Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,198
Critical: 182
High: 652
Medium: 2,340
Showing 3021-3040 of 3198 records
Threat Entry Updated 2024-11-21

CVE-2022-0969 - Changeset Plugin

The Image optimization & Lazy Load by Optimole WordPress plugin before 3.3.2 does not sanitise and escape its "Lazyload background images for selectors" settings, which could allow high privilege users such as admin to perform Cross-Site scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Changeset

CVE-2022-0969

MEDIUM CVSS 4.8 2022-04-11
Threat Entry Updated 2024-11-21

CVE-2022-1165 - Changeset Plugin

The Blackhole for Bad Bots WordPress plugin before 3.3.2 uses headers such as CF-CONNECTING-IP, CLIENT-IP, etc. to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate/good search engine crawlers / bots. This could also be abused by competitors to damage a site's visibility in search engines, be used to bypass arbitrary blocks set by this plugin, or be used to block any visitor, even the administrator, and more.

PLUGIN Changeset

CVE-2022-1165

CRITICAL CVSS 9.1 2022-04-04
Threat Entry Updated 2024-11-21

CVE-2022-0958 - Changeset Plugin

The Mark Posts WordPress plugin before 2.0.1 does not escape new markers, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Changeset

CVE-2022-0958

MEDIUM CVSS 4.8 2022-04-04
Threat Entry Updated 2024-11-21

CVE-2022-0431 - Changeset Plugin

The Insights from Google PageSpeed WordPress plugin before 4.0.4 does not sanitise and escape various parameters before outputting them back in attributes in the plugin's settings dashboard, leading to Reflected Cross-Site Scripting.

PLUGIN Changeset

CVE-2022-0431

MEDIUM CVSS 6.1 2022-04-04
Threat Entry Updated 2024-11-21

CVE-2022-0825 - Changeset Plugin

The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any customer to update others' booking status, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked them.

PLUGIN Changeset

CVE-2022-0825

MEDIUM CVSS 5.4 2022-04-04
Threat Entry Updated 2024-11-21

CVE-2022-0884 - Changeset Plugin

The Profile Builder WordPress plugin before 3.6.8 does not sanitise and escape Form Fields titles and descriptions, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Changeset

CVE-2022-0884

MEDIUM CVSS 4.8 2022-04-04
Threat Entry Updated 2024-11-21

CVE-2022-0595 - Changeset Plugin

The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be uploaded by default via the dnd_codedropz_upload AJAX action, which could lead to a Stored Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2022-0595

MEDIUM CVSS 5.4 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2022-0479 - Changeset Plugin

The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform a Reflected Cross-Site Scripting attack against a logged-in admin opening a malicious link.

PLUGIN Changeset

CVE-2022-0479

CRITICAL CVSS 9.8 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2021-24962 - Changeset Plugin

The WordPress File Upload Free and Pro WordPress plugins before 4.16.3 allow users with a role as low as Contributor to perform path traversal via a shortcode argument, which can then be used to upload PHP code disguised as an image inside the auto-loaded directory of the plugin, resulting in arbitrary code execution.

PLUGIN Changeset

CVE-2021-24962

HIGH CVSS 8.8 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2022-0493 - Changeset Plugin

The String locator WordPress plugin before 2.5.0 does not properly validate the path of the files to be searched, allowing high privilege users such as admin to query arbitrary files on the web server via a path traversal vector. Furthermore, because the search accepts a pattern that is used to output the relevant matches from the matching file, the entire content of the file can be disclosed.

PLUGIN Changeset

CVE-2022-0493

MEDIUM CVSS 4.9 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2022-0760 - Changeset Plugin

The Simple Link Directory WordPress plugin before 7.7.2 does not validate and escape the post_id parameter before using it in a SQL statement via the qcopd_upvote_action AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL Injection.

PLUGIN Changeset

CVE-2022-0760

CRITICAL CVSS 9.8 2022-03-21
Threat Entry Updated 2024-11-21

CVE-2022-0747 - Changeset Plugin

The Infographic Maker WordPress plugin before 4.3.8 does not validate and escape the post_id parameter before using it in a SQL statement via the qcld_upvote_action AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL Injection.

PLUGIN Changeset

CVE-2022-0747

CRITICAL CVSS 9.8 2022-03-21
Threat Entry Updated 2024-11-21

CVE-2022-0739 - Changeset Plugin

The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user-supplied POST data before it is used in a dynamically constructed SQL query via the bookingpress_front_get_category_services AJAX action (available to unauthenticated users), leading to an unauthenticated SQL Injection.

PLUGIN Changeset

CVE-2022-0739

CRITICAL CVSS 9.8 2022-03-21
Threat Entry Updated 2024-11-21

CVE-2022-0694 - Changeset Plugin

The Advanced Booking Calendar WordPress plugin before 1.7.0 does not validate and escape the calendar parameter before using it in a SQL statement via the abc_booking_getSingleCalendar AJAX action (available to both unauthenticated and authenticated users), leading to an unauthenticated SQL injection.

PLUGIN Changeset

CVE-2022-0694

CRITICAL CVSS 9.8 2022-03-21
Threat Entry Updated 2024-11-21

CVE-2022-0640 - Changeset Plugin

The Pricing Table Builder WordPress plugin before 1.1.5 does not sanitize and escape the postid parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

PLUGIN Changeset

CVE-2022-0640

MEDIUM CVSS 6.1 2022-03-21
Threat Entry Updated 2024-11-21

CVE-2022-0628 - Changeset Plugin

The Mega Menu WordPress plugin before 3.0.8 does not sanitize and escape the _wpnonce parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

PLUGIN Changeset

CVE-2022-0628

MEDIUM CVSS 6.1 2022-03-21
Threat Entry Updated 2024-11-21

CVE-2022-0601 - Changeset Plugin

The Countdown, Coming Soon, Maintenance WordPress plugin before 2.2.9 does not sanitize and escape the post parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

PLUGIN Changeset

CVE-2022-0601

MEDIUM CVSS 6.1 2022-03-14
Threat Entry Updated 2024-11-21

CVE-2022-0684 - Changeset Plugin

The WP Home Page Menu WordPress plugin before 3.1 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Changeset

CVE-2022-0684

MEDIUM CVSS 4.8 2022-03-14
Threat Entry Updated 2024-11-21

CVE-2022-0254 - Changeset Plugin

The WordPress Zero Spam WordPress plugin before 5.2.11 does not properly sanitise and escape the order and orderby parameters before using them in a SQL statement in the admin dashboard, leading to a SQL injection.

PLUGIN Changeset

CVE-2022-0254

CRITICAL CVSS 9.8 2022-03-14
Threat Entry Updated 2024-11-21

CVE-2022-0169 - Changeset Plugin

The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection.

PLUGIN Changeset

CVE-2022-0169

CRITICAL CVSS 9.8 2022-03-14