
Threat Database

Threat Entry Updated 2024-11-21

CVE-2022-23912 - Changeset Plugin

The Testimonial WordPress Plugin WordPress plugin before 1.4.7 does not sanitise and escape the id parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2022-23912

MEDIUM CVSS 6.1 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2022-0360 - Changeset Plugin

The Easy Drag And Drop All Import : WP Ultimate CSV Importer WordPress plugin before 6.4.3 does not sanitise and escape imported comments, which could allow high-privilege users to import malicious ones (either intentionally or not) and lead to Stored Cross-Site Scripting issues.

PLUGIN Changeset

CVE-2022-0360

MEDIUM CVSS 4.8 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-25081 - Changeset Plugin

The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged-in admins delete arbitrary posts and update the plugin's settings via a CSRF attack.

PLUGIN Changeset

CVE-2021-25081

MEDIUM CVSS 6.5 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2022-0189 - Changeset Plugin

The WP RSS Aggregator WordPress plugin before 4.20 does not sanitise and escape the id parameter in the wprss_fetch_items_row_action AJAX action before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2022-0189

MEDIUM CVSS 6.1 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2022-0150 - Changeset Plugin

The WP Accessibility Helper (WAH) WordPress plugin before 0.6.0.7 does not sanitise and escape the wahi parameter before outputting its base64-decoded value back in the page, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2022-0150

MEDIUM CVSS 6.1 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-25112 - Changeset Plugin

The WHMCS Bridge WordPress plugin before 6.4b does not sanitise and escape the error parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2021-25112

MEDIUM CVSS 6.1 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-25011 - Changeset Plugin

The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF checks in most of its AJAX actions, which could allow any authenticated user, such as a subscriber, to delete arbitrary posts and update the plugin's settings.

PLUGIN Changeset

CVE-2021-25011

MEDIUM CVSS 5.7 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-25118 - Changeset Plugin

The Yoast SEO WordPress plugin (from versions 16.7 until 17.2) discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.

PLUGIN Changeset

CVE-2021-25118

MEDIUM CVSS 5.3 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-24920 - Changeset Plugin

The StatCounter WordPress plugin before 2.0.7 does not sanitise and escape the Project ID and Secure Code settings, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Changeset

CVE-2021-24920

MEDIUM CVSS 4.8 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2022-0328 - Changeset Plugin

The Simple Membership WordPress plugin before 4.0.9 does not have a CSRF check when deleting members in bulk, which could allow attackers to make a logged-in admin delete them via a CSRF attack.

PLUGIN Changeset

CVE-2022-0328

MEDIUM CVSS 4.7 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-24913 - Changeset Plugin

The Logo Showcase with Slick Slider WordPress plugin before 2.0.1 does not have a CSRF check in the lswss_save_attachment_data AJAX action, allowing attackers to make a logged-in high-privilege user change the title, description, alt text, and URL of arbitrary uploaded media.

PLUGIN Changeset

CVE-2021-24913

MEDIUM CVSS 4.3 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-24864 - Changeset Plugin

The WP Cloudy, weather plugin WordPress plugin before 4.4.9 does not escape the post_id parameter before using it in a SQL statement in the admin dashboard, leading to a SQL Injection issue.

PLUGIN Changeset

CVE-2021-24864

HIGH CVSS 8.8 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2022-0228 - Changeset Plugin

The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high-privilege users to perform SQL injection.

PLUGIN Changeset

CVE-2022-0228

HIGH CVSS 7.2 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2022-0252 - Changeset Plugin

The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute in the Import admin dashboard, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2022-0252

MEDIUM CVSS 6.1 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2022-0234 - Changeset Plugin

The WOOCS WordPress plugin before 1.3.7.5 does not sanitise and escape the woocs_in_order_currency parameter of the woocs_get_products_price_html AJAX action (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2022-0234

MEDIUM CVSS 6.1 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2022-0313 - Changeset Plugin

The Float menu WordPress plugin before 4.3.1 does not have a CSRF check in place when deleting menus, which could allow attackers to make a logged-in admin delete them via a CSRF attack.

PLUGIN Changeset

CVE-2022-0313

MEDIUM CVSS 4.3 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2022-0199 - Changeset Plugin

The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have a CSRF check in its coming_soon_send_mail AJAX action, allowing attackers to make a logged-in admin send arbitrary emails to all subscribed users via a CSRF attack.

PLUGIN Changeset

CVE-2022-0199

MEDIUM CVSS 4.3 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2022-0164 - Changeset Plugin

The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated user, with a role as low as subscriber, to send arbitrary emails to all subscribed users.

PLUGIN Changeset

CVE-2022-0164

MEDIUM CVSS 4.3 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2021-25082 - Changeset Plugin

The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to an RCE vulnerability via wrappers such as PHAR.

PLUGIN Changeset

CVE-2021-25082

HIGH CVSS 8.8 2022-02-21
Threat Entry Updated 2025-03-21

CVE-2021-25069 - Changeset Plugin

The Download Manager WordPress plugin before 3.2.34 does not sanitise and escape the package_ids parameter before using it in a SQL statement, leading to a SQL injection, which can also be exploited to cause a Reflected Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2021-25069

HIGH CVSS 8.8 2022-02-21