Live Vulnerability Intelligence

Threat Database

Threat Entry Updated 2024-11-21

CVE-2022-1020 - Before 3 Plugin

The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), and does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either zero or one user-controlled argument.

PLUGIN Before 3

CVE-2022-1020

CRITICAL CVSS 9.8 2022-04-18
Threat Entry Updated 2024-11-21

CVE-2022-0780 - Before 3 Plugin

The SearchIQ WordPress plugin before 3.9 contains a flag to disable the verification of CSRF nonces, granting unauthenticated attackers access to the siq_ajax AJAX action and allowing them to perform Cross-Site Scripting attacks due to the lack of sanitisation and escaping in the customCss parameter

PLUGIN Before 3

CVE-2022-0780

MEDIUM CVSS 6.1 2022-04-18
Threat Entry Updated 2024-11-21

CVE-2022-0994 - Before 3 Plugin

The Hummingbird WordPress plugin before 3.3.2 does not sanitise and escape the Config Name, which could allow high privilege users, such as admin, to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 3

CVE-2022-0994

MEDIUM CVSS 4.8 2022-04-18
Threat Entry Updated 2024-11-21

CVE-2022-0142 - Before 3 Plugin

The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.

PLUGIN Before 3

CVE-2022-0142

CRITICAL CVSS 9.8 2022-04-12
Threat Entry Updated 2024-11-21

CVE-2022-0141 - Before 3 Plugin

The Visual Form Builder WordPress plugin before 3.0.8 does not enforce nonce checks, which could allow attackers to make a logged-in admin or editor delete and restore arbitrary form entries via CSRF attacks.

PLUGIN Before 3

CVE-2022-0141

HIGH CVSS 8.1 2022-04-12
Threat Entry Updated 2024-11-21

CVE-2022-0140 - Before 3 Plugin

The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on form entry export, allowing unauthenticated users to view the form entries or export them as a CSV file using the vfb-export endpoint.

PLUGIN Before 3

CVE-2022-0140

MEDIUM CVSS 5.3 2022-04-12
Threat Entry Updated 2024-11-21

CVE-2022-1008 - Before 3 Plugin

The One Click Demo Import WordPress plugin before 3.1.0 does not validate the imported file, allowing high privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed.

PLUGIN Before 3

CVE-2022-1008

HIGH CVSS 7.2 2022-04-11
Threat Entry Updated 2025-03-21

CVE-2022-0828 - Before 3 Plugin

The Download Manager WordPress plugin before 3.2.34 uses the uniqid PHP function to generate the master key for a download, allowing an attacker to brute force the key with reasonable resources, giving direct download access regardless of role-based restrictions or password protection set for the download.

PLUGIN Before 3

CVE-2022-0828

HIGH CVSS 7.5 2022-04-11
Threat Entry Updated 2024-11-21

CVE-2022-0314 - Before 3 Plugin

The Nimble Page Builder WordPress plugin before 3.2.2 does not sanitise and escape the preview-level-guid parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Before 3

CVE-2022-0314

MEDIUM CVSS 6.1 2022-04-11
Threat Entry Updated 2024-11-21

CVE-2022-0969 - Before 3 Plugin

The Image optimization & Lazy Load by Optimole WordPress plugin before 3.3.2 does not sanitise and escape its "Lazyload background images for selectors" settings, which could allow high privilege users such as admin to perform Cross-Site scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 3

CVE-2022-0969

MEDIUM CVSS 4.8 2022-04-11
Threat Entry Updated 2024-11-21

CVE-2022-0840 - Before 3 Plugin

The Easy Social Icons WordPress plugin before 3.2.1 does not properly escape the image_file field when adding a new social icon, allowing high privileged users to inject arbitrary JavaScript even when the unfiltered_html capability is disallowed.

PLUGIN Before 3

CVE-2022-0840

MEDIUM CVSS 4.8 2022-04-11
Threat Entry Updated 2024-11-21

CVE-2022-1165 - Before 3 Plugin

The Blackhole for Bad Bots WordPress plugin before 3.3.2 uses headers such as CF-CONNECTING-IP, CLIENT-IP etc. to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate search engine crawlers/bots. This could also be abused by competitors to cause damage related to visibility in search engines, used to bypass arbitrary blocks caused by this plugin, or used to block any visitor or even the administrator, among other impacts.

PLUGIN Before 3

CVE-2022-1165

CRITICAL CVSS 9.1 2022-04-04
Threat Entry Updated 2024-11-21

CVE-2022-0887 - Before 3 Plugin

The Easy Social Icons WordPress plugin before 3.1.4 does not sanitize the selected_icons attribute to the cnss_widget before using it in an SQL statement, leading to a SQL injection vulnerability.

PLUGIN Before 3

CVE-2022-0887

HIGH CVSS 7.2 2022-04-04
Threat Entry Updated 2024-11-21

CVE-2022-0884 - Before 3 Plugin

The Profile Builder WordPress plugin before 3.6.8 does not sanitise and escape Form Fields titles and descriptions, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Before 3

CVE-2022-0884

MEDIUM CVSS 4.8 2022-04-04
Threat Entry Updated 2024-11-21

CVE-2022-0641 - Before 3 Plugin

The Popup Like box WordPress plugin before 3.6.1 does not sanitize and escape the ays_fb_tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

PLUGIN Before 3

CVE-2022-0641

MEDIUM CVSS 6.1 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2022-0833 - Before 3 Plugin

The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF checks in some of its actions as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to disclose the final backup filename, which can then be fetched by the attacker to download the backup of the plugin's DB data.

PLUGIN Before 3

CVE-2022-0833

MEDIUM CVSS 4.3 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2021-24746 - Before 3 Plugin

The Social Sharing Plugin WordPress plugin before 3.3.40 does not escape the viewed post URL before outputting it back in onclick attributes when the "Enable 'More' icon" option is enabled (which is the default setting), leading to a Reflected Cross-Site Scripting issue.

PLUGIN Before 3

CVE-2021-24746

MEDIUM CVSS 6.1 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2022-0450 - Before 3 Plugin

The Menu Image, Icons made easy WordPress plugin before 3.0.6 does not have authorisation and CSRF checks when saving menu settings, and does not validate, sanitise and escape them. As a result, any authenticated user, such as a subscriber, can update the settings of arbitrary menus and put Cross-Site Scripting payloads in them, which will be triggered in the related menu on the frontend.

PLUGIN Before 3

CVE-2022-0450

MEDIUM CVSS 5.4 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2022-0628 - Before 3 Plugin

The Mega Menu WordPress plugin before 3.0.8 does not sanitize and escape the _wpnonce parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

PLUGIN Before 3

CVE-2022-0628

MEDIUM CVSS 6.1 2022-03-21
Threat Entry Updated 2024-11-21

CVE-2022-0591 - Before 3 Plugin

The FormCraft WordPress plugin before 3.8.28 does not validate the URL parameter in the formcraft3_get AJAX action, leading to SSRF issues exploitable by unauthenticated users.

PLUGIN Before 3

CVE-2022-0591

CRITICAL CVSS 9.1 2022-03-21