Threat Database

Live Vulnerability Intelligence: search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 179 | Critical: 16 | High: 33 | Medium: 129

Showing 141-160 of 179 records. Threat entries updated 2024-11-21.

CVE-2022-1761 - Peter's Collaboration E-mails plugin through 2.2.0

The Peter's Collaboration E-mails WordPress plugin through 2.2.0 is vulnerable to CSRF because its settings-update handler performs no nonce check. An attacker who gets a logged-in administrator to visit a crafted page can change the plugin's settings, including lowering the user level required to use its features, changing its texts, and changing the e-mail address it uses.

MEDIUM CVSS 6.5 2022-06-13
CVE-2022-1781 - postTabs plugin through 2.10.6

The postTabs WordPress plugin through 2.10.6 has no CSRF check in place when its settings are updated, so an attacker can make a logged-in administrator change them via a CSRF attack. Because the settings are neither sanitised on input nor escaped on output, this also leads to stored cross-site scripting.

MEDIUM CVSS 5.4 2022-06-13
CVE-2022-1763 - Static Page eXtended plugin through 2.1

Because of missing CSRF checks, the Static Page eXtended WordPress plugin through 2.1 lets an attacker change the plugin's settings through a logged-in administrator's browser, including the user levels required for specific features. Some of the settings are not escaped on output, so this can also lead to stored cross-site scripting.

MEDIUM CVSS 5.4 2022-06-13
CVE-2022-1759 - RB Internal Links plugin through 2.0.16

The RB Internal Links WordPress plugin through 2.0.16 has no CSRF check in place when its settings are updated, so an attacker can make a logged-in administrator change them via a CSRF attack. The lack of sanitisation and escaping of those settings also allows stored cross-site scripting.

MEDIUM CVSS 5.4 2022-06-13
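The four entries above share one root cause: a settings handler that trusts whatever `$_POST` carries and checks neither a nonce nor a capability, then echoes the stored value unescaped. The following is an added illustration of that pattern and its fix, not code from any of the plugins listed; the plugin slug `demo-links`, the option names `demo_links_title` / `demo_links_min_level`, the `admin_post_` action names and the nonce action string are all assumed for the example.

```php
<?php
/**
 * Added illustration (not code from any plugin in this listing).
 * Hypothetical plugin "demo-links" with one settings form.
 */

// --- VULNERABLE shape: the pattern behind the four CSRF entries above ---
function demo_links_save_settings_vulnerable() {
    // No capability check, no nonce check, no sanitisation: a hidden form on
    // any page the admin visits can POST here and the value is stored verbatim.
    update_option( 'demo_links_title', $_POST['title'] );
    update_option( 'demo_links_min_level', $_POST['min_level'] );
}
add_action( 'admin_post_demo_links_save_vuln', 'demo_links_save_settings_vulnerable' );

function demo_links_render_title_vulnerable() {
    echo '<h2>' . get_option( 'demo_links_title' ) . '</h2>'; // stored XSS
}

// --- HARDENED -----------------------------------------------------------
function demo_links_allowed_levels() {
    return array( 'subscriber', 'contributor', 'editor', 'administrator' );
}

function demo_links_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_links_save">
        <?php wp_nonce_field( 'demo_links_save_settings', 'demo_links_nonce' ); ?>
        <input type="text" name="title"
               value="<?php echo esc_attr( get_option( 'demo_links_title', '' ) ); ?>">
        <select name="min_level">
            <?php foreach ( demo_links_allowed_levels() as $role ) : ?>
                <option value="<?php echo esc_attr( $role ); ?>"
                    <?php selected( get_option( 'demo_links_min_level', 'editor' ), $role ); ?>>
                    <?php echo esc_html( $role ); ?>
                </option>
            <?php endforeach; ?>
        </select>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function demo_links_save_settings() {
    // 1. Authorisation: only users allowed to manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the nonce is bound to this user, this action and a time
    //    window; a cross-site form cannot know it. Dies on failure.
    check_admin_referer( 'demo_links_save_settings', 'demo_links_nonce' );

    // 3. Sanitise on input; the privilege setting is allow-listed so a
    //    forged request cannot lower it to an arbitrary value.
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $level = sanitize_key( $_POST['min_level'] ?? '' );
    if ( ! in_array( $level, demo_links_allowed_levels(), true ) ) {
        $level = 'editor';
    }
    update_option( 'demo_links_title', $title );
    update_option( 'demo_links_min_level', $level );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_demo_links_save', 'demo_links_save_settings' );

function demo_links_render_title() {
    // 4. Escape on output regardless of what was sanitised on the way in.
    echo '<h2>' . esc_html( get_option( 'demo_links_title', '' ) ) . '</h2>';
}
```

The nonce alone is not a substitute for the capability check: a nonce proves the request originated from a form WordPress rendered for this user, while `current_user_can()` decides whether that user may change the setting at all. Both are needed, and the allow-list on the privilege field is what prevents the "lower the required user level" outcome even if a future bug bypasses the other two.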
CVE-2022-0827 - Bestbooks plugin through 2.6.3

The Bestbooks WordPress plugin through 2.6.3 does not sanitise or escape some parameters before using them in a SQL statement executed via an AJAX action, leading to a SQL injection that is exploitable by unauthenticated users.

CRITICAL CVSS 9.8 2022-06-13
CVE-2022-1299 - Slideshow plugin through 2.3.1

The Slideshow WordPress plugin through 2.3.1 does not sanitise or escape some of its default slideshow settings, which allows high-privileged users such as administrators to perform cross-site scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2022-05-30
CVE-2022-1294 - IMDB info box plugin through 2.0

The IMDB info box WordPress plugin through 2.0 does not sanitise or escape some of its settings, which allows high-privileged users to perform cross-site scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2022-05-30
CVE-2022-1268 - Donate Extra plugin through 2.02

The Donate Extra WordPress plugin through 2.02 does not sanitise or escape a request parameter before outputting it back in the response, leading to reflected cross-site scripting.

MEDIUM CVSS 6.1 2022-05-23
CVE-2022-1014 - WP Contacts Manager plugin through 2.2.4

The WP Contacts Manager WordPress plugin through 2.2.4 fails to properly sanitise user-supplied POST data before interpolating it into a SQL statement that is then executed, leading to SQL injection.

CRITICAL CVSS 9.8 2022-05-23
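Both SQL injection entries (CVE-2022-0827 above and CVE-2022-1014) describe request data interpolated straight into a query string inside an AJAX handler, in the first case reachable without authentication. The following is an added illustration, not code from Bestbooks or WP Contacts Manager; the table name `{$wpdb->prefix}demo_contacts`, the AJAX action `demo_contact_search`, the `edit_posts` capability and the nonce action string are assumed for the example.

```php
<?php
/**
 * Added illustration (not code from any plugin in this listing).
 * Hypothetical contact-search AJAX action over a custom table.
 */

// --- VULNERABLE shape ---------------------------------------------------
function demo_contact_search_vulnerable() {
    global $wpdb;
    $name = $_POST['name'];   // attacker controlled, unauthenticated via _nopriv
    // name=x' UNION SELECT ID,user_login,user_pass FROM wp_users-- -
    $rows = $wpdb->get_results(
        "SELECT id, name, email FROM {$wpdb->prefix}demo_contacts WHERE name = '$name'"
    );
    wp_send_json( $rows );
}
add_action( 'wp_ajax_nopriv_demo_contact_search_vuln', 'demo_contact_search_vulnerable' );
add_action( 'wp_ajax_demo_contact_search_vuln', 'demo_contact_search_vulnerable' );

// --- HARDENED -----------------------------------------------------------
function demo_contact_search() {
    global $wpdb;

    // Registered only for logged-in users (no _nopriv hook), with an explicit
    // capability check and a nonce so the call cannot be forged cross-site.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'demo_contact_search' );   // reads _ajax_nonce

    $name = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $page = max( 1, absint( $_POST['page'] ?? 1 ) );
    $per  = 20;

    // Parameterised query: values travel as bound placeholders; identifiers
    // (table, ORDER BY column) never come from the request. LIKE input is
    // escaped separately so % and _ typed by the user stay literal.
    $like = '%' . $wpdb->esc_like( $name ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, name, email
           FROM {$wpdb->prefix}demo_contacts
          WHERE name LIKE %s
       ORDER BY name ASC
          LIMIT %d OFFSET %d",
        $like,
        $per,
        ( $page - 1 ) * $per
    );
    $rows = $wpdb->get_results( $sql );

    // Escape on the way out too: the JSON is rendered into the page by JS.
    $out = array();
    foreach ( $rows as $r ) {
        $out[] = array(
            'id'    => (int) $r->id,
            'name'  => esc_html( $r->name ),
            'email' => sanitize_email( $r->email ),
        );
    }
    wp_send_json_success( $out );
}
add_action( 'wp_ajax_demo_contact_search', 'demo_contact_search' );

// The admin-page JS sends wp_create_nonce( 'demo_contact_search' ) as the
// _ajax_nonce field alongside name and page.
```

`$wpdb->prepare()` only protects values; if a column or sort direction has to be user-selectable, map it through a fixed allow-list in PHP before it reaches the SQL string. Dropping the `wp_ajax_nopriv_` registration is what turns the CVSS 9.8 unauthenticated case into an authenticated one, and the capability check then narrows it further.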
CVE-2022-1418 - Social Stickers plugin through 2.2.9

The Social Stickers WordPress plugin through 2.2.9 has no CSRF checks in place when its Social Network settings are updated and does not escape some of those fields. An attacker can make a logged-in administrator change them, leading to stored cross-site scripting.

MEDIUM CVSS 6.1 2022-05-16
CVE-2022-0874 - WP Social Buttons plugin through 2.1

The WP Social Buttons WordPress plugin through 2.1 does not sanitise or escape its settings, allowing high-privileged users such as administrators to perform cross-site scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2022-05-09
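Three entries in this range (CVE-2022-1299, CVE-2022-1294 and CVE-2022-0874) carry the qualifier "even when the unfiltered_html capability is disallowed". The point is that WordPress only runs its kses HTML filter on post content, comments and a few core fields; a value saved with `update_option()` is stored verbatim. So on a multisite where only super-admins hold `unfiltered_html`, or on a site with `DISALLOW_UNFILTERED_HTML` set, a plugin setting becomes a way for an administrator to store `<script>` that the platform policy says they must not be able to. The following is an added illustration, not code from any of those plugins; the option name `demo_widget_html` and setting group `demo_widget` are assumed.

```php
<?php
/**
 * Added illustration (not code from any plugin in this listing).
 * Hypothetical "demo_widget" setting that holds a snippet of HTML.
 */

// --- VULNERABLE shape: raw POST value saved, raw option echoed ----------
function demo_widget_save_vulnerable() {
    // No kses filter runs on options, so <script> survives regardless of
    // whether this user holds unfiltered_html.
    update_option( 'demo_widget_html', wp_unslash( $_POST['demo_widget_html'] ) );
}
function demo_widget_render_vulnerable() {
    echo get_option( 'demo_widget_html' );
}

// --- HARDENED -----------------------------------------------------------
// The sanitize_callback runs on every save path (Settings API, REST, a
// direct update_option()), so the policy is enforced in one place.
function demo_widget_sanitize_html( $value ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        // Same tag set as post content; still drops <script> and on* handlers.
        return wp_kses_post( $value );
    }
    // User is not allowed unfiltered HTML: keep plain text only.
    return sanitize_text_field( $value );
}

function demo_widget_register_settings() {
    register_setting(
        'demo_widget',
        'demo_widget_html',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'demo_widget_sanitize_html',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'demo_widget_register_settings' );

function demo_widget_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <form method="post" action="options.php">
        <?php settings_fields( 'demo_widget' ); // emits nonce + option_page ?>
        <textarea name="demo_widget_html"><?php
            echo esc_textarea( get_option( 'demo_widget_html', '' ) );
        ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

function demo_widget_render() {
    // Filter again on output: values written by an older plugin version, or
    // by another plugin, never went through the sanitize_callback.
    echo wp_kses_post( get_option( 'demo_widget_html', '' ) );
}
```

Note that `wp_kses_post()` is deliberately the ceiling: a setting whose only purpose is a label or a URL should use `sanitize_text_field()` or `esc_url_raw()` on save and `esc_html()` / `esc_url()` on output instead of a tag allow-list.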
CVE-2022-1390 - Admin Word Count Column plugin through 2.2

The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter it passes to readfile(). Unauthenticated attackers can read arbitrary files on servers running an old PHP version susceptible to the null-byte truncation technique, and the same sink can lead to remote code execution through Phar deserialisation.

CRITICAL CVSS 9.8 2022-04-25
CVE-2022-0989 - NS WooCommerce Watermark plugin through 2.11.3

An unprivileged user can use the image-loading functionality of the NS WooCommerce Watermark WordPress plugin through 2.11.3 to fetch images from arbitrary domains and have them served through the vulnerable site. This lets an attacker, for example, deliver images that hide malware while making them appear to come from the vulnerable domain rather than from the malicious one.

HIGH CVSS 7.5 2022-04-11
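The entry above describes an image endpoint that fetches whatever URL it is handed and returns the bytes under the site's own origin, which makes the site an open proxy for any remote host and, depending on the fetch function, a path to internal addresses. The following is an added illustration, not NS WooCommerce Watermark's code; the AJAX action `demo_watermark` and the `src` / `id` parameter names are assumed.

```php
<?php
/**
 * Added illustration (not code from any plugin in this listing).
 * Hypothetical endpoint returning a resized/watermarked copy of an image.
 */

// --- VULNERABLE shape ---------------------------------------------------
function demo_watermark_vulnerable() {
    $src = $_GET['src'];                 // http://attacker.example/x.png
    $img = file_get_contents( $src );    // any scheme, any host, incl. internal
    header( 'Content-Type: image/png' );
    echo $img;                           // served from this site's origin
    exit;
}
add_action( 'wp_ajax_nopriv_demo_watermark_vuln', 'demo_watermark_vulnerable' );

// --- HARDENED: only this site's own media library, referenced by ID ------
function demo_watermark() {
    $id = absint( $_GET['id'] ?? 0 );
    if ( ! $id || 'attachment' !== get_post_type( $id ) || ! wp_attachment_is_image( $id ) ) {
        status_header( 404 );
        exit;
    }
    // Resolve to a real file and confirm it lives under the uploads dir.
    $file = get_attached_file( $id );
    $base = realpath( wp_upload_dir()['basedir'] );
    $real = $file ? realpath( $file ) : false;
    if ( ! $base || ! $real || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        status_header( 404 );
        exit;
    }

    $editor = wp_get_image_editor( $real );
    if ( is_wp_error( $editor ) ) {
        status_header( 415 );
        exit;
    }
    // Cap the output size so the endpoint cannot be used to burn memory;
    // the actual watermark overlay is out of scope for this example.
    $editor->resize( 1200, 1200, false );

    $mime = get_post_mime_type( $id );
    header( 'Content-Type: ' . $mime );
    header( 'X-Content-Type-Options: nosniff' );
    $editor->stream( $mime );
    exit;
}
add_action( 'wp_ajax_nopriv_demo_watermark', 'demo_watermark' );
add_action( 'wp_ajax_demo_watermark', 'demo_watermark' );

// If remote sources are a hard requirement, keep an explicit host allow-list
// and fetch with wp_safe_remote_get(), which runs wp_http_validate_url()
// and refuses loopback and private address ranges; never hand a raw
// request URL to file_get_contents().
```

Referencing media by attachment ID rather than URL removes the whole class of problem: there is no remote fetch, so there is nothing to proxy, and the `realpath()` prefix check guards against an attachment record whose stored path has been pointed outside the uploads directory.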
CVE-2022-0404 - Material Design for Contact Form 7 plugin through 2.6.4

The Material Design for Contact Form 7 WordPress plugin through 2.6.4 does not check authorisation, nor that the option named in the notice parameter belongs to the plugin, when processing requests to the cf7md_dismiss_notice action. Any logged-in user, with a role as low as Subscriber, can set arbitrary options to true, potentially causing a denial of service by breaking the site.

MEDIUM CVSS 6.5 2022-04-04
CVE-2021-25048 - KingComposer plugin through 2.9.6

The KingComposer WordPress plugin through 2.9.6 performs no authorisation check, no CSRF check and no sanitisation or escaping when creating profiles, allowing any authenticated user to create arbitrary profiles containing cross-site scripting payloads.

MEDIUM CVSS 5.4 2022-04-04
CVE-2022-0679 - Narnoo Distributor plugin through 2.5.1

The Narnoo Distributor WordPress plugin through 2.5.1 fails to validate or sanitise the lib_path parameter before passing it to require() in the narnoo_distributor_lib_request AJAX action, which is available to both unauthenticated and authenticated users. The result is disclosure of arbitrary files, since the file's content is returned in the response as JSON data. This could also lead to remote code execution through various techniques, depending on the underlying system and its configuration.

CRITICAL CVSS 9.8 2022-03-28
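CVE-2022-1390 (readfile() on a client-supplied path) and CVE-2022-0679 above (require() on a client-supplied lib_path) are the same mistake at two sinks: a request parameter becomes a filesystem path with at most a suffix appended, which admits traversal, null-byte truncation on older PHP, and stream wrappers such as phar:// whose metadata is unserialised as soon as the path is touched. The following is an added illustration, not code from either plugin; the AJAX action `demo_lib_request`, the `lib_path` parameter reuse, the `lib/` directory and the file names in `demo_libs()` are assumed.

```php
<?php
/**
 * Added illustration (not code from any plugin in this listing).
 * Hypothetical AJAX action that loads one of a fixed set of library files.
 */

// --- VULNERABLE shape (both entries) -----------------------------------
function demo_lib_request_vulnerable() {
    $lib = $_REQUEST['lib_path'];
    // ../../../../wp-config            -> traversal
    // /etc/passwd%00                   -> null byte, older PHP only
    // phar://./wp-content/uploads/x.jpg/a -> phar metadata unserialised
    ob_start();
    require $lib . '.php';
    wp_send_json( array( 'html' => ob_get_clean() ) );
}
add_action( 'wp_ajax_nopriv_demo_lib_request_vuln', 'demo_lib_request_vulnerable' );

// --- HARDENED: names map to files; no path is ever built from input -----
function demo_libs() {
    return array(
        'tours'  => 'tours.php',
        'prices' => 'prices.php',
    );
}

function demo_resolve_lib( $name ) {
    $name = sanitize_key( (string) $name );        // [a-z0-9_-] only
    $libs = demo_libs();
    if ( ! isset( $libs[ $name ] ) ) {
        return false;
    }
    $base = realpath( plugin_dir_path( __FILE__ ) . 'lib' );
    $path = realpath( $base . DIRECTORY_SEPARATOR . $libs[ $name ] );
    // Defence in depth: the resolved file must still sit inside lib/.
    if ( false === $base || false === $path
         || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $path;
}

function demo_lib_request() {
    if ( ! current_user_can( 'read' ) ) {          // any logged-in user
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'demo_lib_request' );

    $path = demo_resolve_lib( $_REQUEST['lib_path'] ?? '' );
    if ( ! $path ) {
        wp_send_json_error( 'unknown library', 400 );
    }
    ob_start();
    require $path;
    wp_send_json_success( array( 'html' => ob_get_clean() ) );
}
add_action( 'wp_ajax_demo_lib_request', 'demo_lib_request' );

// If a handler must serve files by client-supplied name (the readfile()
// case), apply the same rules: reject anything containing "\0" or "://",
// run sanitize_file_name() on the basename only, resolve with realpath()
// and confirm the directory prefix before calling readfile().
```

The allow-list is the real fix; `realpath()` plus the prefix check exists so that a future edit which reintroduces string concatenation still fails closed. Note that `realpath()` also resolves symlinks, so a symlink planted inside `lib/` pointing elsewhere is rejected too.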
CVE-2021-25071 - plugin through 2.0.1

The WordPress plugin through 2.0.1 does not sanitise or escape the translation parameter before outputting it back in an admin page, leading to reflected cross-site scripting.

MEDIUM CVSS 6.1 2022-03-28
CVE-2021-25012 - Pz-LinkCard plugin through 2.4.4.4

The Pz-LinkCard WordPress plugin through 2.4.4.4 does not sanitise or escape multiple parameters before outputting them back in admin dashboard pages, leading to reflected cross-site scripting.

MEDIUM CVSS 6.1 2022-03-28
CVE-2021-24978 - OSMapper plugin through 2.1.5

The OSMapper WordPress plugin through 2.1.5 registers an AJAX action that deletes a post of its plugin-specific 'map' post type, and registers it with the wp_ajax_nopriv prefix, making it available to unauthenticated users. There is no authorisation check, no CSRF check and no check that the post being deleted is actually a map. As a result, an unauthenticated user can delete arbitrary posts from the site.

MEDIUM CVSS 5.3 2022-03-28
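CVE-2022-0404 (any option name accepted from a Subscriber) and CVE-2021-24978 above (unauthenticated delete of any post) are both authorisation failures on an AJAX action: the handler never asks who is calling or whether the named object is one the plugin owns. The following is an added illustration, not code from Material Design for Contact Form 7 or OSMapper; the action names `demo_dismiss_notice` / `demo_delete_map`, the notice names, the user-meta key and the nonce strings are assumed.

```php
<?php
/**
 * Added illustration (not code from any plugin in this listing).
 * Two hypothetical AJAX handlers and their hardened counterparts.
 */

// --- CVE-2022-0404 shape: any option name, any logged-in user ------------
function demo_dismiss_notice_vulnerable() {
    // A Subscriber can POST notice=users_can_register or notice=template.
    update_option( $_POST['notice'], true );
    wp_die();
}
add_action( 'wp_ajax_demo_dismiss_notice_vuln', 'demo_dismiss_notice_vulnerable' );

function demo_dismiss_notice() {
    check_ajax_referer( 'demo_dismiss_notice' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Only this plugin's own notices, by fixed name, can be dismissed.
    $allowed = array( 'demo_notice_welcome', 'demo_notice_upgrade' );
    $notice  = sanitize_key( $_POST['notice'] ?? '' );
    if ( ! in_array( $notice, $allowed, true ) ) {
        wp_send_json_error( 'unknown notice', 400 );
    }
    // Store the flag per user, so nothing in the global options table is
    // written from this endpoint at all.
    update_user_meta( get_current_user_id(), $notice . '_dismissed', 1 );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_dismiss_notice', 'demo_dismiss_notice' );

// --- CVE-2021-24978 shape: unauthenticated delete of any post ------------
function demo_delete_map_vulnerable() {
    wp_delete_post( (int) $_POST['id'], true );   // any post type, anyone
    wp_die();
}
add_action( 'wp_ajax_nopriv_demo_delete_map_vuln', 'demo_delete_map_vulnerable' );
add_action( 'wp_ajax_demo_delete_map_vuln', 'demo_delete_map_vulnerable' );

function demo_delete_map() {
    // No _nopriv registration: unauthenticated requests never reach here.
    check_ajax_referer( 'demo_delete_map' );

    $id = absint( $_POST['id'] ?? 0 );
    // Object-level checks: the post must exist, be this plugin's type, and
    // the caller must be allowed to delete that specific post.
    if ( ! $id || 'map' !== get_post_type( $id ) ) {
        wp_send_json_error( 'not a map', 400 );
    }
    if ( ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( ! wp_delete_post( $id, true ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}
add_action( 'wp_ajax_demo_delete_map', 'demo_delete_map' );
```

`current_user_can( 'delete_post', $id )` is the meta-capability form: WordPress resolves it against the post's type and author, so an Author can delete their own map but not another user's, without the plugin re-implementing that logic. `wp_send_json_error()` terminates the request, which is why no `return` follows each check.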
CVE-2022-0165 - Page Builder KingComposer plugin through 2.9.6

The Page Builder KingComposer WordPress plugin through 2.9.6 does not validate the id parameter before redirecting the user to it via the kc_get_thumbn AJAX action, which is available to both unauthenticated and authenticated users, resulting in an open redirect.

MEDIUM CVSS 6.1 2022-03-14
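The entry above is an open redirect: a parameter that should identify a thumbnail is used directly as a redirect target. The following is an added illustration, not KingComposer's code; the AJAX action `demo_get_thumb` and the `id` parameter are assumed, and the hardened version treats `id` as an attachment ID rather than a URL.

```php
<?php
/**
 * Added illustration (not code from any plugin in this listing).
 * Hypothetical AJAX action that sends the browser to an attachment's thumbnail.
 */

// --- VULNERABLE shape ---------------------------------------------------
function demo_get_thumb_vulnerable() {
    // ?action=demo_get_thumb_vuln&id=https://attacker.example/wp-login
    wp_redirect( $_GET['id'] );   // wp_redirect() does not validate the host
    exit;
}
add_action( 'wp_ajax_nopriv_demo_get_thumb_vuln', 'demo_get_thumb_vulnerable' );

// --- HARDENED -----------------------------------------------------------
function demo_get_thumb() {
    // The parameter is an attachment ID, so parse it as one and look up the
    // URL server-side; nothing from the request reaches the Location header.
    $id  = absint( $_GET['id'] ?? 0 );
    $url = $id ? wp_get_attachment_image_url( $id, 'thumbnail' ) : false;
    if ( ! $url ) {
        status_header( 404 );
        exit;
    }
    // wp_safe_redirect() passes the target through wp_validate_redirect(),
    // which only allows this site's host (plus any hosts added via the
    // allowed_redirect_hosts filter) and otherwise falls back to admin_url().
    wp_safe_redirect( $url, 302 );
    exit;
}
add_action( 'wp_ajax_nopriv_demo_get_thumb', 'demo_get_thumb' );
add_action( 'wp_ajax_demo_get_thumb', 'demo_get_thumb' );

// Where a redirect target genuinely must come from the request (a
// "return to" parameter), validate it explicitly and keep a safe fallback:
function demo_return_to( $requested ) {
    return wp_validate_redirect( wp_unslash( $requested ), home_url( '/' ) );
}

// Sites that serve media from a CDN host need that host registered, or the
// safe redirect will fall back to admin_url() instead of the thumbnail:
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'cdn.example';   // assumed CDN hostname for the example
    return $hosts;
} );
```

Using `absint()` on the parameter and resolving the URL server-side is the primary fix; `wp_safe_redirect()` is the backstop for the case where the resolved URL unexpectedly points off-site.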