
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 67 | Critical: 4 | High: 14 | Medium: 49

Showing 41-60 of 67 records
Threat Entry Updated 2024-11-21

CVE-2022-2425 - WP DS Blog Map Plugin (through 3.1.3)

The WP DS Blog Map WordPress plugin through 3.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN: WP DS Blog Map, through 3.1.3

MEDIUM CVSS 4.8 2022-08-08
Threat Entry Updated 2024-11-21

CVE-2022-2410 - mTouch Quiz Plugin (through 3.1.3)

The mTouch Quiz WordPress plugin through 3.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN: mTouch Quiz, through 3.1.3

MEDIUM CVSS 4.8 2022-08-08
Threat Entry Updated 2024-11-21

CVE-2022-2151 - Best Contact Management Software Plugin (through 3.7.3)

The Best Contact Management Software WordPress plugin through 3.7.3 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN: Best Contact Management Software, through 3.7.3

MEDIUM CVSS 4.8 2022-07-17
Threat Entry Updated 2024-11-21

CVE-2022-1842 - OpenBook Book Data Plugin (through 3.5.2)

The OpenBook Book Data WordPress plugin through 3.5.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and, due to the lack of sanitisation and escaping, lead to Stored Cross-Site Scripting as well.

PLUGIN: OpenBook Book Data, through 3.5.2

MEDIUM CVSS 4.3 2022-06-27
Threat Entry Updated 2024-11-21

CVE-2022-1113 - Flower Delivery by Florist One Plugin (through 3.7)

The Flower Delivery by Florist One WordPress plugin through 3.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setups).

PLUGIN: Flower Delivery by Florist One, through 3.7

MEDIUM CVSS 4.8 2022-06-27
Threat Entry Updated 2024-11-21

CVE-2022-1826 - Cross-Linker Plugin (through 3.0.1.9)

The Cross-Linker WordPress plugin through 3.0.1.9 does not have a CSRF check in place when creating Cross-Links, which could allow attackers to make a logged in admin perform that action via a CSRF attack.

PLUGIN: Cross-Linker, through 3.0.1.9

MEDIUM CVSS 6.5 2022-06-20
Threat Entry Updated 2024-11-21

CVE-2022-1780 - LaTeX for WordPress Plugin (through 3.4.10)

The LaTeX for WordPress plugin through 3.4.10 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack; due to the lack of sanitisation and escaping, this could also lead to Stored Cross-Site Scripting.

PLUGIN: LaTeX for WordPress, through 3.4.10

MEDIUM CVSS 5.4 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-0863 - WP SVG Icons Plugin (through 3.2.3)

The WP SVG Icons WordPress plugin through 3.2.3 does not properly validate uploaded custom icon packs, allowing a high-privileged user such as an admin to upload a zip file containing malicious PHP code, leading to remote code execution.

PLUGIN: WP SVG Icons, through 3.2.3

HIGH CVSS 7.2 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-1645 - Amazon Link Plugin (through 3.2.10)

The Amazon Link WordPress plugin through 3.2.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN: Amazon Link, through 3.2.10

MEDIUM CVSS 4.8 2022-05-30
Threat Entry Updated 2024-11-21

CVE-2022-1395 - Easy FAQ with Expanding Text Plugin (through 3.2.8.3.1)

The Easy FAQ with Expanding Text WordPress plugin through 3.2.8.3.1 does not sanitise and escape its settings, allowing high privilege users to perform Cross-Site Scripting attacks when unfiltered_html is disallowed.

PLUGIN: Easy FAQ with Expanding Text, through 3.2.8.3.1

MEDIUM CVSS 4.8 2022-05-30
Threat Entry Updated 2024-11-21

CVE-2022-1182 - Visual Slide Box Builder Plugin (through 3.2.9)

The Visual Slide Box Builder WordPress plugin through 3.2.9 does not sanitise and escape various parameters before using them in SQL statements via some of its AJAX actions, which are available to any authenticated user (such as a subscriber), leading to SQL Injection.

PLUGIN: Visual Slide Box Builder, through 3.2.9

HIGH CVSS 8.8 2022-05-16
Threat Entry Updated 2024-11-21

CVE-2022-0817 - BadgeOS Plugin (through 3.7.0)

The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users.

PLUGIN: BadgeOS, through 3.7.0

CRITICAL CVSS 9.8 2022-05-09
Threat Entry Updated 2024-11-21

CVE-2022-0898 - IgniteUp Plugin (through 3.4.1)

The IgniteUp WordPress plugin through 3.4.1 does not sanitise and escape some fields when high privilege users do not have the unfiltered_html capability, which could lead to Stored Cross-Site Scripting issues.

PLUGIN: IgniteUp, through 3.4.1

MEDIUM CVSS 5.4 2022-05-09
Threat Entry Updated 2024-11-21

CVE-2022-0769 - Users Ultra Plugin (through 3.1.0)

The Users Ultra WordPress plugin through 3.1.0 fails to properly sanitize and escape the data_target parameter before it is interpolated into an SQL statement and executed via the rating_vote AJAX action (available to both unauthenticated and authenticated users), leading to an SQL Injection.

PLUGIN: Users Ultra, through 3.1.0

CRITICAL CVSS 9.8 2022-04-25
Threat Entry Updated 2024-11-21

CVE-2022-1063 - Thank Me Later Plugin (through 3.3.4)

The Thank Me Later WordPress plugin through 3.3.4 does not sanitise and escape the Message Subject field before outputting it in the Messages list, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN: Thank Me Later, through 3.3.4

MEDIUM CVSS 4.8 2022-04-18
Threat Entry Updated 2024-11-21

CVE-2021-25064 - Wow Countdowns Plugin (through 3.1.2)

The Wow Countdowns WordPress plugin through 3.1.2 does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection.

PLUGIN: Wow Countdowns, through 3.1.2

HIGH CVSS 7.2 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2021-24899 - Media-Tags Plugin (through 3.2.0.2)

The Media-Tags WordPress plugin through 3.2.0.2 does not sanitise and escape any of its Labels settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN: Media-Tags, through 3.2.0.2

MEDIUM CVSS 4.8 2021-11-29
Threat Entry Updated 2024-11-21

CVE-2021-24628 - Wow Forms Plugin (through 3.1.3)

The Wow Forms WordPress plugin through 3.1.3 does not sanitise or escape a 'did' GET parameter before using it in a SQL statement when deleting a form in the admin dashboard, leading to an authenticated SQL injection.

PLUGIN: Wow Forms, through 3.1.3

HIGH CVSS 7.2 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24537 - Similar Posts Plugin (through 3.1.5)

The Similar Posts WordPress plugin through 3.1.5 allows high privilege users to execute arbitrary PHP code in a hardened environment (i.e. with DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS and DISALLOW_UNFILTERED_HTML set to true) via the 'widget_rrm_similar_posts_condition' widget setting of the plugin.

PLUGIN: Similar Posts, through 3.1.5

HIGH CVSS 7.2 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24611 - Keyword Meta Plugin (through 3.0)

The Keyword Meta WordPress plugin through 3.0 does not sanitise or escape its settings before outputting them back in the page after they are saved, allowing for Cross-Site Scripting issues. Furthermore, it also lacks any CSRF check, allowing an attacker to make a logged in high privilege user save arbitrary settings via a CSRF attack.

PLUGIN: Keyword Meta, through 3.0

MEDIUM CVSS 5.4 2021-09-06