
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-21

CVE-2022-0441 - Before 2 Plugin

The MasterStudy LMS WordPress plugin before 2.7.6 does not validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin

PLUGIN Before 2

CVE-2022-0441

CRITICAL CVSS 9.8 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2022-0434 - Before 2 Plugin

The Page View Count WordPress plugin before 2.4.15 does not sanitise and escape the post_ids parameter before using it in a SQL statement via a REST endpoint, available to both unauthenticated and authenticated users. As a result, unauthenticated attackers could perform SQL injection attacks

PLUGIN Before 2

CVE-2022-0434

CRITICAL CVSS 9.8 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2022-0349 - Before 2 Plugin

The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection

PLUGIN Before 2

CVE-2022-0349

CRITICAL CVSS 9.8 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2022-0440 - Before 2 Plugin

The Catch Themes Demo Import WordPress plugin before 2.1.1 does not validate one of the files to be imported, which could allow a high privilege admin to upload an arbitrary PHP file and gain RCE even in the case of a hardened blog (i.e. the DISALLOW_UNFILTERED_HTML, DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants set to true)

PLUGIN Before 2

CVE-2022-0440

HIGH CVSS 7.2 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2022-0445 - Before 2 Plugin

The WordPress Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent WordPress plugin before 2.14.2 does not have CSRF checks in place when resetting its settings, allowing attackers to make a logged-in admin reset them via a CSRF attack

PLUGIN Before 2

CVE-2022-0445

MEDIUM CVSS 6.5 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2022-0422 - Before 2 Plugin

The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue

PLUGIN Before 2

CVE-2022-0422

MEDIUM CVSS 6.1 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2022-0163 - Before 2 Plugin

The Smart Forms WordPress plugin before 2.6.71 does not have authorisation in its rednao_smart_forms_entries_list AJAX action, allowing any authenticated user, such as a subscriber, to download arbitrary forms' data, which could include sensitive information such as PII depending on the form.

PLUGIN Before 2

CVE-2022-0163

MEDIUM CVSS 6.5 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2021-25039 - Before 2 Plugin

The WordPress Multisite Content Copier/Updater WordPress plugin before 2.1.0 does not sanitise and escape the wmcc_content_type, wmcc_source_blog and wmcc_record_per_page parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

PLUGIN Before 2

CVE-2021-25039

MEDIUM CVSS 6.1 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2021-25038 - Before 2 Plugin

The WordPress Multisite User Sync/Unsync WordPress plugin before 2.1.2 does not sanitise and escape the wmus_source_blog and wmus_record_per_page parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues

PLUGIN Before 2

CVE-2021-25038

MEDIUM CVSS 6.1 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2022-0411 - Before 2 Plugin

The Asgaros Forum WordPress plugin before 2.0.0 does not sanitise and escape the post_id parameter before using it in a SQL statement via a REST route of the plugin (accessible to any authenticated user), leading to a SQL injection

PLUGIN Before 2

CVE-2022-0411

HIGH CVSS 8.8 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-24920 - Before 2 Plugin

The StatCounter WordPress plugin before 2.0.7 does not sanitise and escape the Project ID and Secure Code settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

PLUGIN Before 2

CVE-2021-24920

MEDIUM CVSS 4.8 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-4222 - Before 2 Plugin

The WP-Paginate WordPress plugin before 2.1.4 does not sanitise and escape its preset settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

PLUGIN Before 2

CVE-2021-4222

MEDIUM CVSS 4.8 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-24913 - Before 2 Plugin

The Logo Showcase with Slick Slider WordPress plugin before 2.0.1 does not have a CSRF check in the lswss_save_attachment_data AJAX action, allowing attackers to make a logged-in high privilege user change the title, description, alt text, and URL of arbitrary uploaded media.

PLUGIN Before 2

CVE-2021-24913

MEDIUM CVSS 4.3 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2022-0255 - Before 2 Plugin

The Database Backup for WordPress plugin before 2.5.1 does not properly sanitise and escape the fragment parameter before using it in a SQL statement in the admin dashboard, leading to a SQL injection issue

PLUGIN Before 2

CVE-2022-0255

HIGH CVSS 7.2 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2022-0288 - Before 2 Plugin

The Ad Inserter and Ad Inserter Pro WordPress plugins before 2.7.10 do not sanitise and escape the html_element_selection parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting

PLUGIN Before 2

CVE-2022-0288

MEDIUM CVSS 6.1 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2022-0252 - Before 2 Plugin

The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute in the Import admin dashboard, leading to a Reflected Cross-Site Scripting

PLUGIN Before 2

CVE-2022-0252

MEDIUM CVSS 6.1 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2021-25100 - Before 2 Plugin

The GiveWP WordPress plugin before 2.17.3 does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting

PLUGIN Before 2

CVE-2021-25100

MEDIUM CVSS 6.1 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2021-25099 - Before 2 Plugin

The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting

PLUGIN Before 2

CVE-2021-25099

MEDIUM CVSS 6.1 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2021-25060 - Before 2 Plugin

The Five Star Business Profile and Schema WordPress plugin before 2.1.7 does not have any authorisation or CSRF checks in its bpfwp_welcome_add_contact_page and bpfwp_welcome_set_contact_information AJAX actions, allowing any authenticated user, such as a subscriber, to call them. Furthermore, due to the lack of sanitisation, this also leads to Stored Cross-Site Scripting issues

PLUGIN Before 2

CVE-2021-25060

MEDIUM CVSS 5.4 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2022-0208 - Before 2 Plugin

The MapPress Maps for WordPress plugin before 2.73.4 does not sanitise and escape the mapid parameter before outputting it back in the "Bad mapid" error message, leading to a Reflected Cross-Site Scripting

PLUGIN Before 2

CVE-2022-0208

MEDIUM CVSS 6.1 2022-02-14