
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-21

CVE-2021-4096 - Fancy Product Designer Plugin

The Fancy Product Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery via the FPD_Admin_Import class that makes it possible for attackers to upload malicious files that could be used to gain webshell access to a server in versions up to, and including, 4.7.5.

PLUGIN Fancy Product Designer

CVE-2021-4096

HIGH CVSS 8.8 2022-04-19
Threat Entry Updated 2024-11-21

CVE-2022-0993 - SiteGround Security Plugin

The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on the 2FA back-up code implementation that logs users in upon success. This affects versions up to, and including, 1.2.5.

PLUGIN SiteGround Security

CVE-2022-0993

HIGH CVSS 8.1 2022-04-19
Threat Entry Updated 2024-11-21

CVE-2022-1119 - Simple File List Plugin

The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parameter found in the ~/includes/ee-downloader.php file due to missing controls, which makes it possible for unauthenticated attackers to supply a path to a file that will subsequently be downloaded, in versions up to and including 3.2.7.

PLUGIN Simple File List

CVE-2022-1119

HIGH CVSS 7.5 2022-04-19
Threat Entry Updated 2024-11-21

CVE-2022-1037 - EXMAGE Plugin

The EXMAGE WordPress plugin before 1.0.7 does not ensure that images added via URLs are external images, which could lead to a blind SSRF issue by using local URLs.

PLUGIN EXMAGE

CVE-2022-1037

HIGH CVSS 7.2 2022-04-18
Threat Entry Updated 2024-11-21

CVE-2022-0661 - Ad Injection Plugin

The Ad Injection WordPress plugin through 1.2.0.19 does not properly sanitize the body of the adverts injected into the pages, allowing a high-privileged user (Admin+) to inject arbitrary HTML or JavaScript even with unfiltered_html disallowed, leading to a stored cross-site scripting (XSS) vulnerability. Furthermore, it is also possible to inject PHP code, leading to a remote code execution (RCE) vulnerability, even if the DISALLOW_FILE_EDIT and DISALLOW_FILE_MOD constants are both set.

PLUGIN Ad Injection

CVE-2022-0661

HIGH CVSS 7.2 2022-04-18
Threat Entry Updated 2024-11-21

CVE-2022-0141 - Visual Form Builder Plugin

The Visual Form Builder WordPress plugin before 3.0.8 does not enforce nonce checks, which could allow attackers to make a logged-in admin or editor delete and restore arbitrary form entries via CSRF attacks.

PLUGIN Visual Form Builder

CVE-2022-0141

HIGH CVSS 8.1 2022-04-12
Threat Entry Updated 2024-11-21

CVE-2022-1023 - Podcast Importer SecondLine Plugin

The Podcast Importer SecondLine WordPress plugin before 1.3.8 does not sanitise and properly escape some imported data, which could allow SQL injection attacks to be performed by importing a malicious podcast file.

PLUGIN Podcast Importer SecondLine

CVE-2022-1023

HIGH CVSS 7.2 2022-04-11
Threat Entry Updated 2024-11-21

CVE-2022-1008 - One Click Demo Import Plugin

The One Click Demo Import WordPress plugin before 3.1.0 does not validate the imported file, allowing high-privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed.

PLUGIN One Click Demo Import

CVE-2022-1008

HIGH CVSS 7.2 2022-04-11
Threat Entry Updated 2024-11-21

CVE-2022-0989 - NS Watermark for WooCommerce Plugin

An unprivileged user could use the functionality of the NS WooCommerce Watermark WordPress plugin through 2.11.3 to load images from arbitrary domains, for example malicious ones hosting malware, by having them proxied through the vulnerable domain, thereby hiding their true origin.

PLUGIN NS Watermark for WooCommerce

CVE-2022-0989

HIGH CVSS 7.5 2022-04-11
Threat Entry Updated 2024-11-21

CVE-2022-0920 - Salon Booking System Plugin

The Salon Booking System Free and Pro WordPress plugins before 7.6.3 do not have proper authorisation in some of their endpoints, which could allow customers to access all bookings and other customers' data.

