Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 341-360 of 632 records
Threat Entry Updated 2024-11-21

CVE-2022-2891 - WP 2FA Plugin

The WP 2FA WordPress plugin before 2.3.0 uses comparison operators that do not mitigate time-based attacks, which could be abused to leak information about the authentication codes being compared.

MEDIUM CVSS 5.9 2022-10-10
Threat Entry Updated 2024-11-21

CVE-2022-3128 - Donation Thermometer Plugin

The Donation Thermometer WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 4.8 2022-10-03
Threat Entry Updated 2025-05-22

CVE-2022-3076 - CM Download Manager Plugin

The CM Download Manager WordPress plugin before 2.8.6 allows high privilege users such as admin to upload arbitrary files by setting any extension via the plugin's settings, which could be used by admins of a multisite blog to upload PHP files, for example.

HIGH CVSS 7.2 2022-09-26
Threat Entry Updated 2025-05-21

CVE-2022-2352 - Post SMTP Mailer/Email Log Plugin

The Post SMTP Mailer/Email Log WordPress plugin before 2.1.7 does not have proper authorisation in some AJAX actions, which could allow high privilege users such as admin to perform blind SSRF, on multisite installations for example.

HIGH CVSS 7.2 2022-09-26
Threat Entry Updated 2025-05-21

CVE-2022-1755 - SVG Support Plugin

The SVG Support WordPress plugin before 2.5 does not properly handle SVG added via a URL, which could allow users with a role as low as author to perform Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2022-09-26
Threat Entry Updated 2024-11-21

CVE-2022-3141 - Translate Multilingual sites Plugin

The Translate Multilingual sites WordPress plugin before 2.3.3 is vulnerable to an authenticated SQL injection. By adding a new language (via the settings page) containing specific special characters, the backticks in the SQL query can be bypassed and a time-based blind payload can be injected.

HIGH CVSS 8.8 2022-09-19
Threat Entry Updated 2024-11-21

CVE-2022-3036 - Gettext override translations Plugin

The Gettext override translations WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 4.8 2022-09-19
Threat Entry Updated 2024-11-21

CVE-2022-1591 - WordPress Ping Optimizer Plugin

The WordPress Ping Optimizer WordPress plugin before 2.35.1.3.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

MEDIUM CVSS 4.3 2022-09-19
Threat Entry Updated 2024-11-21

CVE-2022-2799 - Affiliates Manager Plugin

The Affiliates Manager WordPress plugin before 2.9.14 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2022-09-16
Threat Entry Updated 2024-11-21

CVE-2022-2798 - Affiliates Manager Plugin

The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as an affiliate to perform CSV injection attacks against an admin exporting the data.

HIGH CVSS 8.0 2022-09-16
Threat Entry Updated 2024-11-21

CVE-2022-2655 - Classified Listing Pro Plugin

The Classified Listing Pro WordPress plugin before 2.0.20 does not escape a generated URL before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting.

MEDIUM CVSS 6.1 2022-09-16
Threat Entry Updated 2025-06-05

CVE-2022-2654 - Classima Theme

The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store & Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting.

MEDIUM CVSS 6.1 2022-09-16
Threat Entry Updated 2024-11-21

CVE-2022-2737 - WP STAGING Plugin

The WP STAGING WordPress plugin before 2.9.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 4.8 2022-09-16
Threat Entry Updated 2024-11-21

CVE-2022-2351 - Post SMTP Mailer/Email Log Plugin

The Post SMTP Mailer/Email Log WordPress plugin before 2.1.4 does not escape some of its settings before outputting them in the admin dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2022-09-16
Threat Entry Updated 2024-11-21

CVE-2022-2543 - Visual Portfolio, Photo Gallery & Post Grid Plugin

The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.18.0 does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS into arbitrary saved layouts.

MEDIUM CVSS 6.1 2022-09-05
Threat Entry Updated 2024-11-21

CVE-2022-2597 - Visual Portfolio, Photo Gallery & Post Grid Plugin

The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.19.0 does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS into arbitrary saved layouts.

MEDIUM CVSS 5.4 2022-09-05
Threat Entry Updated 2024-11-21

CVE-2022-2267 - Mailchimp for WooCommerce Plugin

The Mailchimp for WooCommerce WordPress plugin before 2.7.1 has an AJAX action that allows any logged in user (such as a subscriber) to make the server perform a POST request to the internal network/LAN. The body of the response is also appended to the AJAX response, so the flaw could be used to scan the private network, for example.

MEDIUM CVSS 4.3 2022-08-29
Threat Entry Updated 2024-11-21

CVE-2022-2556 - Mailchimp for WooCommerce Plugin

The Mailchimp for WooCommerce WordPress plugin before 2.7.2 has an AJAX action that allows high privilege users to make the server perform a POST request to the internal network/LAN. The body of the response is also appended to the AJAX response, so the flaw could be used to scan the private network, for example.

LOW CVSS 2.7 2022-08-29
Threat Entry Updated 2024-11-21

CVE-2022-2558 - Simple Job Board Plugin

The Simple Job Board WordPress plugin before 2.10.0 is susceptible to Directory Listing, which allows the public listing of uploaded resumes in certain configurations.

MEDIUM CVSS 5.3 2022-08-22
Threat Entry Updated 2024-11-21

CVE-2022-2388 - WP Coder Plugin

The WP Coder WordPress plugin before 2.5.3 does not have a CSRF check in place when deleting code created by the plugin, which could allow attackers to make a logged in admin delete arbitrary code entries via a CSRF attack.

MEDIUM CVSS 6.5 2022-08-22