Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 3,198 | Critical 182 | High 652 | Medium 2,340

Showing 3001-3020 of 3198 records
Threat Entry Updated 2024-11-21

CVE-2022-2117 - Changeset Plugin

The GiveWP plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to, and including, 2.20.2 via the /donor-wall REST API endpoint, which provides unauthenticated users with donor information even when the donor wall is not enabled. This functionality has been completely removed in version 2.20.2.

PLUGIN Changeset

CVE-2022-2117

MEDIUM CVSS 5.3 2022-07-18
Threat Entry Updated 2025-05-05

CVE-2022-2001 - Changeset Plugin

The DX Share Selection plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4. This is due to missing nonce protection on the dxss_admin_page() function found in the ~/dx-share-selection.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, provided they can trick a site's administrator into performing an action such as clicking on a link.

PLUGIN Changeset

CVE-2022-2001

HIGH CVSS 8.8 2022-07-18
Threat Entry Updated 2025-05-05

CVE-2022-2108 - Changeset Plugin

The plugin Wbcom Designs – BuddyPress Group Reviews for WordPress is vulnerable to unauthorized settings changes and review modification due to missing capability checks and improper nonce checks in several functions related to said actions in versions up to, and including, 2.8.3. This makes it possible for unauthenticated attackers to modify reviews and plugin settings on the affected site.

PLUGIN Changeset

CVE-2022-2108

MEDIUM CVSS 6.5 2022-07-18
Threat Entry Updated 2025-05-05

CVE-2022-1442 - Changeset Plugin

The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file, which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs such as those of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.

PLUGIN Changeset

CVE-2022-1442

HIGH CVSS 7.5 2022-05-10
Threat Entry Updated 2024-11-21

CVE-2022-0948 - Changeset Plugin

The Order Listener for WooCommerce WordPress plugin before 3.2.2 does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection.

PLUGIN Changeset

CVE-2022-0948

CRITICAL CVSS 9.8 2022-05-09
Threat Entry Updated 2024-11-21

CVE-2022-1281 - Changeset Plugin

The Photo Gallery WordPress plugin through 1.6.3 does not properly escape the $_POST['filter_tag'] parameter, which is appended to an SQL query, making SQL Injection attacks possible.

PLUGIN Changeset

CVE-2022-1281

CRITICAL CVSS 9.8 2022-05-02
Threat Entry Updated 2024-11-21

CVE-2022-0191 - Changeset Plugin

The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.7 does not have a CSRF check when deleting banned users, which could allow attackers to make a logged-in admin remove arbitrary bans.

PLUGIN Changeset

CVE-2022-0191

MEDIUM CVSS 6.5 2022-05-02
Threat Entry Updated 2025-05-05

CVE-2022-0992 - Changeset Plugin

The SiteGround Security plugin for WordPress is vulnerable to an authentication bypass that allows unauthenticated users to log in as administrative users. Identity is not verified during the initial 2FA set-up, so unauthenticated and unauthorized users can configure 2FA for accounts whose set-up is still pending; on successful configuration the attacker is logged in as that user without ever presenting the username/password pair that is supposed to be the first factor. This affects versions up to, and including, 1.2.5.

PLUGIN Changeset

CVE-2022-0992

CRITICAL CVSS 9.8 2022-04-19
Threat Entry Updated 2024-11-21

CVE-2022-1329 - Changeset Plugin

The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file, which makes it possible for attackers to modify site data and to upload malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.

PLUGIN Changeset

CVE-2022-1329

HIGH CVSS 8.8 2022-04-19
Threat Entry Updated 2024-11-21

CVE-2022-0993 - Changeset Plugin

The SiteGround Security plugin for WordPress is vulnerable to an authentication bypass that allows unauthenticated users to log in as administrative users, because the 2FA back-up code implementation does not verify the user's identity before logging them in on a successful code. This affects versions up to, and including, 1.2.5.

PLUGIN Changeset

CVE-2022-0993

HIGH CVSS 8.1 2022-04-19
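The two SiteGround Security entries above (CVE-2022-0992 and CVE-2022-0993) are the same design mistake seen from two sides: a second-factor step (enrolment, or back-up code redemption) that does not first prove the password factor for this login attempt, and so becomes a password-less login. The following is an added example, not SiteGround Security's code; the option and meta names, the `example_` functions, the transient prefix and the `verify_totp()` helper are hypothetical. It shows the rule in working WordPress PHP: every second-factor path consumes a short-lived token that only the password check can issue, and enrolment is only possible for the already-authenticated current user.

```php
<?php
// Added example (hypothetical names throughout); not the plugin's own code.
const EXAMPLE_PENDING_TTL = 5 * MINUTE_IN_SECONDS;

// Step 1: password check. Does NOT log the user in. It only issues a
// short-lived, single-use token bound to the authenticated user ID.
function example_login_step1( $username, $password ) {
    $user = wp_authenticate( $username, $password );
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    $token = bin2hex( random_bytes( 32 ) );
    // Store only a hash of the token so a database read cannot replay it.
    set_transient( 'example_2fa_pending_' . hash( 'sha256', $token ), $user->ID, EXAMPLE_PENDING_TTL );
    return $token; // handed to the browser for step 2
}

// Shared gate for every second-factor path: resolve and burn the token.
// Without this gate, "configure 2FA" or "redeem a back-up code" logs in
// whichever account the request names (the shape of CVE-2022-0992/0993).
function example_consume_pending( $token ) {
    $key     = 'example_2fa_pending_' . hash( 'sha256', (string) $token );
    $user_id = get_transient( $key );
    if ( false === $user_id ) {
        return new WP_Error( 'no_first_factor', 'Password step not completed.' );
    }
    delete_transient( $key ); // single use, whether the code turns out valid or not
    return (int) $user_id;
}

// Step 2a: TOTP. verify_totp( $secret, $code ) is assumed to exist
// (any RFC 6238 implementation); it is not a WordPress function.
function example_login_step2_totp( $token, $code ) {
    $user_id = example_consume_pending( $token );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    $secret = get_user_meta( $user_id, 'example_totp_secret', true );
    if ( ! $secret || ! verify_totp( $secret, $code ) ) {
        return new WP_Error( 'bad_code', 'Invalid code.' );
    }
    wp_set_auth_cookie( $user_id );
    return $user_id;
}

// Step 2b: back-up code. Same gate; codes are stored hashed and consumed once.
function example_login_step2_backup( $token, $code ) {
    $user_id = example_consume_pending( $token );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    $hashes = (array) get_user_meta( $user_id, 'example_backup_hashes', true );
    foreach ( $hashes as $i => $hash ) {
        if ( wp_check_password( $code, $hash ) ) {
            unset( $hashes[ $i ] );
            update_user_meta( $user_id, 'example_backup_hashes', array_values( $hashes ) );
            wp_set_auth_cookie( $user_id );
            return $user_id;
        }
    }
    return new WP_Error( 'bad_code', 'Invalid back-up code.' );
}

// Enrolment: only for the logged-in current user, never for an arbitrary
// "pending" account chosen by the request, and CSRF-protected.
function example_enrol_2fa( $secret ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'not_logged_in', 'Log in first.' );
    }
    check_admin_referer( 'example_enrol_2fa' );
    $user_id = get_current_user_id();
    update_user_meta( $user_id, 'example_totp_secret', $secret );
    $codes = array();
    for ( $i = 0; $i < 8; $i++ ) {
        $codes[] = wp_generate_password( 10, false );
    }
    update_user_meta( $user_id, 'example_backup_hashes', array_map( 'wp_hash_password', $codes ) );
    return $codes; // displayed once; only hashes are persisted
}
```

The point to check in any 2FA plugin is the call graph, not the code verification itself: find every code path that ends in `wp_set_auth_cookie()` and confirm each one is preceded, in the same request or via a bound token, by a successful password check.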
Threat Entry Updated 2024-11-21

CVE-2022-1001 - Changeset Plugin

The WP Downgrade WordPress plugin before 1.2.3 only performs client-side validation of its "WordPress Target Version" setting and does not sanitise and escape it server side, allowing high-privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Changeset

CVE-2022-1001

MEDIUM CVSS 4.8 2022-04-18
Threat Entry Updated 2025-02-07

CVE-2022-0706 - Changeset Plugin

The Easy Digital Downloads WordPress plugin before 2.11.6 does not sanitise and escape the Downloadable File Name in the Logs, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Changeset

CVE-2022-0706

MEDIUM CVSS 4.8 2022-04-18
Threat Entry Updated 2025-02-07

CVE-2022-0707 - Changeset Plugin

The Easy Digital Downloads WordPress plugin before 2.11.6 does not have a CSRF check in place when inserting payment notes, which could allow attackers to make a logged-in admin insert arbitrary notes via a CSRF attack.

PLUGIN Changeset

CVE-2022-0707

MEDIUM CVSS 4.3 2022-04-18
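The CSRF and missing-authorisation entries on this page (CVE-2022-2001, CVE-2022-2108, CVE-2022-0191, CVE-2022-1329 and CVE-2022-0707) share one root cause: a state-changing handler that runs without a nonce check, a capability check, or both. The following is an added example, not code from any of those plugins; the hook names, the `example_bans` option and the `manage_options` capability are placeholders chosen for illustration. It puts the unprotected pattern beside the two checks WordPress provides, for an admin-post handler and for an AJAX handler.

```php
<?php
// Added example (hypothetical hook and option names); not any listed plugin's code.

// --- Vulnerable pattern: the handler trusts any POST that reaches it ---
add_action( 'admin_post_example_delete_ban_vuln', function () {
    // No nonce: a forged cross-site POST made by a logged-in admin's browser
    // is accepted (CSRF). No capability check: any authenticated role can
    // call it, and with admin_post_nopriv_/wp_ajax_nopriv_ so can anonymous users.
    $bans = (array) get_option( 'example_bans', array() );
    unset( $bans[ sanitize_text_field( wp_unslash( $_POST['ban_id'] ?? '' ) ) ] );
    update_option( 'example_bans', $bans );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
} );

// --- Hardened pattern ---
function example_render_delete_ban_form( $ban_id ) {
    // The form carries a nonce tied to this action AND this specific ban,
    // so a nonce leaked for one row cannot be replayed against another.
    $action = 'example_delete_ban_' . $ban_id;
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_delete_ban">
        <input type="hidden" name="ban_id" value="<?php echo esc_attr( $ban_id ); ?>">
        <?php wp_nonce_field( $action, '_example_nonce' ); ?>
        <?php submit_button( 'Remove ban' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_example_delete_ban', function () {
    // 1. Authorisation: is this user allowed to do this at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    $ban_id = sanitize_text_field( wp_unslash( $_POST['ban_id'] ?? '' ) );
    // 2. Intent (CSRF): did this request originate from our own form?
    //    check_admin_referer() dies with 403 on a missing or stale nonce.
    check_admin_referer( 'example_delete_ban_' . $ban_id, '_example_nonce' );

    $bans = (array) get_option( 'example_bans', array() );
    unset( $bans[ $ban_id ] );
    update_option( 'example_bans', $bans );
    wp_safe_redirect( add_query_arg( 'removed', '1', wp_get_referer() ?: admin_url() ) );
    exit;
} );

// The same two checks for an AJAX action. Registering only wp_ajax_ (and not
// wp_ajax_nopriv_) keeps anonymous callers out, but is not authorisation:
// every logged-in role, subscribers included, can reach wp_ajax_ hooks.
add_action( 'wp_ajax_example_save_settings', function () {
    check_ajax_referer( 'example_save_settings', 'nonce' ); // dies with 403 on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $enabled = ! empty( $_POST['enabled'] ) ? 1 : 0;
    update_option( 'example_enabled', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
} );
```

When reviewing a plugin for this class of bug, grep for `add_action( 'wp_ajax_`, `admin_post_` and `admin_init` handlers that read `$_POST`/`$_REQUEST` and confirm both a `check_*_referer()`/`wp_verify_nonce()` call and a `current_user_can()` call precede the write; a nonce alone (as in CVE-2022-2108's "improper nonce checks") is not authorisation, and a capability check alone does not stop CSRF.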
Threat Entry Updated 2024-11-21

CVE-2022-1023 - Changeset Plugin

The Podcast Importer SecondLine WordPress plugin before 1.3.8 does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by importing a malicious podcast file.

PLUGIN Changeset

CVE-2022-1023

HIGH CVSS 7.2 2022-04-11
Threat Entry Updated 2024-11-21

CVE-2022-1008 - Changeset Plugin

The One Click Demo Import WordPress plugin before 3.1.0 does not validate the imported file, allowing high-privilege users such as admins to upload arbitrary files (such as PHP) even when DISALLOW_FILE_MODS and DISALLOW_FILE_EDIT are set.

PLUGIN Changeset

CVE-2022-1008

HIGH CVSS 7.2 2022-04-11
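CVE-2022-1008 above (and the file-upload half of CVE-2022-1329) turns an "import" feature into arbitrary PHP upload because the uploaded file is stored under its client-supplied name without a type check. The following is an added example, not One Click Demo Import's code; the handler names and the `example_import_file` field are hypothetical. It shows the unsafe handler next to one that restricts the type, discards the client's file name, and keeps the file out of an executable location.

```php
<?php
// Added example (hypothetical names); not the plugin's own code.

// --- Vulnerable pattern: the "demo content" file is accepted as-is ---
function example_handle_import_vuln() {
    // The client-supplied name is trusted, so import.php lands in a
    // web-served directory. DISALLOW_FILE_MODS/DISALLOW_FILE_EDIT only
    // govern WordPress's own plugin/theme editors; they do not stop this.
    $dest = wp_upload_dir()['basedir'] . '/' . $_FILES['example_import_file']['name'];
    move_uploaded_file( $_FILES['example_import_file']['tmp_name'], $dest );
    return $dest;
}

// --- Hardened pattern ---
function example_handle_import() {
    if ( ! current_user_can( 'import' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed.', array( 'status' => 403 ) );
    }
    check_admin_referer( 'example_import', '_example_nonce' );

    if ( empty( $_FILES['example_import_file'] ) || UPLOAD_ERR_OK !== $_FILES['example_import_file']['error'] ) {
        return new WP_Error( 'no_file', 'No file uploaded.' );
    }
    $file = $_FILES['example_import_file'];

    // Allow only what the importer actually parses. wp_check_filetype_and_ext()
    // maps the extension against this list and, for types WordPress can sniff,
    // compares it with the MIME type detected from the content; on mismatch it
    // returns empty ext/type. Rejecting an odd-but-legitimate file is the safe failure.
    $allowed = array( 'xml' => 'text/xml' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only .xml import files are accepted.' );
    }

    // Store under a server-generated name, never the client's, in a
    // dedicated directory where PHP execution is denied.
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-imports';
    wp_mkdir_p( $dir );
    if ( ! file_exists( $dir . '/.htaccess' ) ) {
        // Apache 2.4 rule; an nginx host needs an equivalent location block.
        file_put_contents(
            $dir . '/.htaccess',
            "<FilesMatch \"\\.ph(p[0-9]?|tml|ar)$\">\nRequire all denied\n</FilesMatch>\n"
        );
    }
    $dest = $dir . '/' . wp_generate_password( 20, false ) . '.' . $check['ext'];
    if ( ! move_uploaded_file( $file['tmp_name'], $dest ) ) {
        return new WP_Error( 'move_failed', 'Could not store the import file.' );
    }
    // The file is data to be parsed; it is never include()d or require()d.
    return $dest;
}
```

The capability check matters even though the victim here is an administrator: combined with a CSRF weakness, or on a site where the admin account is the thing being protected by `DISALLOW_FILE_MODS`, an unvalidated import is the path from "admin" to "code execution on the host".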
Threat Entry Updated 2024-11-21

CVE-2022-1006 - Changeset Plugin

The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the id parameter when editing Calendars, which could allow high-privilege users such as admins to perform SQL injection attacks.

PLUGIN Changeset

CVE-2022-1006

HIGH CVSS 7.2 2022-04-11
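The SQL injection entries on this page (CVE-2022-0948 via an unauthenticated REST route, CVE-2022-1281 via `$_POST['filter_tag']`, CVE-2022-1006 via an admin `id` parameter) and the open-endpoint disclosures (CVE-2022-2117, CVE-2022-1442) come down to two missing things: a `permission_callback` that actually authorises, and `$wpdb->prepare()` between user input and the query. The following is an added example, not code from any of those plugins; the `example/v1` namespace, the `example_orders` and `example_tags` tables and the `manage_options` capability are placeholders. It shows the injectable, anonymous route beside the hardened one, plus the LIKE-filter case.

```php
<?php
// Added example (hypothetical namespace, tables and capability); not any listed plugin's code.

// --- Vulnerable pattern: id interpolated into SQL, route open to anyone ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/order-vuln/(?P<id>[^/]+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => '__return_true',   // anyone, unauthenticated
        'callback'            => function ( WP_REST_Request $req ) {
            global $wpdb;
            // GET /wp-json/example/v1/order-vuln/0%20OR%201=1 reaches the query
            // as "... WHERE id = 0 OR 1=1": the URL segment is the SQL.
            $row = $wpdb->get_row(
                "SELECT * FROM {$wpdb->prefix}example_orders WHERE id = " . $req['id']
            );
            return rest_ensure_response( $row );
        },
    ) );
} );

// --- Hardened pattern ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/order/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        // Authorisation: a real check, not __return_true. This is the line
        // whose absence made the GiveWP and Metform data readable anonymously.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        // Schema: WordPress validates and sanitises against it with
        // rest_validate_request_arg()/rest_sanitize_request_arg() before
        // the callback runs, so $req['id'] arrives as an integer >= 1.
        'args'                => array(
            'id' => array(
                'required' => true,
                'type'     => 'integer',
                'minimum'  => 1,
            ),
        ),
        'callback'            => 'example_get_order',
    ) );
} );

function example_get_order( WP_REST_Request $req ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_orders';
    // Parameterised: %d forces an integer, so the value can only ever be the
    // number compared, never additional SQL. Table names cannot be placeholders,
    // hence the controlled interpolation of $table.
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT id, status, total FROM {$table} WHERE id = %d", $req['id'] )
    );
    if ( null === $row ) {
        return new WP_Error( 'not_found', 'No such order.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( $row );
}

// The same rule for an admin-side string filter posted from a form (the
// CVE-2022-1281 shape). A string uses %s, and a LIKE pattern additionally
// needs $wpdb->esc_like() so '%' and '_' typed by the user stay literal.
function example_filter_by_tag( $tag ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( sanitize_text_field( $tag ) ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name FROM {$wpdb->prefix}example_tags WHERE name LIKE %s ORDER BY id",
            $like
        )
    );
}
```

Two review checks follow from this: every `register_rest_route()` call should have a `permission_callback` that is not `__return_true` unless the data is genuinely public (WordPress 5.5+ logs a `_doing_it_wrong()` notice when it is missing entirely), and every `$wpdb->query/get_*` call should receive the output of `$wpdb->prepare()` rather than a concatenated string, with `esc_sql()` alone treated as a smell.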
Threat Entry Updated 2024-11-21

CVE-2022-1007 - Changeset Plugin

The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2022-1007

MEDIUM CVSS 6.1 2022-04-11
Threat Entry Updated 2024-11-21

CVE-2022-0471 - Changeset Plugin

The Favicon by RealFaviconGenerator WordPress plugin before 1.3.23 does not properly sanitise and escape the json_result_url parameter before outputting it back in the Favicon admin dashboard, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2022-0471

MEDIUM CVSS 6.1 2022-04-11
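The Cross-Site Scripting entries on this page are of two kinds: reflected (CVE-2022-1007's `room`, CVE-2022-0471's `json_result_url`, echoed straight back into an admin page) and stored by a high-privilege user despite `unfiltered_html` being disallowed (CVE-2022-1001, CVE-2022-0706). The following is an added example, not code from any of those plugins; the `example_target_version` setting, the `example` text domain and the function names are hypothetical. It shows the raw echo beside context-specific escaping, and a server-side `sanitize_callback` standing in for the client-side-only validation that CVE-2022-1001 relied on.

```php
<?php
// Added example (hypothetical names); not any listed plugin's code.

// --- Vulnerable pattern: request values echoed raw into an admin page ---
function example_render_calendar_page_vuln() {
    // ?page=example&room=<script>alert(1)</script> runs in the admin's
    // browser as soon as they follow the link; the href is worse still,
    // since javascript: URLs pass straight through.
    echo '<h1>Rooms for ' . $_GET['room'] . '</h1>';
    echo '<a href="' . $_GET['json_result_url'] . '">result</a>';
}

// --- Hardened pattern: escape for the exact context at output time ---
function example_render_calendar_page() {
    // Unslash and sanitise on input ...
    $room = isset( $_GET['room'] ) ? sanitize_text_field( wp_unslash( $_GET['room'] ) ) : '';
    $url  = isset( $_GET['json_result_url'] ) ? esc_url_raw( wp_unslash( $_GET['json_result_url'] ) ) : '';

    // ... and escape for the context on output: esc_html() in text nodes,
    // esc_attr() inside attributes, esc_url() in href/src (which also drops
    // javascript: and any other scheme not in wp_allowed_protocols()).
    echo '<h1>' . esc_html( sprintf( 'Rooms for %s', $room ) ) . '</h1>';
    if ( '' !== $url ) {
        echo '<a href="' . esc_url( $url ) . '">' . esc_html__( 'result', 'example' ) . '</a>';
    }
    echo '<input type="text" name="room" value="' . esc_attr( $room ) . '">';
}

// Stored settings need the same on the server, whatever JavaScript the
// settings form runs: the browser is attacker-controlled, and a disallowed
// unfiltered_html capability is only honoured by code that filters.
// register_setting()'s sanitize_callback runs on every save.
add_action( 'admin_init', function () {
    register_setting( 'example_options', 'example_target_version', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_version',
        'default'           => '',
    ) );
} );

function example_sanitize_version( $value ) {
    $value = sanitize_text_field( (string) $value );
    // Allow-list the shape ("6.4.2") rather than trying to strip bad characters.
    if ( ! preg_match( '/^\d+(\.\d+){1,3}$/', $value ) ) {
        add_settings_error( 'example_target_version', 'invalid_version', 'Target version must look like 6.4.2.' );
        return get_option( 'example_target_version', '' ); // keep the previous value
    }
    return $value;
}

// Where some HTML is legitimately allowed (a downloadable file name is not;
// a rich-text note might be), filter against an allow-list with wp_kses_post()
// instead of trusting unfiltered_html, which DISALLOW_UNFILTERED_HTML can remove.
function example_render_log_entry( $file_name, $note_html ) {
    echo '<td>' . esc_html( $file_name ) . '</td>';
    echo '<td>' . wp_kses_post( $note_html ) . '</td>';
}
```

The escaping has to happen at the output site, not only at save time: a value sanitised on input but printed later into a different context (an attribute, a URL, inline JavaScript) needs the escape function for that context, which is why `esc_html()`, `esc_attr()`, `esc_url()` and `esc_js()` are distinct functions.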