
Threat Database

Threat Entry Updated 2024-11-21

CVE-2022-1409 - VikBooking Hotel Booking Engine & PMS Plugin

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.5.8 does not properly validate images, allowing high privilege users such as administrators to upload PHP files disguised as images and containing malicious PHP code.

PLUGIN VikBooking Hotel Booking Engine & PMS

CVE-2022-1409

HIGH CVSS 7.2 2022-05-16
Threat Entry Updated 2024-11-21

CVE-2022-1182 - Visual Slide Box Builder Plugin

The Visual Slide Box Builder WordPress plugin through 3.2.9 does not sanitise and escape various parameters before using them in SQL statements via some of its AJAX actions available to any authenticated user (such as subscriber), leading to SQL Injection.

PLUGIN Visual Slide Box Builder

CVE-2022-1182

HIGH CVSS 8.8 2022-05-16
Threat Entry Updated 2024-11-21

CVE-2021-25119 - Automatic Grid Image Listing Plugin

The AGIL WordPress plugin through 1.0 accepts all zip files and automatically extracts the zip file without validating the extracted file type, allowing high privilege users such as admin to upload an arbitrary file such as PHP, leading to RCE.

PLUGIN Automatic Grid Image Listing

CVE-2021-25119

HIGH CVSS 7.2 2022-05-16
Threat Entry Updated 2024-11-21

CVE-2022-1463 - Booking Calendar Plugin

The Booking Calendar plugin for WordPress is vulnerable to PHP Object Injection via the [bookingflextimeline] shortcode in versions up to, and including, 9.1. This could be exploited by subscriber-level users and above to call arbitrary PHP objects on a vulnerable site.

PLUGIN Booking Calendar

CVE-2022-1463

HIGH CVSS 8.8 2022-05-10
Threat Entry Updated 2025-05-05

CVE-2022-1442 - Metform Elementor Contact Form Builder Plugin

The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.

PLUGIN Metform Elementor Contact Form Builder

CVE-2022-1442

HIGH CVSS 7.5 2022-05-10
Threat Entry Updated 2024-11-21

CVE-2022-1273 - Import WP Plugin

The Import WP WordPress plugin before 2.4.6 does not validate the imported file in some cases, allowing high privilege users such as admin to upload arbitrary files (such as PHP), leading to RCE.

PLUGIN Import WP

CVE-2022-1273

HIGH CVSS 7.2 2022-05-02
Threat Entry Updated 2024-11-21

CVE-2022-1239 - HubSpot Plugin

The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks.

PLUGIN HubSpot

CVE-2022-1239

HIGH CVSS 8.8 2022-05-02
Threat Entry Updated 2024-11-21

CVE-2022-0952 - Sitemap By Click5 Plugin

The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the users_can_register and default_role, allowing them to create a new admin account and take over the blog.

PLUGIN Sitemap By Click5

CVE-2022-0952

HIGH CVSS 8.8 2022-05-02
Threat Entry Updated 2024-11-21

CVE-2021-25002 - Tipsacarrier Plugin

The Tipsacarrier WordPress plugin before 1.5.0.5 does not have any authorisation check in place for some functions, which could allow unauthenticated users to access Orders data, which in turn could be used to retrieve the client's full address, name and phone via the tracking URL.

PLUGIN Tipsacarrier

CVE-2021-25002

HIGH CVSS 7.5 2022-05-02
Threat Entry Updated 2024-11-21

CVE-2022-1392 - Videos Sync Pdf Plugin

The Videos sync PDF WordPress plugin through 1.7.4 does not validate the p parameter before using it in an include statement, which could lead to Local File Inclusion issues.

PLUGIN Videos Sync Pdf

CVE-2022-1392

HIGH CVSS 7.5 2022-04-25
Threat Entry Updated 2024-11-21

CVE-2021-24957 - Advanced Page Visit Counter Plugin

The Advanced Page Visit Counter WordPress plugin before 6.1.6 does not escape the artID parameter before using it in a SQL statement in the apvc_reset_count_art AJAX action, available to any authenticated user, leading to a SQL injection.

PLUGIN Advanced Page Visit Counter

CVE-2021-24957

HIGH CVSS 8.8 2022-04-25
Threat Entry Updated 2024-11-21

CVE-2021-4225 - Document Manager Plugin

The SP Project & Document Manager WordPress plugin before 4.24 allows any authenticated users, such as subscribers, to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that on Windows servers, the security checks in place were insufficient, enabling bad actors to potentially upload backdoors on vulnerable sites.

PLUGIN Document Manager

CVE-2021-4225

HIGH CVSS 8.8 2022-04-25
Threat Entry Updated 2025-04-21

CVE-2021-25094 - Tatsu Plugin

The add_custom_font action of the Tatsu WordPress plugin before 3.3.12 can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress upload directory. By adding a PHP shell with a filename starting with a dot ".", this can bypass the extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.

PLUGIN Tatsu

CVE-2021-25094

HIGH CVSS 8.1 2022-04-25
Threat Entry Updated 2024-11-21

CVE-2022-0656 - Web To Print Shop : uDraw Plugin

The Web To Print Shop : uDraw WordPress plugin before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php, etc.).

PLUGIN Web To Print Shop : uDraw

CVE-2022-0656

HIGH CVSS 7.5 2022-04-25
Threat Entry Updated 2024-11-21

CVE-2022-1329 - Elementor Website Builder Plugin

The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that makes it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.

PLUGIN Elementor Website Builder

CVE-2022-1329

HIGH CVSS 8.8 2022-04-19