Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-11-21
CVE-2022-1695 - Before 2 Plugin
The WP Simple Adsense Insertion WordPress plugin before 2.1 does not perform CSRF checks on updates to its admin page, allowing an attacker to trick a logged in user to manipulate ads and inject arbitrary javascript via submitting a form.
PLUGIN
Before 2
CVE-2022-1695
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0779 - Before 2 Plugin
The User Meta WordPress plugin before 2.4.4 does not validate the filepath parameter of its um_show_uploaded_file AJAX action, which could allow low privileged users such as subscriber to enumerate the local files on the web server via path traversal payloads
PLUGIN
Before 2
CVE-2022-0779
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1577 - Before 2 Plugin
The Database Backup for WordPress plugin before 2.5.2 does not have CSRF check in place when updating the schedule backup settings, which could allow an attacker to make a logged in admin change them via a CSRF attack. This could lead to cases where attackers can send backup notification emails to themselves, which contain more details. Or disable the automatic backup schedule
PLUGIN
Before 2
CVE-2022-1577
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1527 - Before 2 Plugin
The WP 2FA WordPress plugin before 2.2.1 does not sanitise and escape a parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting
PLUGIN
Before 2
CVE-2022-1527
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0376 - Before 2 Plugin
The User Meta WordPress plugin before 2.4.3 does not sanitise and escape the Form Name, as well as Shared Field Labels before outputting them in the admin dashboard when editing a form, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
PLUGIN
Before 2
CVE-2022-0376
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1298 - Before 2 Plugin
The Tabs WordPress plugin before 2.2.8 does not sanitise and escape Tab descriptions, which could allow high privileged users with a role as low as editor to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
PLUGIN
Before 2
CVE-2022-1298
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0781 - Before 2 Plugin
The Nirweb support WordPress plugin before 2.8.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action (available to unauthenticated users), leading to an SQL injection
PLUGIN
Before 2
CVE-2022-0781
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0346 - Before 2 Plugin
The XML Sitemap Generator for Google WordPress plugin before 2.0.4 does not validate a parameter which can be set to an arbitrary value, thus causing XSS via error message or RCE if allow_url_include is turned on.
PLUGIN
Before 2
CVE-2022-0346
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1465 - Before 2 Plugin
The WPC Smart Wishlist for WooCommerce WordPress plugin before 2.9.9 does not sanitise and escape a parameter before outputting it back in an attribute via an AJAX action, leading to a Reflected Cross-Site Scripting issue.
PLUGIN
Before 2
CVE-2022-1465
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1303 - Before 2 Plugin
The Slide Anything WordPress plugin before 2.3.44 does not sanitize and escape sliders' description, which could allow high privilege users such as editor and above to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
PLUGIN
Before 2
CVE-2022-1303
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1273 - Before 2 Plugin
The Import WP WordPress plugin before 2.4.6 does not validate the imported file in some cases, allowing high privilege users such as admin to upload arbitrary files (such as PHP), leading to RCE
PLUGIN
Before 2
CVE-2022-1273
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0783 - Before 2 Plugin
The Multiple Shipping Address Woocommerce WordPress plugin before 2.0 does not properly sanitise and escape numerous parameters before using them in SQL statements via some AJAX actions available to unauthenticated users, leading to unauthenticated SQL injections
PLUGIN
Before 2
CVE-2022-0783
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0876 - Before 2 Plugin
The Social comments by WpDevArt WordPress plugin before 2.5.0 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when unfiltered_html is disallowed
PLUGIN
Before 2
CVE-2022-0876
Risk Score
Threat Entry
Updated 2025-10-17
CVE-2022-1092 - Before 2 Plugin
The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog
PLUGIN
Before 2
CVE-2022-1092
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0541 - Before 2 Plugin
The flo-launch WordPress plugin before 2.4.1 injects code into wp-config.php when creating a cloned site, allowing any attacker to initiate a new site install by setting the flo_custom_table_prefix cookie to an arbitrary value.
PLUGIN
Before 2
CVE-2022-0541
Risk Score
Threat Entry
Updated 2025-10-17
CVE-2022-0363 - Before 2 Plugin
The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts.
PLUGIN
Before 2
CVE-2022-0363
Risk Score
Threat Entry
Updated 2025-10-17
CVE-2022-0287 - Before 2 Plugin
The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as subscriber to call and retrieve all email addresses from the blog
PLUGIN
Before 2
CVE-2022-0287
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0765 - Before 2 Plugin
The Loco Translate WordPress plugin before 2.6.1 does not properly remove inline events from elements in the source translation strings before outputting them in the editor in the plugin admin panel, allowing any user with access to the plugin (Translator and Administrator by default) to add arbitrary javascript payloads to the source strings leading to a stored cross-site scripting (XSS) vulnerability.
PLUGIN
Before 2
CVE-2022-0765
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1054 - Before 2 Plugin
The RSVP and Event Management Plugin WordPress plugin before 2.7.8 does not have any authorisation checks when exporting its entries, and has the export function hooked to the init action. As a result, unauthenticated attackers could call it and retrieve PII such as first name, last name and email address of user registered for events
PLUGIN
Before 2
CVE-2022-1054
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2022-0706 - Before 2 Plugin
The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltered_html capability is disallowed
PLUGIN
Before 2
CVE-2022-0706
Risk Score