Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 841-860 of 922 records
CVE-2022-0739 - BookingPress Plugin
CRITICAL | CVSS 9.8 | 2022-03-21 | Threat entry updated 2024-11-21

The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user-supplied POST data before it is used in a dynamically constructed SQL query via the bookingpress_front_get_category_services AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection.

CVE-2022-0694 - Advanced Booking Calendar Plugin
CRITICAL | CVSS 9.8 | 2022-03-21 | Threat entry updated 2024-11-21

The Advanced Booking Calendar WordPress plugin before 1.7.0 does not validate and escape the calendar parameter before using it in a SQL statement via the abc_booking_getSingleCalendar AJAX action (available to both unauthenticated and authenticated users), leading to an unauthenticated SQL injection.

CVE-2022-0591 - FormCraft Plugin
CRITICAL | CVSS 9.1 | 2022-03-21 | Threat entry updated 2024-11-21

The FormCraft WordPress plugin before 3.8.28 does not validate the URL parameter in the formcraft3_get AJAX action, leading to SSRF issues exploitable by unauthenticated users.

CVE-2022-0658 - CommonsBooking Plugin
CRITICAL | CVSS 9.8 | 2022-03-14 | Threat entry updated 2024-11-21

The CommonsBooking WordPress plugin before 2.6.8 does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection.

CVE-2022-0254 - WordPress Zero Spam Plugin
CRITICAL | CVSS 9.8 | 2022-03-14 | Threat entry updated 2024-11-21

The WordPress Zero Spam WordPress plugin before 5.2.11 does not properly sanitise and escape the order and orderby parameters before using them in a SQL statement in the admin dashboard, leading to a SQL injection.

CVE-2022-0169 - Photo Gallery by 10Web Plugin
CRITICAL | CVSS 9.8 | 2022-03-14 | Threat entry updated 2024-11-21

The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection.

CVE-2021-25003 - WPCargo Track & Trace Plugin
CRITICAL | CVSS 9.8 | 2022-03-14 | Threat entry updated 2024-11-21

The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE.

CVE-2022-0441 - MasterStudy LMS Plugin
CRITICAL | CVSS 9.8 | 2022-03-07 | Threat entry updated 2024-11-21

The MasterStudy LMS WordPress plugin before 2.7.6 does not validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin.

CVE-2022-0434 - Page View Count Plugin
CRITICAL | CVSS 9.8 | 2022-03-07 | Threat entry updated 2024-11-21

The Page View Count WordPress plugin before 2.4.15 does not sanitise and escape the post_ids parameter before using it in a SQL statement via a REST endpoint, available to both unauthenticated and authenticated users. As a result, unauthenticated attackers could perform SQL injection attacks.

CVE-2022-0349 - NotificationX Plugin
CRITICAL | CVSS 9.8 | 2022-03-07 | Threat entry updated 2024-11-21

The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an unauthenticated blind SQL injection.

CVE-2022-0412 - TI WooCommerce Wishlist Plugin
CRITICAL | CVSS 9.8 | 2022-02-28 | Threat entry updated 2024-11-21

The TI WooCommerce Wishlist WordPress plugin before 1.40.1 and the TI WooCommerce Wishlist Pro WordPress plugin before 1.40.1 do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks.

CVE-2021-25010 - Post Snippets Plugin
CRITICAL | CVSS 9.6 | 2022-02-28 | Threat entry updated 2024-11-21

The Post Snippets WordPress plugin before 3.1.4 does not have a CSRF check when importing files, allowing an attacker to make a logged-in admin import arbitrary snippets. Furthermore, imported snippets are not sanitised and escaped, which could lead to stored Cross-Site Scripting issues.

CVE-2022-25149 - WP Statistics Plugin
CRITICAL | CVSS 9.8 | 2022-02-24 | Threat entry updated 2024-11-21

The WP Statistics WordPress plugin is vulnerable to SQL injection due to insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file, which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.

CVE-2022-25148 - WP Statistics Plugin
CRITICAL | CVSS 9.8 | 2022-02-24 | Threat entry updated 2024-11-21

The WP Statistics WordPress plugin is vulnerable to SQL injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file, which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.

CVE-2022-0651 - WP Statistics Plugin
CRITICAL | CVSS 9.8 | 2022-02-24 | Threat entry updated 2024-11-21

The WP Statistics WordPress plugin is vulnerable to SQL injection due to insufficient escaping and parameterization of the current_page_type parameter found in the ~/includes/class-wp-statistics-hits.php file, which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.

CVE-2021-24867 - Ap Companion Plugin
CRITICAL | CVSS 9.8 | 2022-02-21 | Threat entry updated 2024-11-21

Numerous plugins and themes from the AccessPress Themes (aka Access Keys) vendor are backdoored due to their website being compromised. Only plugins and themes downloaded via the vendor website are affected; those hosted on wordpress.org are not. However, all of them were updated or removed to avoid any confusion.

CVE-2022-0513 - WP Statistics Plugin
CRITICAL | CVSS 9.8 | 2022-02-16 | Threat entry updated 2024-11-21

The WP Statistics WordPress plugin is vulnerable to SQL injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file, which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the "Record Exclusions" option to be enabled on the vulnerable site.

CVE-2021-25114 - Paid Memberships Pro Plugin
CRITICAL | CVSS 9.8 | 2022-02-07 | Threat entry updated 2024-11-21

The Paid Memberships Pro WordPress plugin before 2.6.7 does not escape the discount_code parameter in one of its REST routes (available to unauthenticated users) before using it in a SQL statement, leading to a SQL injection.

CVE-2022-0320 - Essential Addons For Elementor Plugin
CRITICAL | CVSS 9.8 | 2022-02-01 | Threat entry updated 2024-11-21

The Essential Addons for Elementor WordPress plugin before 5.0.5 does not validate and sanitise some template data before using it in include statements, which could allow unauthenticated attackers to perform Local File Inclusion attacks and read arbitrary files on the server. This could also lead to RCE via user-uploaded files or other LFI-to-RCE techniques.