PLUGIN Salon Booking System

CVE-2022-0920

HIGH CVSS 7.5 2022-04-11
Threat Entry Updated 2025-03-21

CVE-2022-0828 - Download Manager Plugin

The Download Manager WordPress plugin before 3.2.34 uses the uniqid() PHP function to generate the master key for a download, allowing an attacker to brute-force the key with reasonable resources, giving direct download access regardless of role-based restrictions or password protections set for the download.

PLUGIN Download Manager

CVE-2022-0828

HIGH CVSS 7.5 2022-04-11
Threat Entry Updated 2024-11-21

CVE-2022-1006 - Advanced Booking Calendar Plugin

The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the id parameter when editing Calendars, which could allow high-privilege users such as admin to perform SQL injection attacks.

PLUGIN Advanced Booking Calendar

CVE-2022-1006

HIGH CVSS 7.2 2022-04-11
Threat Entry Updated 2024-11-21

CVE-2022-0887 - Easy Social Icons Plugin

The Easy Social Icons WordPress plugin before 3.1.4 does not sanitize the selected_icons attribute to the cnss_widget before using it in an SQL statement, leading to a SQL injection vulnerability.

PLUGIN Easy Social Icons

CVE-2022-0887

HIGH CVSS 7.2 2022-04-04
Threat Entry Updated 2024-11-21

CVE-2022-0403 - Library File Manager Plugin

The Library File Manager WordPress plugin before 5.2.3 is using an outdated version of the elFinder library, which is known to be affected by security issues (CVE-2021-32682), and does not have any authorisation or CSRF checks in its connector AJAX action, allowing any authenticated user, such as a subscriber, to call it. Furthermore, as the options passed to the elFinder library do not restrict any file type, users with a role as low as subscriber can create/upload/delete arbitrary files and folders.

PLUGIN Library File Manager

CVE-2022-0403

HIGH CVSS 8.1 2022-04-04
Threat Entry Updated 2024-11-21

CVE-2022-0709 - Booking Package Plugin

The Booking Package WordPress plugin before 1.5.29 requires a token for exporting the iCal representation of its booking calendar, but this token is returned in the JSON response to unauthenticated users performing a booking, leading to a sensitive data disclosure vulnerability.

PLUGIN Booking Package

CVE-2022-0709

HIGH CVSS 7.5 2022-04-04
Threat Entry Updated 2024-11-21

CVE-2022-0537 - MapPress Maps for WordPress Plugin

The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the "ajax_save" function. The file is written relative to the current 's stylesheet directory, and a .php file extension is added. No validation is performed on the content of the file, triggering an RCE vulnerability by uploading a web shell. Further the name parameter is not sanitized, allowing the payload to be uploaded to any directory to which the server has write…

PLUGIN MapPress Maps for WordPress

CVE-2022-0537

HIGH CVSS 7.2 2022-04-04
Threat Entry Updated 2024-11-21

CVE-2022-0770 - Translate WordPress with GTranslate Plugin

The Translate WordPress with GTranslate WordPress plugin before 2.9.9 does not have CSRF checks in some files, and writes debug data such as users' cookies to a publicly accessible file if a specific parameter is used when requesting them. Combining those two issues, an attacker could gain access to a logged-in admin's cookies by making them open a malicious link or page.

PLUGIN Translate WordPress with GTranslate

CVE-2022-0770

HIGH CVSS 8.8 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2022-0499 - Sermon Browser Plugin

The Sermon Browser WordPress plugin through 0.45.22 does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged-in admin upload arbitrary files such as PHP ones.

PLUGIN Sermon Browser

CVE-2022-0499

HIGH CVSS 8.8 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2021-24962 - WordPress File Upload Plugin

The WordPress File Upload Free and Pro WordPress plugins before 4.16.3 allow users with a role as low as Contributor to perform path traversal via a shortcode argument, which can then be used to upload PHP code disguised as an image inside the auto-loaded directory of the plugin, resulting in arbitrary code execution.

PLUGIN WordPress File Upload

CVE-2021-24962

HIGH CVSS 8.8 2022-03-28