Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2025-05-06

CVE-2022-3374 - Ocean Extra Plugin

The Ocean Extra WordPress plugin before 2.0.5 unserialises the content of an imported file, which could lead to PHP object injection issues when a high-privilege user imports (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog.

PLUGIN Ocean Extra

CVE-2022-3374

HIGH CVSS 7.2 2022-10-31
Threat Entry Updated 2025-05-06

CVE-2022-3366 - Publishpress Capabilities Plugin

The PublishPress Capabilities WordPress plugin before 2.5.2, PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserializes the content of imported files, which could lead to PHP object injection attacks by administrators, on multisite WordPress configurations. Successful exploitation in this case requires other plugins with a suitable gadget chain to be present on the site.

PLUGIN Publishpress Capabilities

CVE-2022-3366

HIGH CVSS 7.2 2022-10-31
Threat Entry Updated 2025-05-06

CVE-2022-3334 - Easy Wp Smtp Plugin

The Easy WP SMTP WordPress plugin before 1.5.0 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

PLUGIN Easy Wp Smtp

CVE-2022-3334

HIGH CVSS 7.2 2022-10-31
Threat Entry Updated 2024-11-21

CVE-2022-3401 - Bricks Theme

The Bricks theme for WordPress is vulnerable to remote code execution in versions 1.2 to 1.5.3 because the theme allows site editors to include executable code blocks in website content. Combined with the missing authorization vulnerability (CVE-2022-3400), this makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to edit any page, post, or template on the vulnerable WordPress website and inject a code execution block that can be used to achieve remote code execution.

THEME Bricks

CVE-2022-3401

HIGH CVSS 8.8 2022-10-28
Threat Entry Updated 2024-11-21

CVE-2022-2864 - Demon Image Annotation Plugin

The demon image annotation plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.7. This is due to missing nonce validation in the ~/includes/settings.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Demon Image Annotation

CVE-2022-2864

HIGH CVSS 8.8 2022-10-28
Threat Entry Updated 2025-05-07

CVE-2022-3395 - Wp All Export Pro Plugin

The WP All Export Pro WordPress plugin before 1.7.9 uses the contents of the cc_sql POST parameter directly as a database query, allowing users who have been given permission to run exports to execute arbitrary SQL statements, leading to a SQL Injection vulnerability. By default only users with the Administrator role can perform exports, but this can be delegated to lower-privileged users as well.

PLUGIN Wp All Export Pro

CVE-2022-3395

HIGH CVSS 8.8 2022-10-25
Threat Entry Updated 2025-05-07

CVE-2022-3394 - Wp All Export Pro Plugin

The WP All Export Pro WordPress plugin before 1.7.9 does not limit some functionality during exports to users with the Administrator role, allowing any logged-in user who has been given privileges to perform exports to execute arbitrary code on the site. By default only administrators can run exports, but the privilege can be delegated to lower-privileged users.

PLUGIN Wp All Export Pro

CVE-2022-3394

HIGH CVSS 7.2 2022-10-25
Threat Entry Updated 2025-05-09

CVE-2022-3335 - Kadence Woocommerce Email Designer Plugin

The Kadence WooCommerce Email Designer WordPress plugin before 1.5.7 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

PLUGIN Kadence Woocommerce Email Designer

CVE-2022-3335

HIGH CVSS 7.2 2022-10-25
Threat Entry Updated 2025-05-07

CVE-2022-3246 - Blog2Social Plugin

The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.9.10 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated user, such as a subscriber.

PLUGIN Blog2Social

CVE-2022-3246

HIGH CVSS 8.8 2022-10-25
Threat Entry Updated 2025-05-09

CVE-2022-3302 - Firewall By Cleantalk Plugin

The Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.185.1 does not validate IDs before using them in a SQL statement, which could lead to SQL injection exploitable by high-privilege users such as admins.

PLUGIN Firewall By Cleantalk

CVE-2022-3302

HIGH CVSS 7.2 2022-10-25
Threat Entry Updated 2025-05-09

CVE-2022-3300 - Form Maker By 10web Plugin

The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admins.

PLUGIN Form Maker By 10web

CVE-2022-3300

HIGH CVSS 7.2 2022-10-25
Threat Entry Updated 2024-11-21

CVE-2022-38104 - Accordions Or Faqs Plugin

Auth. WordPress Options Change (siteurl, users_can_register, default_role, admin_email and new_admin_email) vulnerability in Biplob Adhikari's Accordions – Multiple Accordions or FAQs Builder plugin (versions

PLUGIN Accordions Or Faqs

CVE-2022-38104

HIGH CVSS 7.2 2022-10-21
Threat Entry Updated 2025-05-14

CVE-2022-3243 - Import All XML, CSV & TXT Plugin

The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not properly sanitise and escape imported data before using it in SQL statements, leading to SQL injection exploitable by high-privilege users such as admins.

PLUGIN Import All XML, CSV & TXT

CVE-2022-3243

HIGH CVSS 7.2 2022-10-17
Threat Entry Updated 2025-05-14

CVE-2022-3150 - WP Custom Cursors Plugin

The WP Custom Cursors WordPress plugin before 3.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admins.

PLUGIN WP Custom Cursors

CVE-2022-3150

HIGH CVSS 7.2 2022-10-17
Threat Entry Updated 2025-05-14

CVE-2022-3131 - Search Logger Plugin

The Search Logger WordPress plugin through 0.9 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users.

PLUGIN Search Logger

CVE-2022-3131

HIGH CVSS 7.2 2022-10-17
Threat Entry Updated 2024-11-21

CVE-2022-3154 - Gravity Forms Plugin

The Woo Billingo Plus WordPress plugin before 4.4.5.4, Integration for Billingo & Gravity Forms WordPress plugin before 1.0.4, and Integration for Szamlazz.hu & Gravity Forms WordPress plugin before 1.2.7 lack CSRF checks in various AJAX actions, which could allow attackers to make logged-in Shop Managers and above perform unwanted actions, such as deactivating the plugin's license.

PLUGIN Gravity Forms

CVE-2022-3154

HIGH CVSS 7.1 2022-10-10
Threat Entry Updated 2024-11-21

CVE-2022-3125 - Frontend File Manager Plugin

The Frontend File Manager Plugin WordPress plugin before 21.3 allows any authenticated user, such as a subscriber, to rename a file to an arbitrary extension, like PHP, which effectively allows them to upload arbitrary files to the server and achieve RCE.

PLUGIN Frontend File Manager

CVE-2022-3125

HIGH CVSS 8.8 2022-10-03