Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 381-400 of 632 records
CVE-2022-1576 - WP Maintenance Mode & Coming Soon WordPress plugin before 2.4.5

The WP Maintenance Mode & Coming Soon WordPress plugin before 2.4.5 lacks a CSRF check when emptying the subscribed-users list, which could allow attackers to make a logged-in admin perform that action via a CSRF attack.

CVE-2022-1576. MEDIUM, CVSS 6.5. Published 2022-07-11. Entry updated 2024-11-21.
CVE-2022-1951 - Kitestudio core plugin for WordPress before 2.3.1

The Kitestudio core plugin for WordPress before 2.3.1 does not sanitise and escape some parameters before outputting them in the response of an AJAX action, which is available to both unauthenticated and authenticated users when a premium theme from the vendor is active, leading to Reflected Cross-Site Scripting.

CVE-2022-1951. MEDIUM, CVSS 6.1. Published 2022-07-11. Entry updated 2024-11-21.
CVE-2022-1910 - Shortcodes and extra features for Phlox WordPress plugin before 2.9.8

The Shortcodes and extra features for Phlox WordPress plugin before 2.9.8 does not sanitise and escape a parameter before outputting it back in the response, leading to Reflected Cross-Site Scripting.

CVE-2022-1910. MEDIUM, CVSS 6.1. Published 2022-07-11. Entry updated 2024-11-21.
CVE-2022-1757 - pagebar WordPress plugin before 2.70

The pagebar WordPress plugin before 2.70 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Furthermore, because some of those settings are not sanitised, the same forged request can also plant a Stored XSS payload.

CVE-2022-1757. MEDIUM, CVSS 5.4. Published 2022-07-11. Entry updated 2024-11-21.
CVE-2022-1946 - Gallery WordPress plugin before 2.0.0

The Gallery WordPress plugin before 2.0.0 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to Reflected Cross-Site Scripting.

CVE-2022-1946. MEDIUM, CVSS 6.1. Published 2022-07-04. Entry updated 2024-11-21.
CVE-2022-0250 - Redirection for Contact Form 7 WordPress plugin before 2.5.0

The Redirection for Contact Form 7 WordPress plugin before 2.5.0 does not escape a generated link before outputting it in an HTML attribute, leading to Reflected Cross-Site Scripting.

CVE-2022-0250. MEDIUM, CVSS 6.1. Published 2022-07-04. Entry updated 2024-11-21.
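
The four reflected-XSS entries above (CVE-2022-1951, CVE-2022-1910, CVE-2022-1946, CVE-2022-0250) have one shape: an admin-ajax.php action, usually registered for unauthenticated callers as well, that prints a request parameter straight into an HTML response. The block below is an added illustration written for this page, not code from any of those plugins; the action name `example_preview`, the `title` and `link` parameters and the `example_` prefix are invented.

```php
<?php
// Added example for this page, not code from any plugin listed above.
// Action names, parameter names and the "example_" prefix are invented.

// VULNERABLE: reachable by anyone (wp_ajax_nopriv_*), the response is served
// as text/html, and the parameters are printed raw. A link such as
//   /wp-admin/admin-ajax.php?action=example_preview&title=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E
// runs script in the site's origin for whoever opens it.
function example_preview_vulnerable() {
    $title = isset( $_GET['title'] ) ? $_GET['title'] : '';
    $link  = isset( $_GET['link'] )  ? $_GET['link']  : '';
    echo '<h2>' . $title . '</h2>';
    echo '<a class="more" href="' . $link . '">' . $title . '</a>';
    wp_die(); // the conventional end of an admin-ajax.php handler
}
add_action( 'wp_ajax_nopriv_example_preview', 'example_preview_vulnerable' );
add_action( 'wp_ajax_example_preview',        'example_preview_vulnerable' );

// FIXED: escape at output time with the function that matches the context the
// value lands in. Sanitising on input is not a substitute: the same string is
// harmless as a text node, dangerous inside a quoted attribute, and dangerous
// again as an href (javascript: scheme), so each sink gets its own escaper.
function example_preview_fixed() {
    $title = isset( $_GET['title'] ) ? sanitize_text_field( wp_unslash( $_GET['title'] ) ) : '';
    $link  = isset( $_GET['link'] )  ? wp_unslash( $_GET['link'] ) : '';

    echo '<h2>' . esc_html( $title ) . '</h2>';                   // text node
    echo '<a class="more" href="' . esc_url( $link ) . '"'        // URL attribute: esc_url() rejects javascript:/data:
        . ' title="' . esc_attr( $title ) . '">'                  // plain attribute value
        . esc_html( $title ) . '</a>';                             // text node again
    wp_die();
}
add_action( 'wp_ajax_nopriv_example_preview_v2', 'example_preview_fixed' );
add_action( 'wp_ajax_example_preview_v2',        'example_preview_fixed' );

// Often the better fix: do not emit HTML from admin-ajax.php at all.
// wp_send_json_success() sets Content-Type: application/json, so a reflected
// payload is not rendered by the browser even if the JS consumer later
// inserts it carelessly (that would then be a separate DOM XSS to fix).
function example_preview_json() {
    $title = isset( $_GET['title'] ) ? sanitize_text_field( wp_unslash( $_GET['title'] ) ) : '';
    wp_send_json_success( array( 'title' => $title ) ); // also terminates the request
}
add_action( 'wp_ajax_nopriv_example_preview_json', 'example_preview_json' );
```

A quick audit pass for this class: every `wp_ajax_nopriv_` registration is reachable without a session, so follow each such handler to its `echo`/`printf` and confirm the escaper matches the context (`esc_html` for text, `esc_attr` for attributes, `esc_url` for `href`/`src`); a bare `$_GET`, `$_POST` or `$_REQUEST` reaching output is the finding.
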
CVE-2022-1301 - WP Contact Slider WordPress plugin before 2.4.7

The WP Contact Slider WordPress plugin before 2.4.7 does not sanitize and escape the Text to Display setting of sliders, which could allow high-privileged users such as editors and above to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2022-1301. MEDIUM, CVSS 4.8. Published 2022-07-04. Entry updated 2024-11-21.
CVE-2022-2041 - Brizy WordPress plugin before 2.4.2

The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element content, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.

CVE-2022-2041. MEDIUM, CVSS 5.4. Published 2022-06-27. Entry updated 2025-01-16.
CVE-2022-2040 - Brizy WordPress plugin before 2.4.2

The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element URLs, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.

CVE-2022-2040. MEDIUM, CVSS 5.4. Published 2022-06-27. Entry updated 2025-01-16.
CVE-2022-1776 - Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.1.8

The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.1.8 does not sanitize and escape some campaign parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.

CVE-2022-1776. MEDIUM, CVSS 5.4. Published 2022-06-27. Entry updated 2024-11-21.
CVE-2022-1653 - Social Share Buttons by Supsystic WordPress plugin before 2.2.4

The Social Share Buttons by Supsystic WordPress plugin before 2.2.4 does not perform CSRF checks in its AJAX endpoints and admin pages, allowing an attacker to trick any logged-in user into manipulating or changing the plugin settings, as well as creating, deleting and renaming projects and networks.

CVE-2022-1653. MEDIUM, CVSS 4.3. Published 2022-06-27. Entry updated 2024-11-21.
CVE-2022-1625 - New User Approve WordPress plugin before 2.4

The New User Approve WordPress plugin before 2.4 does not have a CSRF check in place when updating its settings and adding invitation codes, which could allow attackers to add invitation codes (bypassing the registration restrictions the plugin is meant to enforce) and to change plugin settings by tricking admin users into visiting specially crafted websites.

CVE-2022-1625. MEDIUM, CVSS 4.3. Published 2022-06-27. Entry updated 2024-11-21.
CVE-2022-1905 - Events Made Easy WordPress plugin before 2.2.81

The Events Made Easy WordPress plugin before 2.2.81 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to SQL injection.

CVE-2022-1905. CRITICAL, CVSS 9.8. Published 2022-06-20. Entry updated 2024-11-21.
CVE-2022-1915 - WP Zillow Review Slider WordPress plugin before 2.4

The WP Zillow Review Slider WordPress plugin before 2.4 does not escape a setting, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite).

CVE-2022-1915. MEDIUM, CVSS 4.8. Published 2022-06-20. Entry updated 2024-11-21.
CVE-2022-1614 - WP-EMail WordPress plugin before 2.69.0

The WP-EMail WordPress plugin before 2.69.0 prioritizes getting a visitor's IP address from certain client-supplied HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based anti-spam restrictions.

CVE-2022-1614. HIGH, CVSS 7.5. Published 2022-06-20. Entry updated 2024-11-21.
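
The header-precedence bug in CVE-2022-1614 is worth seeing next to the correct version, because the "fix" people reach for (trusting `X-Forwarded-For` only when it is present) is the same bug. The block below is an added illustration for this page, not WP-EMail's code; the function names and the `$trusted_proxies` list are invented.

```php
<?php
// Added example for this page, not code from the WP-EMail plugin.
// Function names and the trusted-proxy list are invented.

// VULNERABLE: any HTTP client can send Client-IP / X-Forwarded-For / X-Real-IP.
// Preferring them over REMOTE_ADDR lets a spammer present a fresh "IP" on
// every request, so a per-IP limit or blocklist never triggers, and lets
// them attribute their traffic to someone else's address in the logs.
function example_client_ip_vulnerable() {
    foreach ( array( 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP' ) as $h ) {
        if ( ! empty( $_SERVER[ $h ] ) ) {
            return trim( explode( ',', $_SERVER[ $h ] )[0] ); // left-most hop is attacker-chosen
        }
    }
    return $_SERVER['REMOTE_ADDR'];
}

// FIXED: REMOTE_ADDR is the only value the web server fills in from the TCP
// peer. Honour a forwarding header only when REMOTE_ADDR is a proxy you
// operate, and then walk the list from the RIGHT, skipping your own proxies;
// the first address that is not yours is the client. Everything to the left
// of it was written by untrusted parties.
function example_client_ip_fixed( ?array $server = null, array $trusted_proxies = array() ) {
    $server = $server ?? $_SERVER;                                  // injectable for tests
    $remote = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
    if ( ! filter_var( $remote, FILTER_VALIDATE_IP ) ) {
        return '';                                                  // nothing trustworthy at all
    }
    if ( empty( $trusted_proxies ) || ! in_array( $remote, $trusted_proxies, true ) ) {
        return $remote;                                             // direct connection: ignore headers
    }
    $xff  = isset( $server['HTTP_X_FORWARDED_FOR'] ) ? $server['HTTP_X_FORWARDED_FOR'] : '';
    $hops = array_reverse( array_map( 'trim', explode( ',', $xff ) ) );
    foreach ( $hops as $hop ) {
        if ( ! filter_var( $hop, FILTER_VALIDATE_IP ) ) {
            return $remote;                                         // malformed header: fall back to the peer
        }
        if ( ! in_array( $hop, $trusted_proxies, true ) ) {
            return $hop;                                            // first untrusted hop from the right
        }
    }
    return $remote;                                                 // every hop was one of ours
}

// Constructed inputs showing the difference. With no trusted proxy configured
// the header is ignored; behind a known proxy the right-most foreign hop wins.
function example_client_ip_demo() {
    $req = array(
        'REMOTE_ADDR'          => '10.0.0.5',                       // our reverse proxy
        'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.9, 10.0.0.5', // left part is client-supplied
    );
    return array(
        'no_proxy_configured' => example_client_ip_fixed( $req ),                        // "10.0.0.5"
        'behind_known_proxy'  => example_client_ip_fixed( $req, array( '10.0.0.5' ) ),   // "203.0.113.9"
        'vulnerable_would_pick' => '1.2.3.4',                                            // what the buggy version returns
    );
}
```

The rate-limit or blocklist should key on whatever this function returns and nothing else. If the site sits behind a CDN or load balancer, the correct place to rewrite `REMOTE_ADDR` is the web server or `wp-config.php`, once, with the provider's published proxy ranges, rather than in each plugin.
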
CVE-2022-1630 - WP-EMail WordPress plugin before 2.69.0

The WP-EMail WordPress plugin before 2.69.0 does not protect its log deletion functionality with nonce checks, allowing attackers to make a logged-in admin delete logs via a CSRF attack.

CVE-2022-1630. MEDIUM, CVSS 6.5. Published 2022-06-20. Entry updated 2024-11-21.
CVE-2022-1603 - Mail Subscribe List WordPress plugin before 2.1.4

The Mail Subscribe List WordPress plugin before 2.1.4 does not have a CSRF check in place when deleting subscribed users, which could allow attackers to make a logged-in admin perform that action and delete arbitrary users from the subscribed list.

CVE-2022-1603. MEDIUM, CVSS 4.3. Published 2022-06-20. Entry updated 2024-11-21.
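
Six of the entries above (CVE-2022-1576, CVE-2022-1757, CVE-2022-1653, CVE-2022-1625, CVE-2022-1630, CVE-2022-1603) are the same defect: a state-changing admin or AJAX action whose only "check" is the logged-in cookie the browser attaches automatically. The block below is an added illustration for this page, not code from any of those plugins; the hook names, option names, nonce action strings and the `example_` prefix are invented.

```php
<?php
// Added example for this page, not code from any plugin listed above.
// Hook names, option names, nonce actions and the "example_" prefix are invented.

// VULNERABLE: admin-post.php dispatches any logged-in POST with
// action=example_empty_list_vuln here. Nothing ties the request to a form the
// admin actually submitted, so a third-party page that auto-submits such a form
// performs the deletion with the admin's session cookie.
function example_empty_list_vulnerable() {
    delete_option( 'example_subscribers' );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}
add_action( 'admin_post_example_empty_list_vuln', 'example_empty_list_vulnerable' );

// FIXED: (1) a nonce bound to this action proves the request originated from a
// form WordPress rendered for this user; (2) a capability check proves the user
// may do this at all. Both are needed: a nonce alone still lets a subscriber
// who can load the form submit it; a capability check alone still allows CSRF.
function example_empty_list_fixed() {
    // Reads the _wpnonce field and dies with HTTP 403 if it is absent or invalid.
    check_admin_referer( 'example_empty_list' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }

    delete_option( 'example_subscribers' );
    wp_safe_redirect( admin_url( 'options-general.php?page=example&emptied=1' ) );
    exit;
}
add_action( 'admin_post_example_empty_list', 'example_empty_list_fixed' );

// The legitimate form. wp_nonce_field() emits the hidden _wpnonce input that
// check_admin_referer() verifies (plus a _wp_http_referer field).
function example_render_empty_list_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_empty_list">
        <?php wp_nonce_field( 'example_empty_list' ); ?>
        <?php submit_button( 'Empty subscriber list', 'delete' ); ?>
    </form>
    <?php
}

// Same rule for AJAX endpoints (the Supsystic settings and WP-EMail log-deletion
// cases): check_ajax_referer() plus a capability check. A state-changing handler
// should never be hooked on wp_ajax_nopriv_*, which admits unauthenticated callers.
function example_ajax_delete_logs() {
    check_ajax_referer( 'example_delete_logs', 'nonce' ); // nonce posted in the "nonce" field; dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_option( 'example_logs' );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_logs', 'example_ajax_delete_logs' );
```

Two caveats a reviewer should carry along. WordPress nonces are per-user, per-session, bound to the action string, and valid for up to 24 hours; they are an anti-CSRF token, not an authorization decision, which is why the capability check stays. And the browser's `SameSite=Lax` default only withholds cookies on cross-site POSTs; a state change triggered by a GET link (common in older admin screens) is still reachable from a top-level navigation, so such links need `wp_nonce_url()` and, ideally, conversion to POST.
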
CVE-2022-1772 - Google Places Reviews WordPress plugin before 2.0.0

The Google Places Reviews WordPress plugin before 2.0.0 does not properly escape its Google API key setting, which is reflected in the site's administration panel. In a multisite WordPress configuration, a malicious site administrator could store a payload in that setting and trick super-administrators into viewing it, taking over their account.

CVE-2022-1772. MEDIUM, CVSS 4.8. Published 2022-06-13. Entry updated 2024-11-21.
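
The stored-XSS entries above fall into two groups that need the same pair of fixes: contributor-level content that is rendered with its markup (CVE-2022-2041, CVE-2022-2040, CVE-2022-1776) and plugin settings that a high-privileged user can fill with script even where the `unfiltered_html` capability has been removed (CVE-2022-1301, CVE-2022-1915, CVE-2022-1772). The block below is an added illustration for this page, not code from any of those plugins; the option name `example_text`, the hook names and the `example_` prefix are invented.

```php
<?php
// Added example for this page, not code from any plugin listed above.
// The option name, hook names and the "example_" prefix are invented.

// VULNERABLE: the posted value is stored verbatim and printed verbatim, in the
// settings screen (attribute and HTML context) and on the front end. Role is
// not the point: on multisite, or with DISALLOW_UNFILTERED_HTML, even an
// administrator lacks the unfiltered_html capability and must not be able to
// store script. Printing the raw setting inside wp-admin lets a site admin
// plant a payload that runs in a super-admin's browser (the CVE-2022-1772 shape).
function example_save_setting_vulnerable() {
    check_admin_referer( 'example_save' );
    update_option( 'example_text', $_POST['text'] );
}
function example_render_setting_vulnerable() {
    $text = get_option( 'example_text' );
    echo '<input name="text" value="' . $text . '">';
    echo '<div class="slide">' . $text . '</div>';
}

// FIXED, input side: filter according to what *this* user may store. The test
// is the unfiltered_html capability, not the role, because that capability is
// exactly what multisite and DISALLOW_UNFILTERED_HTML take away.
function example_save_setting_fixed() {
    check_admin_referer( 'example_save' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( '', '', array( 'response' => 403 ) );
    }
    $raw = isset( $_POST['text'] ) ? wp_unslash( $_POST['text'] ) : '';
    // wp_kses_post() keeps the tag/attribute set allowed in post content and
    // removes <script>, on* event handlers and javascript: URLs.
    $text = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
    update_option( 'example_text', $text );
}
add_action( 'admin_post_example_save', 'example_save_setting_fixed' );

// FIXED, output side: escape for the context the value lands in.
function example_render_setting_fixed() {
    $text = get_option( 'example_text', '' );
    // Attribute context: esc_attr() is required even for kses-filtered text,
    // because kses permits quote characters.
    echo '<input name="text" value="' . esc_attr( $text ) . '">';
    // HTML context where markup is intended: re-run kses at output rather than
    // esc_html(), which would show the tags literally. Filtering again on output
    // also neutralises values written before the fix or by other code paths.
    echo '<div class="slide">' . wp_kses_post( $text ) . '</div>';
}

// Contributor-supplied element URL (the CVE-2022-2040 shape): a URL attribute
// needs esc_url(), which rejects javascript: and data: schemes; kses alone is
// not the right tool for a bare URL, and esc_attr() alone would keep the scheme.
function example_render_element_link( $url, $label ) {
    return '<a href="' . esc_url( $url ) . '">' . esc_html( $label ) . '</a>';
}

// A plain-text setting such as an API key (the CVE-2022-1772 shape) never needs
// markup: strip it on save, and still attribute-escape on output.
function example_save_api_key( $raw ) {
    return sanitize_text_field( wp_unslash( $raw ) );
}
```

The check to run on a plugin: for each option it saves, find where the value is printed back (the settings page is the usual omission) and confirm an escaper appears at that sink; "the only people who can set this are administrators" is not a defence on multisite.
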
CVE-2022-0786 - KiviCare WordPress plugin before 2.3.9

The KiviCare WordPress plugin before 2.3.9 does not sanitise and escape some parameters before using them in SQL statements via the ajax_post AJAX action with the get_doctor_details route, leading to SQL injection exploitable by unauthenticated users.

CVE-2022-0786. CRITICAL, CVSS 9.8. Published 2022-06-13. Entry updated 2024-11-21.
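
Both critical entries on this page (CVE-2022-1905 and CVE-2022-0786) are unauthenticated SQL injection through an AJAX action, which is why they score 9.8: no account is needed and the query runs as the site's database user. The block below is an added illustration for this page, not code from either plugin; the table `example_doctors`, its columns and the action names are invented (the name echoes the KiviCare route but not its schema).

```php
<?php
// Added example for this page, not code from either plugin listed above.
// Table name, columns and action names are invented.

// VULNERABLE: request data concatenated into SQL. Because the action is hooked
// on wp_ajax_nopriv_* anyone can reach it, and doctor_id can carry a UNION
// SELECT against the users table (column count matched to this table) or a
// time-based blind payload; both run under the site's MySQL credentials.
function example_get_details_vulnerable() {
    global $wpdb;
    $id   = $_POST['doctor_id'];
    $rows = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}example_doctors WHERE id = $id" );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_nopriv_example_get_details_vuln', 'example_get_details_vulnerable' );

// FIXED: every request-derived value is bound through $wpdb->prepare(), which
// quotes and escapes strings (%s) and casts numbers (%d, %f). Identifiers
// (table and column names) cannot be bound this way, so they come from code,
// never from the request. absint() on the id is defence in depth, not a
// replacement for prepare() where the value can legitimately be a string.
function example_get_details_fixed() {
    global $wpdb;
    $id = isset( $_POST['doctor_id'] ) ? absint( $_POST['doctor_id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'bad id', 400 );
    }
    $table = $wpdb->prefix . 'example_doctors';
    $rows  = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, display_name, specialty FROM {$table} WHERE id = %d AND is_public = 1",
            $id
        )
    );
    // Only columns meant to be public are selected: an unauthenticated route
    // should not return the row with SELECT * even once injection is fixed.
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_nopriv_example_get_details', 'example_get_details_fixed' );

// A LIKE search with a string parameter: escape the LIKE wildcards first, then
// bind with %s. prepare() alone already prevents injection; esc_like() stops
// the caller from widening the match with % or _.
function example_search_fixed( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( sanitize_text_field( $term ) ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, display_name FROM {$wpdb->prefix}example_doctors WHERE display_name LIKE %s LIMIT 20",
            $like
        )
    );
}

// ORDER BY column and direction are identifiers/keywords, so they cannot be
// bound: allow-list them and fall back to a fixed default.
function example_order_clause( $col, $dir ) {
    $cols = array( 'id', 'display_name', 'specialty' );
    $col  = in_array( $col, $cols, true ) ? $col : 'id';
    $dir  = ( 'DESC' === strtoupper( (string) $dir ) ) ? 'DESC' : 'ASC';
    return "ORDER BY {$col} {$dir}";
}
```

Two things to verify rather than assume when reviewing a fix of this kind: that the `prepare()` call actually wraps the query that is executed (a prepared string that is then concatenated again is a common regression), and that the `nopriv` registration is still justified once the query is safe, since an unauthenticated read of a practitioner directory may itself be more than the site intends to expose.
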
CVE-2022-0745 - Like Button Rating WordPress plugin before 2.6.45

The Like Button Rating WordPress plugin before 2.6.45 allows any logged-in user, such as a subscriber, to send arbitrary e-mails to any recipient, with any subject and body.

CVE-2022-0745. MEDIUM, CVSS 6.5. Published 2022-06-13. Entry updated 2024-11-21.
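
CVE-2022-0745 is an access-control bug rather than an injection: the endpoint does what it was built to do, but for any logged-in user and with every field under the caller's control, which turns the site into a mail relay with the site's own SPF/DKIM reputation. The block below is an added illustration for this page, not the Like Button Rating plugin's code; the notification scenario, the action names and the transient key are invented.

```php
<?php
// Added example for this page, not code from the Like Button Rating plugin.
// The scenario (notify a post's author of a rating), action names and the
// transient key are invented.

// VULNERABLE: recipient, subject and body all come from the request and the
// only gate is "has a session" (wp_ajax_* without nopriv). A subscriber
// account, which many sites hand out on self-registration, can phish anyone
// from the site's domain.
function example_notify_vulnerable() {
    wp_mail( $_POST['to'], $_POST['subject'], $_POST['body'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_notify_vuln', 'example_notify_vulnerable' );

// FIXED: the request carries only an identifier; recipient, subject and body
// are derived server-side from that identifier, so there is nothing for the
// caller to choose. Nonce, login and object checks stay in place.
function example_notify_fixed() {
    check_ajax_referer( 'example_notify', 'nonce' );
    if ( ! is_user_logged_in() ) {                 // redundant for wp_ajax_*, kept as belt and braces
        wp_send_json_error( 'forbidden', 403 );
    }
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = get_post( $post_id );
    if ( ! $post || 'publish' !== $post->post_status ) {
        wp_send_json_error( 'not found', 404 );    // no mail about content the caller cannot see
    }

    // Recipient is the post author, never a request value.
    $to = get_the_author_meta( 'user_email', $post->post_author );
    if ( ! is_email( $to ) ) {
        wp_send_json_error( 'no recipient', 400 );
    }

    // Fixed subject and a plain-text body; the only caller-influenced text is
    // their own display name, and no HTML content-type header is set.
    $user    = wp_get_current_user();
    $subject = sprintf( '[%s] Your post "%s" received a rating', get_bloginfo( 'name' ), $post->post_title );
    $body    = sprintf( "%s rated your post: %s\n", $user->display_name, get_permalink( $post ) );

    // Per-user, per-post throttle so even legitimate use cannot be looped into
    // a mail flood against the author.
    $key = 'example_notify_' . get_current_user_id() . '_' . $post_id;
    if ( get_transient( $key ) ) {
        wp_send_json_error( 'already sent', 429 );
    }
    set_transient( $key, 1, HOUR_IN_SECONDS );

    wp_mail( $to, $subject, $body );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_notify', 'example_notify_fixed' );
```

When triaging a report like this, the question to ask of every `wp_mail()` call in a plugin is which of its three arguments can be traced back to `$_POST`/`$_GET`; a caller-chosen recipient is the relay, a caller-chosen subject or body is the phishing content, and either one alone is already a finding.
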