The Contact Form Submissions WordPress plugin before 1.7.3 does not sanitise and escape additional fields in contact form requests before outputting them in the related submission. As a result, an unauthenticated attacker could perform Cross-Site Scripting attacks against admins viewing the malicious submission.

CVE-2022-0161 - ARI Fancy Lightbox WordPress plugin
Severity: MEDIUM (CVSS 6.1). Date: 2022-03-14. Threat entry updated 2024-11-21.

The ARI Fancy Lightbox WordPress plugin before 1.3.9 does not sanitise and escape the msg parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting vulnerability.

CVE-2021-25026 - Patreon WordPress plugin
Severity: MEDIUM (CVSS 5.5). Date: 2022-03-14. Threat entry updated 2024-11-21.

The Patreon WordPress plugin before 1.8.2 does not sanitise and escape the "Custom Patreon Page name" field, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2021-24958 - Meks Easy Photo Feed Widget WordPress plugin
Severity: MEDIUM (CVSS 5.4). Date: 2022-03-14. Threat entry updated 2024-11-21.

The Meks Easy Photo Feed Widget WordPress plugin before 1.2.4 does not have capability and CSRF checks in the meks_save_business_selected_account AJAX action, which is available to any authenticated user, and does not escape some of the settings. As a result, any authenticated user, such as a subscriber, could update the plugin's settings and store Cross-Site Scripting payloads in them.

CVE-2021-24895 - Cybersoldier WordPress plugin
Severity: MEDIUM (CVSS 4.8). Date: 2022-03-14. Threat entry updated 2024-11-21.

The Cybersoldier WordPress plugin before 1.7.0 does not sanitise and escape the URL setting before outputting it in an attribute, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2022-0347 - LoginPress | Custom Login Page Customizer WordPress plugin
Severity: MEDIUM (CVSS 6.1). Date: 2022-03-07. Threat entry updated 2024-11-21.

The LoginPress | Custom Login Page Customizer WordPress plugin before 1.5.12 does not escape the redirect-page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting vulnerability.

CVE-2022-0535 - E2Pdf WordPress plugin
Severity: MEDIUM (CVSS 4.8). Date: 2022-03-07. Threat entry updated 2024-11-21.

The E2Pdf WordPress plugin before 1.16.45 does not sanitise and escape some of its settings, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2022-0448 - CP Blocks WordPress plugin
Severity: MEDIUM (CVSS 4.8). Date: 2022-03-07. Threat entry updated 2024-11-21.

The CP Blocks WordPress plugin before 1.0.15 does not sanitise and escape its "License ID" setting, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2022-0389 - WP Time Slots Booking Form WordPress plugin
Severity: MEDIUM (CVSS 4.8). Date: 2022-03-07. Threat entry updated 2024-11-21.

The WP Time Slots Booking Form WordPress plugin before 1.1.63 does not sanitise and escape Calendar names, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

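The Patreon, Cybersoldier, E2Pdf, CP Blocks and WP Time Slots entries above all describe stored XSS "even when the unfiltered_html capability is disallowed". The reason that capability does not help is that core's kses filtering is applied to post content, not to arbitrary options: a value written with update_option() is stored verbatim, so a plugin must sanitise on save and escape on output itself. The added PHP example below, which is not code from any of those plugins, shows a settings field saved through the Settings API with a sanitize_callback and then rendered with context-specific escaping; the `examplepl` prefix and the option, field and function names are assumptions.

```php
<?php
// Added example, not code from any plugin listed on this page. The
// "examplepl" prefix, option name and field names are assumptions.

// Sanitise on save. register_setting() routes every write of this option
// through here, whether it comes from options.php or update_option().
function examplepl_sanitize_settings( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();

    // Plain text (a "page name" or "License ID"): tags stripped, whitespace normalised.
    $clean['page_name'] = sanitize_text_field( $input['page_name'] ?? '' );

    // URL destined for an attribute: esc_url_raw() keeps a valid http(s) URL and
    // drops javascript: and data: schemes because they are not in the protocol list.
    $clean['link_url'] = esc_url_raw( $input['link_url'] ?? '', array( 'http', 'https' ) );

    // Where limited HTML is genuinely needed, allow-list it with kses instead of
    // trusting the saving user's role; <script> and on* attributes do not survive.
    $clean['blurb'] = wp_kses_post( $input['blurb'] ?? '' );

    return $clean;
}

add_action( 'admin_init', function () {
    register_setting( 'examplepl', 'examplepl_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'examplepl_sanitize_settings',
        'default'           => array( 'page_name' => '', 'link_url' => '', 'blurb' => '' ),
    ) );
} );

// Escape on output, for the context the value lands in. This is done even
// though the value was sanitised on save: rows written before the fix, or
// edited directly in the database, are still rendered through this path.
function examplepl_render_link() {
    $s = get_option( 'examplepl_settings', array() );
    return sprintf(
        '<a class="examplepl-link" href="%s" title="%s">%s</a>',
        esc_url( $s['link_url'] ?? '' ),     // URL in an href
        esc_attr( $s['page_name'] ?? '' ),   // text inside a quoted attribute
        esc_html( $s['page_name'] ?? '' )    // text as element content
    );
}

// The settings form itself: the current value goes back into value="" escaped.
function examplepl_render_page_name_field() {
    $s = get_option( 'examplepl_settings', array() );
    printf(
        '<input type="text" name="examplepl_settings[page_name]" value="%s" />',
        esc_attr( $s['page_name'] ?? '' )
    );
}
```

The Cybersoldier entry ("outputting it in an attribute") is the case the esc_url()/esc_attr() lines address: a value that is harmless as element text can still break out of a quoted attribute, and a URL attribute additionally needs its scheme checked, which esc_url() does and esc_attr() does not.
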
CVE-2022-0442 - UsersWP WordPress plugin
Severity: MEDIUM (CVSS 4.3). Date: 2022-03-07. Threat entry updated 2024-11-21.

The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged-in user to overwrite another user's avatar.

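An added example (not UsersWP's code) of an avatar-update handler that implements the two controls the entry above says are missing: an authorisation check on the target user and a server-generated, unique file name. It is written as a nonce-protected form handler for a logged-in user; the function, nonce and user-meta key names are assumptions.

```php
<?php
// Added example, not UsersWP's code. Function, nonce and meta-key names are assumptions.
require_once ABSPATH . 'wp-admin/includes/file.php'; // wp_handle_upload() outside wp-admin

function examplepl_update_avatar( $target_user_id ) {
    $target_user_id = absint( $target_user_id );
    $mimes          = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' );

    // 1. Authorisation: the account owner, or a user who may edit that account.
    //    Without this, any logged-in user can submit another user's ID.
    if ( get_current_user_id() !== $target_user_id && ! current_user_can( 'edit_user', $target_user_id ) ) {
        return new WP_Error( 'forbidden', 'You may not change this avatar', array( 'status' => 403 ) );
    }
    // CSRF: the form carries a nonce bound to the target user.
    check_admin_referer( 'examplepl_avatar_' . $target_user_id );

    if ( empty( $_FILES['avatar']['tmp_name'] ) || ! is_uploaded_file( $_FILES['avatar']['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No avatar uploaded', array( 'status' => 400 ) );
    }

    // 2. Content check, then a server-generated name. The client's file name is
    //    never used as the destination, so two users cannot both claim "avatar.jpg";
    //    wp_handle_upload() still runs wp_unique_filename() as the final guard.
    $check = wp_check_filetype_and_ext( $_FILES['avatar']['tmp_name'], $_FILES['avatar']['name'], $mimes );
    if ( empty( $check['ext'] ) ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG or GIF avatars are accepted', array( 'status' => 415 ) );
    }
    $file         = $_FILES['avatar'];
    $file['name'] = 'avatar-' . $target_user_id . '-' . wp_generate_password( 16, false ) . '.' . $check['ext'];

    $moved = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $mimes ) );
    if ( isset( $moved['error'] ) ) {
        return new WP_Error( 'upload_failed', $moved['error'], array( 'status' => 500 ) );
    }

    // Replace rather than accumulate: remove the previous file, but only if the
    // stored path is inside the uploads directory (it is not trusted blindly).
    $uploads = wp_upload_dir();
    $old     = get_user_meta( $target_user_id, 'examplepl_avatar_path', true );
    if ( $old && 0 === strpos( $old, trailingslashit( $uploads['basedir'] ) ) && file_exists( $old ) ) {
        wp_delete_file( $old );
    }
    update_user_meta( $target_user_id, 'examplepl_avatar_path', $moved['file'] );
    update_user_meta( $target_user_id, 'examplepl_avatar_url', $moved['url'] );

    return $moved['url'];
}
```

The two checks address different attackers: the edit_user capability check stops a logged-in user from targeting someone else's account by ID, and the random file name stops the same user from reaching another user's file through a name collision even if the first check were bypassed elsewhere.
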
CVE-2021-24821 - Cost Calculator WordPress plugin
Severity: MEDIUM (CVSS 5.4). Date: 2022-03-07. Threat entry updated 2024-11-21.

The Cost Calculator WordPress plugin before 1.6 allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the Description fields of a Cost Calculator > Price Settings entry (injected on the edit page as well as on any page that embeds the calculator via the shortcode), and via the Text Preview field of a Project (injected on the edit project page).

CVE-2021-24777 - Hotscot Contact Form WordPress plugin
Severity: HIGH (CVSS 7.2). Date: 2022-03-07. Threat entry updated 2024-11-21.

The view-submission functionality in the Hotscot Contact Form WordPress plugin before 1.3 makes a GET request with a sub_id parameter that is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

CVE-2022-0412 - TI WooCommerce Wishlist and TI WooCommerce Wishlist Pro WordPress plugins
Severity: CRITICAL (CVSS 9.8). Date: 2022-02-28. Threat entry updated 2024-11-21.

The TI WooCommerce Wishlist WordPress plugin before 1.40.1 and the TI WooCommerce Wishlist Pro WordPress plugin before 1.40.1 do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks.

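The Hotscot (CVE-2021-24777) and TI WooCommerce Wishlist (CVE-2022-0412) entries describe the same defect: a request parameter concatenated into a SQL statement. The added PHP example below, which is not code from either plugin, shows that pattern on a hypothetical wishlist-item table, then the prepared-statement fix, and the REST route registration that should front it (the entry above notes the original endpoint was reachable unauthenticated, which the permission_callback addresses separately from the injection). The `examplepl` prefix, table name, route and argument names are assumptions.

```php
<?php
// Added example, not code from Hotscot Contact Form or TI WooCommerce Wishlist.
// Prefix, table name, route and argument names are assumptions.

// VULNERABLE: item_id is interpolated into the statement. "1 OR 1=1" deletes
// every row; "1 AND SLEEP(5)" confirms blind injection without any output.
function examplepl_remove_item_vulnerable( $item_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'examplepl_wishlist_items';
    return $wpdb->query( "DELETE FROM {$table} WHERE id = {$item_id}" );
}

// FIXED: cast to the expected type, bind through $wpdb->prepare(), and scope the
// delete to the calling user so a valid ID cannot reach other users' rows.
// Identifiers cannot be bound, so the table name comes from $wpdb->prefix only.
function examplepl_remove_item_fixed( $item_id, $user_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'examplepl_wishlist_items';
    $sql   = $wpdb->prepare(
        "DELETE FROM {$table} WHERE id = %d AND user_id = %d",
        absint( $item_id ),
        absint( $user_id )
    );
    return $wpdb->query( $sql );
}

// REST route: the argument schema is validated before the callback runs, and
// permission_callback requires a logged-in user. Without permission_callback
// (or with '__return_true') the route is open to anyone.
add_action( 'rest_api_init', function () {
    register_rest_route( 'examplepl/v1', '/wishlist/remove_product', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'permission_callback' => function () {
            return is_user_logged_in();
        },
        'args'                => array(
            'item_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'minimum'           => 1,
                'sanitize_callback' => 'absint',
            ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            $deleted = examplepl_remove_item_fixed( $request['item_id'], get_current_user_id() );
            if ( ! $deleted ) {
                return new WP_Error( 'not_found', 'No such item for this user', array( 'status' => 404 ) );
            }
            return rest_ensure_response( array( 'removed' => (int) $deleted ) );
        },
    ) );
} );
```

The Hotscot case (a sub_id read from a GET parameter on an admin page) takes the same fix in examplepl_remove_item_fixed: absint() plus a %d placeholder, with the capability check done by the page handler rather than a REST permission_callback. Note that $wpdb->prepare() is the fix and the schema validation is defence in depth; validating `type: integer` alone would reject the payloads above, but the prepared statement is what holds if a later change widens the argument to a string.
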
CVE-2021-25081 - Maps Plugin using Google Maps for WordPress
Severity: MEDIUM (CVSS 6.5). Date: 2022-02-28. Threat entry updated 2024-11-21.

The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged-in admins delete arbitrary posts and update the plugin's settings via a CSRF attack.

CVE-2021-25011 - Maps Plugin using Google Maps for WordPress
Severity: MEDIUM (CVSS 5.7). Date: 2022-02-28. Threat entry updated 2024-11-21.

The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF checks in most of its AJAX actions, which could allow any authenticated user, such as a subscriber, to delete arbitrary posts and update the plugin's settings.

CVE-2022-0345 - Customize WordPress Emails and Alerts WordPress plugin
Severity: MEDIUM (CVSS 4.3). Date: 2022-02-28. Threat entry updated 2024-11-21.

The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF checks in its bnfw_search_users AJAX action, allowing any authenticated user to call it and enumerate user e-mail addresses prefix by prefix (finding the first character, then the second, then the third, and so on).

CVE-2021-24730 - Logo Showcase with Slick Slider WordPress plugin
Severity: MEDIUM (CVSS 4.3). Date: 2022-02-28. Threat entry updated 2024-11-21.

The Logo Showcase with Slick Slider WordPress plugin before 1.2.5 does not have CSRF and authorisation checks in the lswss_save_attachment_data AJAX action, allowing any authenticated user, such as a Subscriber, to change the title, description, alt text, and URL of arbitrary uploaded media.

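The Meks Easy Photo Feed (CVE-2021-24958), Maps Plugin (CVE-2021-25011), Customize WordPress Emails (CVE-2022-0345) and Logo Showcase (CVE-2021-24730) entries share one root cause: an admin-ajax action registered on the wp_ajax_ hook, which fires for any authenticated user, with neither a capability check nor a nonce. The added PHP example below (not code from any of those plugins) shows a settings-save action first without and then with both checks, plus the enqueue code that supplies the nonce to the browser; the `examplepl` prefix, the option name, the field list and the settings-page hook suffix are assumptions.

```php
<?php
// Added example, not code from any plugin listed on this page. The "examplepl"
// prefix, option name, field list and page hook suffix are assumptions.

// VULNERABLE: wp_ajax_ fires for ANY logged-in user, subscribers included.
// No nonce, so a page an admin visits can also drive the admin's browser here,
// and the values are stored unsanitised.
function examplepl_save_settings_vulnerable() {
    $settings = array(
        'account_id' => $_POST['account_id'] ?? '',
        'title'      => $_POST['title'] ?? '',
    );
    update_option( 'examplepl_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_examplepl_save_settings_vuln', 'examplepl_save_settings_vulnerable' );

// FIXED: nonce (CSRF) + capability (authorisation) + per-field sanitisation.
// Both checks are needed: a nonce alone still lets a subscriber call the action
// with a nonce issued to them; a capability check alone still lets a cross-site
// page ride an administrator's session.
function examplepl_save_settings_fixed() {
    check_ajax_referer( 'examplepl_save_settings', '_ajax_nonce' ); // dies on failure

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $settings = array(
        'account_id' => absint( $_POST['account_id'] ?? 0 ),
        'title'      => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
    );
    update_option( 'examplepl_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_examplepl_save_settings', 'examplepl_save_settings_fixed' );
// Deliberately no wp_ajax_nopriv_ registration: anonymous users have no business here.

// Settings page: issue the nonce and hand it, with the endpoint URL, to the JS
// that posts to admin-ajax.php. The JS sends action=examplepl_save_settings,
// _ajax_nonce=<nonce>, account_id and title.
function examplepl_enqueue_settings_js( $hook ) {
    if ( 'settings_page_examplepl' !== $hook ) {   // assumed page hook suffix
        return;
    }
    wp_enqueue_script( 'examplepl-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'examplepl-settings', 'examplepl', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'examplepl_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'examplepl_enqueue_settings_js' );
```

For actions that operate on a specific object rather than on plugin-wide settings, the capability check should be the object-level meta capability rather than a blanket one: current_user_can( 'delete_post', $post_id ) for the Maps Plugin case and current_user_can( 'edit_post', $attachment_id ) for the Logo Showcase media-metadata case. For the bnfw_search_users case, the relevant check is a user-listing capability such as list_users, since the action returns data about other accounts. The CSRF-only variant (CVE-2021-25081, where the actions were admin-only but unnonced) is fixed by the check_ajax_referer() line alone; the entries with subscriber-level access need both.
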
CVE-2022-0234 - WOOCS WordPress plugin
Severity: MEDIUM (CVSS 6.1). Date: 2022-02-21. Threat entry updated 2024-11-21.

The WOOCS WordPress plugin before 1.3.7.5 does not sanitise and escape the woocs_in_order_currency parameter of the woocs_get_products_price_html AJAX action (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting vulnerability.