Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-02-07
CVE-2022-0707 - Before 2 Plugin
The Easy Digital Downloads WordPress plugin before 2.11.6 does not have CSRF check in place when inserting payment notes, which could allow attackers to make a logged admin insert arbitrary notes via a CSRF attack
PLUGIN
Before 2
CVE-2022-0707
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0447 - Before 2 Plugin
The Post Grid WordPress plugin before 2.1.16 does not sanitise and escape the post_types parameter before outputting it back in the response of the post_grid_update_taxonomies_terms_by_posttypes AJAX action, available to any authenticated users, leading to a Reflected Cross-Site Scripting
PLUGIN
Before 2
CVE-2022-0447
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-25090 - Before 2 Plugin
The Portfolio Gallery, Product Catalog WordPress plugin before 2.1.0 does not have authorisation and CSRF checks in various functions related to AJAX actions, allowing any authenticated users, such as subscriber, to call them. Due to the lack of sanitisation and escaping, it could also allows attackers to perform Cross-Site Scripting attacks on pages where a Portfolio is embed
PLUGIN
Before 2
CVE-2021-25090
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0728 - Before 2 Plugin
The Easy Smooth Scroll Links WordPress plugin before 2.23.1 does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
PLUGIN
Before 2
CVE-2022-0728
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-24986 - Before 2 Plugin
The Post Grid WordPress plugin before 2.1.16 does not escape the keyword parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in pages containing a Post Grid with a search form
PLUGIN
Before 2
CVE-2021-24986
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-1167 - Before 2 Theme
There are unauthenticated reflected Cross-Site Scripting (XSS) vulnerabilities in CareerUp Careerup WordPress theme before 2.3.1, via the filter parameters.
THEME
Before 2
CVE-2022-1167
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0958 - Before 2 Plugin
The Mark Posts WordPress plugin before 2.0.1 does not escape new markers, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
PLUGIN
Before 2
CVE-2022-0958
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0537 - Before 2 Plugin
The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the "ajax_save" function. The file is written relative to the current 's stylesheet directory, and a .php file extension is added. No validation is performed on the content of the file, triggering an RCE vulnerability by uploading a web shell. Further the name parameter is not sanitized, allowing the payload to be uploaded to any directory to which the server has write…
PLUGIN
Before 2
CVE-2022-0537
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0846 - Before 2 Plugin
The SpeakOut! Email Petitions WordPress plugin before 2.14.15.1 does not sanitise and escape the id parameter before using it in a SQL statement via the dk_speakout_sendmail AJAX action, leading to an SQL Injection exploitable by unauthenticated users
PLUGIN
Before 2
CVE-2022-0846
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0770 - Before 2 Plugin
The Translate WordPress with GTranslate WordPress plugin before 2.9.9 does not have CSRF check in some files, and write debug data such as user's cookies in a publicly accessible file if a specific parameter is used when requesting them. Combining those two issues, an attacker could gain access to a logged in admin cookies by making them open a malicious link or page
PLUGIN
Before 2
CVE-2022-0770
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0600 - Before 2 Plugin
The Conference Scheduler WordPress plugin before 2.4.3 does not sanitize and escape the tab parameter before outputting back in an admin page, leading to a Reflected Cross-Site Scripting.
PLUGIN
Before 2
CVE-2022-0600
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0397 - Before 2 Plugin
The WPC Smart Wishlist for WooCommerce WordPress plugin before 2.9.4 does not sanitise and escape the key parameter before outputting it back in the wishlist_quickview AJAX action's response (available to any authenticated user), leading to a Reflected Cross-Site Scripting
PLUGIN
Before 2
CVE-2022-0397
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0493 - Before 2 Plugin
The String locator WordPress plugin before 2.5.0 does not properly validate the path of the files to be searched, allowing high privilege users such as admin to query arbitrary files on the web server via a path traversal vector. Furthermore, due to a flaw in the search, allowing a pattern to be provided, which will be used to output the relevant matches from the matching file, all content of the file can be disclosed.
PLUGIN
Before 2
CVE-2022-0493
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0388 - Before 2 Plugin
The Interactive Medical Drawing of Human Body WordPress plugin before 2.6 does not sanitise and escape the Link field, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
PLUGIN
Before 2
CVE-2022-0388
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0658 - Before 2 Plugin
The CommonsBooking WordPress plugin before 2.6.8 does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection
PLUGIN
Before 2
CVE-2022-0658
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0601 - Before 2 Plugin
The Countdown, Coming Soon, Maintenance WordPress plugin before 2.2.9 does not sanitize and escape the post parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
PLUGIN
Before 2
CVE-2022-0601
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0503 - Before 2 Plugin
The WordPress Multisite Content Copier/Updater WordPress plugin before 2.1.2 does not sanitise and escape the s parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue in the network dashboard
PLUGIN
Before 2
CVE-2022-0503
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0674 - Before 2 Plugin
The Kunze Law WordPress plugin before 2.1 does not escape its 'E-Mail Error "From" Address' settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
PLUGIN
Before 2
CVE-2022-0674
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0659 - Before 2 Plugin
The Sync QCloud COS WordPress plugin before 2.0.1 does not escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
PLUGIN
Before 2
CVE-2022-0659
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2022-0147 - Before 2 Plugin
The Cookie Information | Free GDPR Consent Solution WordPress plugin before 2.0.8 does not escape user data before outputting it back in attributes in the admin dashboard, leading to a Reflected Cross-Site Scripting issue
PLUGIN
Before 2
CVE-2022-0147
Risk Score