"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 24
Critical: 1
High: 3
Medium: 20
Showing 21-24 of 24 records
Threat Entry Updated 2024-11-21

CVE-2022-1967 - Before 9 Plugin

The WP Championship WordPress plugin before 9.3 lacks CSRF checks in various places, allowing attackers to make a logged-in admin perform unwanted actions, such as creating and deleting arbitrary teams as well as updating the plugin's settings. Due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues.

PLUGIN Before 9

CVE-2022-1967

MEDIUM CVSS 6.5 2022-07-04
Threat Entry Updated 2024-11-21

CVE-2022-0784 - Before 9 Plugin

The Title Experiments Free WordPress plugin before 9.0.1 does not sanitise and escape the id parameter before using it in a SQL statement via the wpex_titles AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection.

PLUGIN Before 9

CVE-2022-0784

CRITICAL CVSS 9.8 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2021-25031 - Before 9 Plugin

The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting.

PLUGIN Before 9

CVE-2021-25031

MEDIUM CVSS 6.1 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-24374 - Before 9 Plugin

The Jetpack Carousel module of the Jetpack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments of non-published pages/posts to be leaked.

PLUGIN Before 9

CVE-2021-24374

MEDIUM CVSS 5.3 2021-06-21