Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 140 | Critical 8 | High 23 | Medium 107
Showing 81-100 of 140 records
Threat Entry Updated 2024-11-21

CVE-2022-1598 - Before 5 Plugin

The WPQA Builder WordPress plugin before 5.5, which is a companion to the Discy and Himer themes, lacks authentication in a REST API endpoint, allowing unauthenticated users to discover private questions sent between users on the site.

PLUGIN Before 5

CVE-2022-1598

MEDIUM CVSS 5.3 2022-06-08
Threat Entry Updated 2024-11-21

CVE-2022-1421 - Before 5 Theme

The Discy WordPress theme before 5.2 lacks CSRF checks in some AJAX actions, allowing an attacker to make a logged-in admin change arbitrary theme settings, including payment methods, via a CSRF attack.

THEME Before 5

CVE-2022-1421

MEDIUM CVSS 4.3 2022-06-08
Threat Entry Updated 2024-11-21

CVE-2022-1568 - Before 5 Plugin

The Team Members WordPress plugin before 5.1.1 does not escape some of its Team settings, which could allow high-privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Before 5

CVE-2022-1568

MEDIUM CVSS 4.8 2022-05-30
Threat Entry Updated 2024-11-21

CVE-2022-1425 - Before 5 Plugin

The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer themes, does not validate that the message_id of the wpqa_message_view AJAX action belongs to the requesting user, leading to any user being able to read the messages of any other user via an Insecure Direct Object Reference (IDOR) vulnerability.

PLUGIN Before 5

CVE-2022-1425

MEDIUM CVSS 4.3 2022-05-16
Threat Entry Updated 2024-11-21

CVE-2022-1349 - Before 5 Plugin

The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer themes, does not validate that the value passed to the image_id parameter of the AJAX action wpqa_remove_image belongs to the requesting user, allowing any user (with privileges as low as Subscriber) to delete the profile picture of any other user.

PLUGIN Before 5

CVE-2022-1349

MEDIUM CVSS 4.3 2022-05-16
Threat Entry Updated 2024-11-21

CVE-2022-1051 - Before 5 Plugin

The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer themes, does not sanitise and escape the city, phone or profile credentials fields when outputting them on the profile page, allowing any authenticated user to perform Cross-Site Scripting attacks.

PLUGIN Before 5

CVE-2022-1051

MEDIUM CVSS 5.4 2022-05-16
Threat Entry Updated 2024-11-21

CVE-2022-0771 - Before 5 Plugin

The SiteSuperCharger WordPress plugin before 5.2.0 does not validate, sanitise and escape various user inputs before using them in SQL statements via AJAX actions (available to both unauthenticated and authenticated users), leading to unauthenticated SQL injection.

PLUGIN Before 5

CVE-2022-0771

CRITICAL CVSS 9.8 2022-05-02
Threat Entry Updated 2024-11-21

CVE-2022-0428 - Before 5 Plugin

The Content Egg WordPress plugin before 5.3.0 does not sanitise and escape the page parameter before outputting it back in an attribute in the Autoblogging admin dashboard, leading to Reflected Cross-Site Scripting.

PLUGIN Before 5

CVE-2022-0428

MEDIUM CVSS 6.1 2022-05-02
Threat Entry Updated 2024-11-21

CVE-2022-0662 - Before 5 Plugin

The AdRotate WordPress plugin before 5.8.23 does not sanitise and escape Advert Names, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 5

CVE-2022-0662

MEDIUM CVSS 4.8 2022-05-02
Threat Entry Updated 2024-11-21

CVE-2022-0649 - Before 5 Plugin

The AdRotate WordPress plugin before 5.8.23 does not escape Group Names, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 5

CVE-2022-0649

MEDIUM CVSS 4.8 2022-05-02
Threat Entry Updated 2024-11-21

CVE-2022-1152 - Before 5 Plugin

The Menubar WordPress plugin before 5.8 does not sanitise and escape the command parameter before outputting it back in the response via the menubar AJAX action (available to any authenticated user), leading to Reflected Cross-Site Scripting.

PLUGIN Before 5

CVE-2022-1152

MEDIUM CVSS 5.4 2022-04-25
Threat Entry Updated 2024-11-21

CVE-2022-0403 - Before 5 Plugin

The Library File Manager WordPress plugin before 5.2.3 uses an outdated version of the elFinder library, which is known to be affected by security issues (CVE-2021-32682), and does not have any authorisation or CSRF checks in its connector AJAX action, allowing any authenticated user, such as a subscriber, to call it. Furthermore, as the options passed to the elFinder library do not restrict any file type, users with a role as low as Subscriber can create, upload and delete arbitrary files and folders.

PLUGIN Before 5

CVE-2022-0403

HIGH CVSS 8.1 2022-04-04
Threat Entry Updated 2024-11-21

CVE-2022-0787 - Before 5 Plugin

The Limit Login Attempts (Spam Protection) WordPress plugin before 5.1 does not sanitise and escape some parameters before using them in SQL statements via AJAX actions (available to unauthenticated users), leading to SQL injection.

PLUGIN Before 5

CVE-2022-0787

CRITICAL CVSS 9.8 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2022-0229 - Before 5 Plugin

The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable.

PLUGIN Before 5

CVE-2022-0229

HIGH CVSS 8.1 2022-03-21
Threat Entry Updated 2024-11-21

CVE-2022-0590 - Before 5 Plugin

The BulletProof Security WordPress plugin before 5.8 does not sanitise and escape some of its settings, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 5

CVE-2022-0590

MEDIUM CVSS 4.8 2022-03-21
Threat Entry Updated 2024-11-21

CVE-2022-0254 - Before 5 Plugin

The WordPress Zero Spam WordPress plugin before 5.2.11 does not properly sanitise and escape the order and orderby parameters before using them in a SQL statement in the admin dashboard, leading to SQL injection.

PLUGIN Before 5

CVE-2022-0254

CRITICAL CVSS 9.8 2022-03-14
Threat Entry Updated 2024-11-21

CVE-2022-0439 - Before 5 Plugin

The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the `order` and `orderby` parameters of the `ajax_fetch_report_list` action, making it vulnerable to blind SQL injection by users with roles as low as Subscriber. Furthermore, it has no CSRF protection for the action, allowing an attacker to trick any logged-in user into performing the action by clicking a link.

PLUGIN Before 5

CVE-2022-0439

HIGH CVSS 8.8 2022-03-07
Threat Entry Updated 2026-03-06

CVE-2022-0410 - Before 5 Plugin

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.6 does not sanitise and escape the id parameter before using it in a SQL statement via the refUrlDetails AJAX action, available to any authenticated user, leading to SQL injection.

PLUGIN Before 5

CVE-2022-0410

HIGH CVSS 8.8 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2022-0420 - Before 5 Plugin

The RegistrationMagic WordPress plugin before 5.0.2.2 does not sanitise and escape the rm_form_id parameter before using it in a SQL statement in the Automation admin dashboard, allowing high-privilege users to perform SQL injection attacks.

PLUGIN Before 5

CVE-2022-0420

HIGH CVSS 7.2 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2022-0267 - Before 5 Plugin

The AdRotate WordPress plugin before 5.8.22 does not sanitise and escape the adrotate_action parameter before using it in a SQL statement via the adrotate_request_action function available to admins, leading to SQL injection.

PLUGIN Before 5

CVE-2022-0267

HIGH CVSS 7.2 2022-03-07