Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 276 (Critical: 15, High: 50, Medium: 205)
Showing 201-220 of 276 records
Threat Entry Updated 2024-11-21

CVE-2022-1170 - Before 4 Theme

In the Noo JobMonster WordPress theme before 4.5.2.9 there is an XSS vulnerability, as the input for the search form is provided through unsanitized GET requests.

THEME Before 4 | CVE-2022-1170 | MEDIUM CVSS 6.1 | 2022-04-04
Threat Entry Updated 2024-11-21

CVE-2022-0431 - Before 4 Plugin

The Insights from Google PageSpeed WordPress plugin before 4.0.4 does not sanitise and escape various parameters before outputting them back in attributes in the plugin's settings dashboard, leading to Reflected Cross-Site Scripting.

PLUGIN Before 4 | CVE-2022-0431 | MEDIUM CVSS 6.1 | 2022-04-04
Threat Entry Updated 2024-11-21

CVE-2022-0818 - Before 4 Plugin

The WooCommerce Affiliate Plugin WordPress plugin before 4.16.4.5 does not have authorization and CSRF checks on a specific action handler and does not sanitize its settings, which enables an unauthenticated attacker to inject malicious XSS payloads into the settings page of the plugin.

PLUGIN Before 4 | CVE-2022-0818 | MEDIUM CVSS 6.1 | 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2022-0479 - Before 4 Plugin

The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform a Reflected Cross-Site Scripting attack against a logged-in admin opening a malicious link.

PLUGIN Before 4 | CVE-2022-0479 | CRITICAL CVSS 9.8 | 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2022-0747 - Before 4 Plugin

The Infographic Maker WordPress plugin before 4.3.8 does not validate and escape the post_id parameter before using it in a SQL statement via the qcld_upvote_action AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL Injection.

PLUGIN Before 4 | CVE-2022-0747 | CRITICAL CVSS 9.8 | 2022-03-21
Threat Entry Updated 2024-11-21

CVE-2022-0681 - Before 4 Plugin

The Simple Membership WordPress plugin before 4.1.0 does not have a CSRF check in place when deleting Transactions, which could allow attackers to make a logged-in admin delete arbitrary transactions via a CSRF attack.

PLUGIN Before 4 | CVE-2022-0681 | MEDIUM CVSS 6.5 | 2022-03-21
Threat Entry Updated 2024-11-21

CVE-2022-0449 - Before 4 Plugin

The Flexi WordPress plugin before 4.20 does not sanitise and escape various parameters before outputting them back in some pages such as the user dashboard, leading to Reflected Cross-Site Scripting.

PLUGIN Before 4 | CVE-2022-0449 | MEDIUM CVSS 6.1 | 2022-03-14
Threat Entry Updated 2025-03-12

CVE-2021-24952 - Before 4 Plugin

The Conversios.io WordPress plugin before 4.6.2 does not sanitise, validate and escape the sync_progressive_data parameter for the tvcajax_product_sync_bantch_wise AJAX action before using it in a SQL statement, allowing any authenticated user to perform SQL injection attacks.

PLUGIN Before 4 | CVE-2021-24952 | HIGH CVSS 8.8 | 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2021-24961 - Before 4 Plugin

The WordPress File Upload WordPress plugin before 4.16.3 and the wordpress-file-upload-pro WordPress plugin before 4.16.3 do not escape some of their shortcode arguments, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

PLUGIN Before 4 | CVE-2021-24961 | MEDIUM CVSS 5.4 | 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2021-24960 - Before 4 Plugin

The WordPress File Upload WordPress plugin before 4.16.3 and the wordpress-file-upload-pro WordPress plugin before 4.16.3 allow users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could then be used for Cross-Site Scripting attacks.

PLUGIN Before 4 | CVE-2021-24960 | MEDIUM CVSS 5.4 | 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2021-24826 - Before 4 Plugin

The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. Please note that such an attack is still possible by admin+ in single-site blogs by default (but won't be when unfiltered_html is disallowed).

PLUGIN Before 4 | CVE-2021-24826 | MEDIUM CVSS 5.4 | 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2021-24825 - Before 4 Plugin

The Custom Content Shortcode WordPress plugin before 4.0.2 does not validate the data passed to its load shortcode, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to display arbitrary files from the filesystem (such as logs, .htaccess etc.), as well as perform Local File Inclusion attacks, as PHP files will be executed. Please note that such an attack is still possible by admin+ in single-site blogs by default (but won't be when either unfiltered_html or file_edit is disallowed).

PLUGIN Before 4 | CVE-2021-24825 | MEDIUM CVSS 4.3 | 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2021-24824 - Before 4 Plugin

The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1 allows authenticated users with a role as low as Contributor to access arbitrary post metadata. This could lead to sensitive data disclosure; for example, when used in combination with WooCommerce, the email address of orders can be retrieved.

PLUGIN Before 4 | CVE-2021-24824 | MEDIUM CVSS 4.3 | 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2021-24778 - Before 4 Plugin

The test parameter of the xmlfeed in the Tradetracker-Store WordPress plugin before 4.6.60 is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection.

PLUGIN Before 4 | CVE-2021-24778 | HIGH CVSS 7.2 | 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2022-0377 - Before 4 Plugin

Users of the LearnPress WordPress plugin before 4.1.5 can upload an image as a profile avatar after registration. After this process the user crops and saves the image. Then a "POST" request that contains the user-supplied name of the image is sent to the server for renaming and cropping of the image. As a result of this request, the name of the user-supplied image is changed to an MD5 value. This process can be conducted only when the type of the image is JPG or PNG. An attacker can use…

PLUGIN Before 4 | CVE-2022-0377 | MEDIUM CVSS 4.3 | 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2022-0189 - Before 4 Plugin

The WP RSS Aggregator WordPress plugin before 4.20 does not sanitise and escape the id parameter in the wprss_fetch_items_row_action AJAX action before outputting it back in the response, leading to Reflected Cross-Site Scripting.

PLUGIN Before 4 | CVE-2022-0189 | MEDIUM CVSS 6.1 | 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2022-0328 - Before 4 Plugin

The Simple Membership WordPress plugin before 4.0.9 does not have a CSRF check when deleting members in bulk, which could allow attackers to make a logged-in admin delete them via a CSRF attack.

PLUGIN Before 4 | CVE-2022-0328 | MEDIUM CVSS 4.7 | 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-24864 - Before 4 Plugin

The WP Cloudy, weather plugin WordPress plugin before 4.4.9 does not escape the post_id parameter before using it in a SQL statement in the admin dashboard, leading to a SQL Injection issue.

PLUGIN Before 4 | CVE-2021-24864 | HIGH CVSS 8.8 | 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2022-0228 - Before 4 Plugin

The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high-privilege users to perform SQL injection.

PLUGIN Before 4 | CVE-2022-0228 | HIGH CVSS 7.2 | 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2022-0313 - Before 4 Plugin

The Float menu WordPress plugin before 4.3.1 does not have a CSRF check in place when deleting menus, which could allow attackers to make a logged-in admin delete them via a CSRF attack.

PLUGIN Before 4 | CVE-2022-0313 | MEDIUM CVSS 4.3 | 2022-02-21