Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 276 records (Critical: 15, High: 50, Medium: 205)
Showing 161-180 of 276 records

CVE-2022-3207 (WordPress plugin) - MEDIUM, CVSS 4.8, 2022-10-10 - entry updated 2024-11-21

The Simple File List WordPress plugin before 4.4.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2022-2981 (WordPress plugin) - MEDIUM, CVSS 4.9, 2022-10-10 - entry updated 2024-11-21

The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders and are not sensitive, allowing high privilege users such as admin to download wp-config.php or /etc/passwd even in a hardened environment or multisite setup.

CVE-2022-2554 (WordPress plugin) - MEDIUM, CVSS 4.9, 2022-10-10 - entry updated 2024-11-21

The Enable Media Replace WordPress plugin before 4.0.0 does not ensure that renamed files stay inside the Upload folder, which could allow high privilege users such as admin to move them outside of it, for example into the web root directory, via a path traversal attack.

CVE-2022-2628 (WordPress plugin) - MEDIUM, CVSS 4.8, 2022-10-03 - entry updated 2024-11-21

The DSGVO All in one for WP WordPress plugin before 4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2022-3062 (WordPress plugin) - MEDIUM, CVSS 6.1, 2022-09-26 - entry updated 2025-05-22

The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting.

CVE-2022-2565 (WordPress plugin) - HIGH, CVSS 7.2, 2022-09-05 - entry updated 2024-11-21

The Simple Payment Donations & Subscriptions WordPress plugin before 4.2.1 does not sanitise and escape user input given in its forms, which could allow unauthenticated attackers to perform Cross-Site Scripting attacks against admins.

CVE-2022-2638 (WordPress plugin) - MEDIUM, CVSS 6.5, 2022-08-29 - entry updated 2024-11-21

The Export All URLs WordPress plugin before 4.4 does not validate the path of the file to be removed from the system, which is supposed to be its CSV export file. This could allow high privilege users to delete arbitrary files from the server.

CVE-2022-2599 (WordPress plugin) - MEDIUM, CVSS 6.1, 2022-08-29 - entry updated 2024-11-21

The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.21.83 does not sanitise and escape some parameters before outputting them back in an admin dashboard, leading to Reflected Cross-Site Scripting.

CVE-2022-2034 (WordPress plugin) - MEDIUM, CVSS 5.3, 2022-08-29 - entry updated 2024-11-21

The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set on one of its REST endpoints, allowing unauthenticated users to access private messages sent to teachers.

CVE-2022-2080 (WordPress plugin) - MEDIUM, CVSS 4.3, 2022-08-29 - entry updated 2024-11-21

The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversations via an IDOR attack. Note: attackers are not able to see responses/messages between the teacher and student.

CVE-2022-2557 (WordPress plugin) - HIGH, CVSS 8.8, 2022-08-22 - entry updated 2024-11-21

The Team WordPress plugin before 4.1.2 contains a file which could allow any authenticated user to download arbitrary files from the server via a path traversal vector. Furthermore, the file will also be deleted after its content is returned to the user.

CVE-2022-1932 (WordPress plugin) - MEDIUM, CVSS 6.1, 2022-08-22 - entry updated 2024-11-21

The Rezgo Online Booking WordPress plugin before 4.1.8 does not sanitise and escape some parameters before outputting them back in a page, leading to Reflected Cross-Site Scripting, which can be exploited either via an LFI in an AJAX action or via a direct call to the affected file.

CVE-2022-2398 (WordPress plugin) - MEDIUM, CVSS 4.8, 2022-08-08 - entry updated 2024-11-21

The WordPress Comments Fields WordPress plugin before 4.1 does not escape the Field Error Message, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

CVE-2022-2317 (WordPress plugin) - CRITICAL, CVSS 9.8, 2022-08-01 - entry updated 2024-11-21

The Simple Membership WordPress plugin before 4.1.3 allows users to change their membership at the registration stage due to insufficient checking of a user-supplied parameter.

CVE-2022-2278 (WordPress plugin) - MEDIUM, CVSS 4.8, 2022-08-01 - entry updated 2024-11-21

The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not validate, sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2022-2273 (WordPress plugin) - HIGH, CVSS 8.8, 2022-08-01 - entry updated 2024-11-21

The Simple Membership WordPress plugin before 4.1.3 does not properly validate the membership_level parameter when editing a profile, allowing members to escalate to a higher membership level by using a crafted POST request.

CVE-2022-2241 (WordPress plugin) - MEDIUM, CVSS 6.1, 2022-08-01 - entry updated 2024-11-21

The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. Furthermore, due to the lack of validation, sanitisation and escaping in some of them, it could also lead to Stored XSS issues.

CVE-2022-1551 (WordPress plugin) - MEDIUM, CVSS 6.5, 2022-07-25 - entry updated 2024-11-21

The SP Project & Document Manager WordPress plugin before 4.58 uses an easily guessable path to store user files, which bad actors could use to access other users' sensitive files.

CVE-2022-2222 (WordPress plugin) - MEDIUM, CVSS 4.9, 2022-07-17 - entry updated 2024-11-21

The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders and are not sensitive, allowing high privilege users such as admin to download wp-config.php or /etc/passwd even in a hardened environment or multisite setup.

CVE-2022-1672 (WordPress plugin) - HIGH, CVSS 8.8, 2022-07-17 - entry updated 2024-11-21

The Insights from Google PageSpeed WordPress plugin before 4.0.7 does not check for CSRF before performing various actions such as deleting Custom URLs, which could allow attackers to make a logged-in admin perform such actions via CSRF attacks.