‼ CVE-2022-4142 ‼
📖 Read
via "National Vulnerability Database".
The WordPress Filter Gallery Plugin WordPress plugin before 0.1.6 does not properly escape the filters passed in the ufg_gallery_filters ajax action before outputting them on the page, allowing a high privileged user such as an administrator to inject HTML or javascript to the plugin settings page, even when the unfiltered_html capability is disabled.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4417 ‼
📖 Read
via "National Vulnerability Database".
The WP Cerber Security, Anti-spam & Malware Scan WordPress plugin before 9.3.3 does not properly block access to the REST API users endpoint when the blog is in a subdirectory, which could allow attackers to bypass the restriction in place and list users📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4099 ‼
📖 Read
via "National Vulnerability Database".
The Joy Of Text Lite WordPress plugin before 2.3.1 does not properly sanitise and escape some parameters before using them in SQL statements accessible to unauthenticated users, leading to unauthenticated SQL injection📖 Read
via "National Vulnerability Database".
‼ CVE-2015-10011 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability classified as problematic has been found in OpenDNS OpenResolve. This affects an unknown part of the file resolverapi/endpoints.py. The manipulation leads to improper output neutralization for logs. The name of the patch is 9eba6ba5abd89d0e36a008921eb307fcef8c5311. It is recommended to apply a patch to fix this issue. The identifier VDB-217197 was assigned to this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4371 ‼
📖 Read
via "National Vulnerability Database".
The Web Invoice WordPress plugin through 2.1.3 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users such as admin by default. However, depending on the plugin configuration, other users, such as subscriber could exploit this as well📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4373 ‼
📖 Read
via "National Vulnerability Database".
The Quote-O-Matic WordPress plugin through 1.0.5 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4236 ‼
📖 Read
via "National Vulnerability Database".
The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file via an AJAX action available to any authenticated users, which could allow users with a role as low as subscriber to read arbitrary files on the server.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4355 ‼
📖 Read
via "National Vulnerability Database".
The LetsRecover WordPress plugin through 1.1.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4352 ‼
📖 Read
via "National Vulnerability Database".
The Qe SEO Handyman WordPress plugin through 1.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4358 ‼
📖 Read
via "National Vulnerability Database".
The WP RSS By Publishers WordPress plugin through 0.1 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin📖 Read
via "National Vulnerability Database".
‼ CVE-2022-3911 ‼
📖 Read
via "National Vulnerability Database".
The iubenda | All-in-one Compliance for GDPR / CCPA Cookie Consent + more WordPress plugin before 3.3.3 does does not have authorisation and CSRF in an AJAX action, and does not ensure that the options to be updated belong to the plugin as long as they are arrays. As a result, any authenticated users, such as subscriber can grant themselves any privileges, such as edit_plugins etc📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4351 ‼
📖 Read
via "National Vulnerability Database".
The Qe SEO Handyman WordPress plugin through 1.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4340 ‼
📖 Read
via "National Vulnerability Database".
The BookingPress WordPress plugin before 1.0.31 suffers from an Insecure Direct Object Reference (IDOR) vulnerability in it's thank you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointment_id query parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4057 ‼
📖 Read
via "National Vulnerability Database".
The Autoptimize WordPress plugin before 3.1.0 uses an easily guessable path to store plugin's exported settings and logs.📖 Read
via "National Vulnerability Database".
‼ CVE-2015-10010 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in OpenDNS OpenResolve. It has been rated as problematic. Affected by this issue is the function get of the file resolverapi/endpoints.py of the component API. The manipulation leads to cross site scripting. The attack may be launched remotely. The name of the patch is c680170d5583cd9342fe1af43001fe8b2b8004dd. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217196.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4302 ‼
📖 Read
via "National Vulnerability Database".
The White Label CMS WordPress plugin before 2.5 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4357 ‼
📖 Read
via "National Vulnerability Database".
The LetsRecover WordPress plugin through 1.1.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4256 ‼
📖 Read
via "National Vulnerability Database".
The All-in-One Addons for Elementor WordPress plugin before 2.4.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4200 ‼
📖 Read
via "National Vulnerability Database".
The Login with Cognito WordPress plugin through 1.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4260 ‼
📖 Read
via "National Vulnerability Database".
The WP-Ban WordPress plugin before 1.69.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).📖 Read
via "National Vulnerability Database".
‼ CVE-2022-4059 ‼
📖 Read
via "National Vulnerability Database".
The Cryptocurrency Widgets Pack WordPress plugin through 1.8.1 does not sanitise and escape some parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.📖 Read
via "National Vulnerability Database".