Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-21

CVE-2022-1090 - Good & Bad Comments plugin through 1.0.0

The Good & Bad Comments WordPress plugin through 1.0.0 does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM | CVSS 4.8 | 2022-04-18
CVE-2022-0661 - Ad Injection plugin through 1.2.0.19

The Ad Injection WordPress plugin through 1.2.0.19 does not properly sanitise the body of the adverts injected into the pages, allowing a high privileged user (Admin+) to inject arbitrary HTML or JavaScript even with unfiltered_html disallowed, leading to a stored cross-site scripting (XSS) vulnerability. It is also possible to inject PHP code, leading to a Remote Code Execution (RCE) vulnerability, even if the DISALLOW_FILE_EDIT and DISALLOW_FILE_MOD constants are both set. Those two constants only disable WordPress's built-in theme/plugin editors and installers; they do not constrain code that a plugin itself chooses to execute, so they are not a mitigation for this class of bug.

HIGH | CVSS 7.2 | 2022-04-18
CVE-2022-1088 - Page Security & Membership plugin through 1.5.15

The Page Security & Membership WordPress plugin through 1.5.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM | CVSS 4.8 | 2022-04-18
CVE-2022-0830 - FormBuilder plugin through 1.08

The FormBuilder WordPress plugin through 1.08 does not have CSRF checks in place when creating, updating and deleting forms, and does not sanitise or escape its form field values. As a result, attackers could make a logged-in admin update or delete arbitrary forms via a CSRF attack, and plant Cross-Site Scripting payloads in them.

MEDIUM | CVSS 6.5 | 2022-04-04
CVE-2021-25113 - Dropdown Menu Widget plugin through 1.9.7

The Dropdown Menu Widget WordPress plugin through 1.9.7 does not have authorisation and CSRF checks when saving its settings, allowing low privilege users such as subscribers to update them. Due to the lack of sanitisation and escaping, this could also lead to Stored Cross-Site Scripting issues.

MEDIUM | CVSS 5.4 | 2022-04-04
CVE-2022-0647 - Bulk Creator plugin through 1.0.1

The Bulk Creator WordPress plugin through 1.0.1 does not sanitize and escape the post_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

MEDIUM | CVSS 6.1 | 2022-03-28
CVE-2022-0643 - Bank Mellat plugin through 1.3.7

The Bank Mellat WordPress plugin through 1.3.7 does not sanitize and escape the orderId parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

MEDIUM | CVSS 6.1 | 2022-03-28
CVE-2022-0621 - dTabs plugin through 1.4

The dTabs WordPress plugin through 1.4 does not sanitize and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

MEDIUM | CVSS 6.1 | 2022-03-28
CVE-2022-0619 - Database Peek plugin through 1.2

The Database Peek WordPress plugin through 1.2 does not sanitize and escape the match parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

MEDIUM | CVSS 6.1 | 2022-03-28
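The four entries above (CVE-2022-0647, CVE-2022-0643, CVE-2022-0621 and CVE-2022-0619) share one shape: a request parameter is read and echoed into an admin page without escaping, so an attacker who gets an administrator to open a crafted link runs script in the admin's session. The following is an added example, not code from any of the listed plugins, showing a vulnerable page fragment beside a hardened one. It defines minimal stand-ins for WordPress's esc_html() and esc_attr() so that it runs from the PHP command line (inside WordPress the real functions are used and the stand-ins are skipped); the `match` parameter name, the markup and the payload are constructed for the demonstration.

```php
<?php
// Added example: reflected XSS of a request parameter in an admin page, and its fix.

// Stand-ins for the WordPress escaping helpers, used only when this file runs
// outside WordPress. The real functions also repair invalid UTF-8 and normalise
// pre-existing entities; these approximations are enough for the demo.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable: the 'match' query parameter is echoed straight into the page,
// once between tags and once inside an attribute value.
function render_vulnerable(array $get): string {
    $match = (string) ($get['match'] ?? '');
    return '<h2>Results for ' . $match . '</h2>' . "\n"
         . '<input type="text" name="match" value="' . $match . '">' . "\n";
}

// Hardened: escape at the point of output, for the context each value lands in.
// (In WordPress, read the parameter through wp_unslash() first.)
function render_safe(array $get): string {
    $match = (string) ($get['match'] ?? '');
    // Data handed to inline script is JSON-encoded with the hex flags so that
    // quotes and </script> cannot break out of the script block
    // (WordPress: wp_json_encode() with the same flags).
    $forJs = json_encode($match, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<h2>Results for ' . esc_html($match) . '</h2>' . "\n"
         . '<input type="text" name="match" value="' . esc_attr($match) . '">' . "\n"
         . '<script>var lastMatch = ' . $forJs . ';</script>' . "\n";
}

// True when the raw payload survives into the markup unescaped.
function contains_live_payload(string $html, string $payload): bool {
    return strpos($html, $payload) !== false;
}

// Constructed payload of the kind used against admin pages: it closes the
// attribute value, closes the tag, and injects a script that runs as the admin.
$payload = '"><script>fetch("/wp-admin/user-new.php")</script>';
$request = ['match' => $payload];

echo 'vulnerable page carries live payload: '
   . var_export(contains_live_payload(render_vulnerable($request), $payload), true) . "\n";
echo 'hardened page carries live payload:   '
   . var_export(contains_live_payload(render_safe($request), $payload), true) . "\n";
echo render_safe($request);
```

The point the entries make is that escaping has to happen at output and per context: the same value needs esc_html() between tags, esc_attr() inside an attribute and JSON encoding with the hex flags inside a script block. Nonce and capability checks do not help with reflected XSS, because the victim is an authenticated administrator following a link.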
CVE-2021-25068 - Sync WooCommerce Product feed to Google Shopping plugin through 1.2.4

The Sync WooCommerce Product feed to Google Shopping WordPress plugin through 1.2.4 uses the 'feed_id' POST parameter, which is not properly sanitised for use in a SQL statement, leading to a SQL injection vulnerability in the admin dashboard.

HIGH | CVSS 7.2 | 2022-03-28
CVE-2022-22735 - Simple Quotation plugin through 1.3.2

The Simple Quotation WordPress plugin through 1.3.2 does not have authorisation (and CSRF) checks in several of its AJAX actions and does not escape user data before using it in SQL statements, allowing any authenticated user, such as a subscriber, to perform SQL injection attacks.

HIGH | CVSS 8.8 | 2022-03-14
CVE-2022-22734 - Simple Quotation plugin through 1.3.2

The Simple Quotation WordPress plugin through 1.3.2 does not have a CSRF check when creating or editing a quote and does not sanitise and escape quotes. As a result, an attacker could make a logged-in admin create or edit arbitrary quotes, and plant Cross-Site Scripting payloads in them.

MEDIUM | CVSS 6.1 | 2022-03-14
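CVE-2022-0830, CVE-2021-25113, CVE-2022-22735 and CVE-2022-22734 above (and CVE-2021-24950 further down) describe handlers that accept a state-changing request from any logged-in user, or from a cross-site form that an administrator's browser submits. The following is an added WordPress plugin fragment, not code from any of those plugins, showing the unprotected shape beside the two checks every such handler needs. It runs only inside WordPress; the option name, the action names and the manage_options capability are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Demo Quote Hardening (added example, not code from any listed plugin)
 * Runs only inside WordPress. Option/action names and the capability are assumptions.
 */

// --- Vulnerable shape ----------------------------------------------------------
// wp_ajax_{action} fires for every logged-in user, whatever their role, so this
// handler lets a subscriber overwrite the option; and with no nonce, a page on
// another site can make an admin's browser send the same request (CSRF).
add_action('wp_ajax_demo_quote_save_vulnerable', function () {
    update_option('demo_quote', $_POST['quote'] ?? '');
    wp_die();
});

// --- Hardened AJAX handler -----------------------------------------------------
add_action('wp_ajax_demo_quote_save', function () {
    // CSRF: the request must carry a nonce created with
    // wp_create_nonce('demo_quote_save'), sent as _ajax_nonce (or _wpnonce).
    // check_ajax_referer() terminates the request when it is missing or invalid.
    check_ajax_referer('demo_quote_save');

    // Authorisation: a nonce proves the request came from a page WordPress
    // rendered for this user, not that the user may change settings. A
    // subscriber obtains a nonce as easily as an admin, so this check stays.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'insufficient privileges'], 403);
    }

    // Input: unslash, then reduce to the type and size the option is meant to hold.
    $quote = isset($_POST['quote']) ? sanitize_text_field(wp_unslash($_POST['quote'])) : '';
    $quote = mb_substr($quote, 0, 500);

    update_option('demo_quote', $quote);
    wp_send_json_success(['quote' => $quote]);
});

// --- Hardened classic form post (the FormBuilder / Simple Quotation shape) -----
add_action('admin_post_demo_quote_save', function () {
    // Same two checks, form flavour: the nonce arrives in the _wpnonce field.
    check_admin_referer('demo_quote_save');
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Sorry, you are not allowed to do that.'), 403);
    }
    $quote = isset($_POST['quote']) ? sanitize_text_field(wp_unslash($_POST['quote'])) : '';
    update_option('demo_quote', mb_substr($quote, 0, 500));
    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php?page=demo-quote')));
    exit;
});

// Settings page that issues the nonce the form handler expects.
add_action('admin_menu', function () {
    add_options_page('Demo Quote', 'Demo Quote', 'manage_options', 'demo-quote', function () {
        ?>
        <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
            <input type="hidden" name="action" value="demo_quote_save">
            <?php wp_nonce_field('demo_quote_save'); ?>
            <input type="text" name="quote"
                   value="<?php echo esc_attr(get_option('demo_quote', '')); ?>">
            <?php submit_button('Save'); ?>
        </form>
        <?php
    });
});
```

The two checks answer different questions. check_ajax_referer() and check_admin_referer() verify a nonce, which proves the request originated from a page WordPress rendered for this user (the CSRF defence). current_user_can() is the authorisation check; since any authenticated user can obtain a nonce, skipping it is exactly why the Dropdown Menu Widget and Simple Quotation entries list subscribers as the attacker. Note that wp_ajax_{action} hooks are reachable by every authenticated role and wp_ajax_nopriv_{action} hooks by anyone at all.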
CVE-2022-0703 - GD Mylist plugin through 1.1.1

The GD Mylist WordPress plugin through 1.1.1 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM | CVSS 4.8 | 2022-03-14
CVE-2022-0702 - Petfinder Listings plugin through 1.0.18

The Petfinder Listings WordPress plugin through 1.0.18 does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM | CVSS 4.8 | 2022-03-14
CVE-2022-0701 - SEO 301 Meta plugin through 1.9.1

The SEO 301 Meta WordPress plugin through 1.9.1 does not escape its Request and Destination settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM | CVSS 4.8 | 2022-03-14
CVE-2022-0230 - Better WordPress Google XML Sitemaps plugin through 1.4.1

The Better WordPress Google XML Sitemaps WordPress plugin through 1.4.1 does not sanitise and escape its logs when outputting them in the admin dashboard, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against admins.

MEDIUM | CVSS 6.1 | 2022-03-14
CVE-2021-24959 - WP Email Users plugin through 1.7.6

The WP Email Users WordPress plugin through 1.7.6 does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, available to any authenticated user, allowing them to perform SQL injection attacks.

HIGH | CVSS 8.8 | 2022-03-14
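CVE-2021-25068, CVE-2022-22735 and CVE-2021-24959 above are the same defect: request data spliced into a SQL string. The following added example, not code from any of the listed plugins, reproduces it against an in-memory SQLite database through PDO (it assumes the pdo_sqlite extension) so that it runs offline; the table, rows and payloads are constructed. In a WordPress plugin the fix is the same idea expressed through $wpdb->prepare() with %d and %s placeholders.

```php
<?php
// Added example: SQL injection through an integer and a string parameter, and the fix.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE feeds (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
    // Constructed rows: a caller who owns feed 7 must never see feed 8's secret.
    $db->exec("INSERT INTO feeds VALUES (7, 'shop feed', 'public'), (8, 'staging feed', 'api-key-xyz')");
    return $db;
}

// Vulnerable, integer case (the feed_id shape): the POST value is interpolated
// unquoted, so 'OR' payloads rewrite the WHERE clause.
function feed_by_id_vulnerable(PDO $db, string $feedId): array {
    return $db->query("SELECT id, name, secret FROM feeds WHERE id = $feedId")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Vulnerable, string case (the AJAX data_raw / quote-search shape): quoting the
// value in SQL is no defence when the value may itself contain a quote.
function feeds_by_name_vulnerable(PDO $db, string $name): array {
    return $db->query("SELECT id, name, secret FROM feeds WHERE name = '$name'")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: enforce the type first, then bind. Once feed_id is actually an integer
// there is nothing left to inject.
function feed_by_id_safe(PDO $db, string $feedId): array {
    if (!ctype_digit($feedId)) {
        return [];                                   // reject anything that is not a bare integer
    }
    $stmt = $db->prepare('SELECT id, name, secret FROM feeds WHERE id = :id');
    $stmt->execute([':id' => (int) $feedId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the string travels as a bound parameter, never as SQL text.
function feeds_by_name_safe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name, secret FROM feeds WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
$idPayload   = '7 OR 1=1';        // constructed: turns the WHERE clause into a tautology
$namePayload = "x' OR '1'='1";    // constructed: breaks out of the quoted string

printf("vulnerable id lookup:    %d row(s)\n", count(feed_by_id_vulnerable($db, $idPayload)));
printf("vulnerable name lookup:  %d row(s)\n", count(feeds_by_name_vulnerable($db, $namePayload)));
printf("safe id lookup:          %d row(s)\n", count(feed_by_id_safe($db, $idPayload)));
printf("safe name lookup:        %d row(s)\n", count(feeds_by_name_safe($db, $namePayload)));
printf("safe id lookup, valid:   %d row(s)\n", count(feed_by_id_safe($db, '7')));
```

The integer case is why the feed_id entry matters even to code that "escapes": because the value is not quoted in the SQL, an escaping function such as esc_sql() returns `7 OR 1=1` unchanged, and only type enforcement or a %d placeholder helps. In the string case escaping happens to work until a character set or context is missed, which is why binding is the rule rather than escaping.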
CVE-2021-24950 - Insight Core plugin through 1.0

The Insight Core WordPress plugin through 1.0 does not have any authorisation or CSRF checks in insight_customizer_options_import (available to any authenticated user), does not validate user input before passing it to unserialize(), and does not sanitise and escape it before outputting it in the response. As a result, it could allow users with a role as low as Subscriber to perform PHP Object Injection, as well as Stored Cross-Site Scripting attacks.

MEDIUM | CVSS 5.4 | 2022-03-14
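The Insight Core entry combines the missing authorisation and CSRF checks with unserialize() on user input. The following added example, not code from that plugin, shows why that is a PHP Object Injection primitive and two ways to close it. The DeferredFileWriter gadget class, the option names and the payloads are constructed for the demonstration; it runs from the PHP command line on PHP 8 or later.

```php
<?php
// Added example: PHP Object Injection through unserialize() on request data.

// A plausible gadget: a class that flushes a buffer to disk when destroyed.
// Nothing about it is "vulnerable"; it only becomes dangerous when an attacker
// picks its property values.
class DeferredFileWriter {
    public string $path = '';
    public string $data = '';
    public function __destruct() {
        if ($this->path !== '') {
            @file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable import: whatever class the payload names is instantiated with
// attacker-chosen properties, and its __wakeup/__destruct run on the server.
function import_options_vulnerable(string $payload): mixed {
    return unserialize($payload);
}

// Hardened, option 1: change the format to JSON, which cannot produce objects,
// and keep only allow-listed keys coerced to their expected type.
function import_options_safe(string $payload): array {
    $allowed = ['accent_color' => 'string', 'sidebar_width' => 'int'];
    $data = json_decode($payload, true, 4, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('import must be a JSON object');
    }
    $clean = [];
    foreach ($allowed as $key => $type) {
        if (array_key_exists($key, $data)) {
            $clean[$key] = $type === 'int' ? (int) $data[$key] : (string) $data[$key];
        }
    }
    return $clean;
}

// Hardened, option 2 (when the serialized format cannot be dropped): forbid
// classes outright. Objects in the payload become __PHP_Incomplete_Class
// instances whose magic methods never run; reject any that appear.
function unserialize_no_objects(string $payload): array {
    $data = unserialize($payload, ['allowed_classes' => false, 'max_depth' => 8]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('import must be a serialized array');
    }
    array_walk_recursive($data, function ($value) {
        if (is_object($value)) {
            throw new InvalidArgumentException('objects are not permitted in the import');
        }
    });
    return $data;
}

// --- Demonstration ---
$target = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.txt';
$gadget = new DeferredFileWriter();
$gadget->path = $target;
$gadget->data = 'attacker-controlled content';
$payload = serialize($gadget);     // what an attacker would POST as the "import"
$gadget->path = '';                // disarm the local copy so only the import can write

import_options_vulnerable($payload);   // returned object is discarded at once, so __destruct fires
clearstatcache();
echo 'vulnerable import wrote the file: ' . var_export(file_exists($target), true) . "\n";
@unlink($target);

try {
    unserialize_no_objects($payload);
} catch (InvalidArgumentException $e) {
    echo 'allowed_classes=false import rejected: ' . $e->getMessage() . "\n";
}
clearstatcache();
echo 'file written by hardened import: ' . var_export(file_exists($target), true) . "\n";

$clean = import_options_safe('{"accent_color":"#0a84ff","sidebar_width":"320","unknown_key":"dropped"}');
echo 'JSON import kept: ' . json_encode($clean) . "\n";
```

The gadget here is deliberately small; on a real site the classes an attacker can name are every class autoloaded by WordPress, the theme and the other plugins, which is why the fix is to keep request data away from unserialize() altogether rather than to audit one plugin's own classes. json_decode() with associative arrays cannot yield objects; allowed_classes => false is the fallback when the serialized format genuinely cannot be replaced.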
CVE-2021-24897 - Add Subtitle plugin through 1.1.0

The Add Subtitle WordPress plugin through 1.1.0 does not sanitise or escape the sub-title field (available only with the classic editor) when output in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.

MEDIUM | CVSS 5.4 | 2022-03-14
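Seven entries on this page (CVE-2022-1090, CVE-2022-1088, CVE-2022-0703, CVE-2022-0702, CVE-2022-0701, CVE-2022-0230 and CVE-2021-24897) are stored Cross-Site Scripting through values a plugin saves itself: settings, log lines or a per-post field. The following is an added WordPress plugin fragment, not code from any of those plugins, showing how to sanitise on save and escape on output, and why the unfiltered_html capability does not cover such values. It runs only inside WordPress; the option, meta and field names and the tag allow-list are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Demo Banner Settings (added example, not code from any listed plugin)
 * Runs only inside WordPress; option, meta and field names and the tag allow-list are assumptions.
 */

// Why the entries say "even when unfiltered_html is disallowed": WordPress
// applies its kses filters to post content, excerpts, titles and comments of
// users lacking that capability, not to values a plugin stores itself through
// update_option() or update_post_meta(). The plugin has to allow-list on save
// and escape on output.

function demo_banner_allowed_tags(): array {
    return [
        'a'      => ['href' => true, 'title' => true, 'rel' => true],
        'strong' => [],
        'em'     => [],
        'br'     => [],
    ];
}

add_action('admin_init', function () {
    // A sanitize_callback on the registered setting filters every write path
    // (options.php form post, REST API, WP-CLI), not only the plugin's own form.
    register_setting('demo_banner', 'demo_banner_options', [
        'type'              => 'array',
        'default'           => ['heading' => '', 'link' => '', 'body' => ''],
        'sanitize_callback' => function ($input) {
            $input = is_array($input) ? $input : [];
            return [
                'heading' => sanitize_text_field($input['heading'] ?? ''),              // plain text only
                'link'    => esc_url_raw($input['link'] ?? ''),                         // drops javascript: and friends
                'body'    => wp_kses($input['body'] ?? '', demo_banner_allowed_tags()),  // limited HTML
            ];
        },
    ]);
});

// Output: escape for the context even though the values were sanitised on save.
// Sanitising bounds what is stored; escaping decides how it renders.
function demo_banner_html(): string {
    $o = wp_parse_args(get_option('demo_banner_options'), ['heading' => '', 'link' => '', 'body' => '']);
    return '<div class="demo-banner">'
         . '<h3><a href="' . esc_url($o['link']) . '">' . esc_html($o['heading']) . '</a></h3>'
         . '<p>' . wp_kses($o['body'], demo_banner_allowed_tags()) . '</p>'
         . '</div>';
}
add_shortcode('demo_banner', 'demo_banner_html');

// Per-post field, the Add Subtitle shape: a contributor can save it, so it is
// stored as plain text and escaped wherever a theme prints it.
add_action('add_meta_boxes', function () {
    add_meta_box('demo_subtitle', 'Subtitle', function (WP_Post $post) {
        wp_nonce_field('demo_subtitle_save', 'demo_subtitle_nonce');
        echo '<input type="text" name="demo_subtitle" value="'
           . esc_attr(get_post_meta($post->ID, '_demo_subtitle', true)) . '">';
    }, 'post');
});

add_action('save_post', function ($post_id) {
    if (wp_is_post_autosave($post_id) || wp_is_post_revision($post_id)) {
        return;
    }
    if (!isset($_POST['demo_subtitle'], $_POST['demo_subtitle_nonce'])
        || !wp_verify_nonce($_POST['demo_subtitle_nonce'], 'demo_subtitle_save')
        || !current_user_can('edit_post', $post_id)) {
        return;
    }
    update_post_meta($post_id, '_demo_subtitle', sanitize_text_field(wp_unslash($_POST['demo_subtitle'])));
});

// Template tag for themes: the only place the subtitle reaches HTML.
function demo_subtitle_html(int $post_id): string {
    $subtitle = (string) get_post_meta($post_id, '_demo_subtitle', true);
    return $subtitle === '' ? '' : '<p class="subtitle">' . esc_html($subtitle) . '</p>';
}
```

The log-display case (CVE-2022-0230) is the same rule applied to data that was never typed by a user at all: a log line assembled from a request header or URL is attacker-controlled, so it gets esc_html() when the dashboard prints it, exactly like a setting.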
CVE-2021-24966 - Error Log Viewer plugin through 1.1.1

The Error Log Viewer WordPress plugin through 1.1.1 does not validate the path of the log file to clear, allowing high privilege users to clear arbitrary files on the web server, including those outside of the blog folder.

MEDIUM | CVSS 4.9 | 2022-03-14
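The Error Log Viewer entry above is a path traversal in a file-clearing feature. The following added example, not code from that plugin, shows the unchecked version beside one confined to the plugin's log directory. The directory and file names are constructed; the script creates them under the system temp directory and runs from the PHP command line.

```php
<?php
// Added example: arbitrary file truncation through an unvalidated path, and the fix.

// Vulnerable: the request names the file, so the web server user can truncate
// anything it can write (wp-config.php, .htaccess, other plugins' files).
function clear_log_vulnerable(string $requested): bool {
    return file_put_contents($requested, '') !== false;
}

// Hardened: the feature only ever needs a bare file name inside one directory.
// Resolve the candidate there and confirm the resolved path is still under it;
// realpath() collapses ../ and follows symlinks, so a link placed inside the
// directory that points outside is rejected as well.
function clear_log_safe(string $logDir, string $requested): bool {
    $base = realpath($logDir);
    if ($base === false) {
        return false;
    }
    $name = basename($requested);                               // drop any directory part
    if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9._-]+\.log$/', $name)) {
        return false;                                           // only plain *.log names
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_file($candidate)) {
        return false;                                           // clears existing files, never creates
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;                                           // resolved outside the log directory
    }
    return file_put_contents($candidate, '') !== false;
}

// --- Demonstration ---
$root   = sys_get_temp_dir() . '/clearlog-demo-' . getmypid();
$logDir = $root . '/logs';
mkdir($logDir, 0700, true);
$config = "<?php define('DB_PASSWORD', 'secret');\n";          // constructed stand-in for wp-config.php
file_put_contents($logDir . '/error.log', "notice: something happened\n");
file_put_contents($root . '/wp-config.php', $config);

// Constructed attacker request: traverse from the log directory to a file outside it.
$traversal = $logDir . '/../wp-config.php';

clear_log_vulnerable($traversal);
clearstatcache();
printf("vulnerable: wp-config.php now %d bytes\n", filesize($root . '/wp-config.php'));

file_put_contents($root . '/wp-config.php', $config);          // restore for the second run
$refused = !clear_log_safe($logDir, $traversal);
clearstatcache();
printf("hardened: traversal refused=%s, wp-config.php still %d bytes\n",
       var_export($refused, true), filesize($root . '/wp-config.php'));

$ok = clear_log_safe($logDir, 'error.log');
clearstatcache();
printf("hardened: legitimate clear ok=%s, error.log now %d bytes\n",
       var_export($ok, true), filesize($logDir . '/error.log'));

// Clean up the constructed files.
unlink($logDir . '/error.log');
unlink($root . '/wp-config.php');
rmdir($logDir);
rmdir($root);
```

In WordPress the handler that calls clear_log_safe() still needs the nonce and capability checks shown for the other entries; this entry's attacker is already a high-privilege user, and the path check is what limits even that user to the one directory the feature exists for.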