Total
210374 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3855 | 1 404 To Start Project | 1 404 To Start | 2023-01-12 | N/A | 4.8 MEDIUM |
| The 404 to Start WordPress plugin through 1.6.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2022-4392 | 1 Ipanorama 360 Wordpress Virtual Tour Builder Project | 1 Ipanorama 360 Wordpress Virtual Tour Builder | 2023-01-12 | N/A | 5.4 MEDIUM |
| The iPanorama 360 WordPress Virtual Tour Builder plugin through 1.6.29 does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-4391 | 1 Vision Interactive Project | 1 Vision Interactive | 2023-01-12 | N/A | 5.4 MEDIUM |
| The Vision Interactive For WordPress plugin through 1.5.3 does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2023-0125 | 1 Control Id Panel Project | 1 Control Id Panel | 2023-01-12 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Control iD Panel. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Web Interface. The manipulation of the argument Nome leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-217717 was assigned to this vulnerability. | |||||
| CVE-2022-3679 | 1 Kadencewp | 1 Starter Templates | 2023-01-12 | N/A | 8.8 HIGH |
| The Starter Templates by Kadence WP WordPress plugin before 1.2.17 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog. | |||||
| CVE-2014-125072 | 1 Klattr Project | 1 Klattr | 2023-01-12 | N/A | 7.8 HIGH |
| A vulnerability classified as critical has been found in CherishSin klattr. This affects an unknown part. The manipulation leads to sql injection. The name of the patch is f8e4ecfbb83aef577011b0b4aebe96fb6ec557f1. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217719. | |||||
| CVE-2022-4374 | 1 Bg Bible References Project | 1 Bg Bible References | 2023-01-12 | N/A | 6.1 MEDIUM |
| The Bg Bible References WordPress plugin through 3.8.14 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. | |||||
| CVE-2022-4368 | 1 Cpkwebsolutions | 1 Wp Csv | 2023-01-12 | N/A | 6.1 MEDIUM |
| The WP CSV WordPress plugin through 1.8.0.0 does not sanitize and escape a parameter before outputting it back in the page when importing a CSV, and doe snot have CSRF checks in place as well, leading to a Reflected Cross-Site Scripting. | |||||
| CVE-2022-3417 | 1 Bravenewcode | 1 Wptouch | 2023-01-12 | N/A | 8.8 HIGH |
| The WPtouch WordPress plugin before 4.3.45 unserialises the content of an imported settings file, which could lead to PHP object injections issues when an user import (intentionally or not) a malicious settings file and a suitable gadget chain is present on the blog. | |||||
| CVE-2022-3416 | 1 Bravenewcode | 1 Wptouch | 2023-01-12 | N/A | 7.2 HIGH |
| The WPtouch WordPress plugin before 4.3.45 does not properly validate images to be uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup) | |||||
| CVE-2022-4325 | 1 Ifeelweb | 1 Post Status Notifier Lite | 2023-01-12 | N/A | 6.1 MEDIUM |
| The Post Status Notifier Lite WordPress plugin before 1.10.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which can be used against high privilege users such as admin. | |||||
| CVE-2022-4301 | 1 Sunshinephotocart | 1 Sunshine Photo Cart | 2023-01-12 | N/A | 6.1 MEDIUM |
| The Sunshine Photo Cart WordPress plugin before 2.9.15 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. | |||||
| CVE-2022-4393 | 1 Imagelinks Interactive Image Builder Project | 1 Imagelinks Interactive Image Builder | 2023-01-12 | N/A | 5.4 MEDIUM |
| The ImageLinks Interactive Image Builder for WordPress plugin through 1.5.3 does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-4196 | 1 Mondula | 1 Multi Step Form | 2023-01-12 | N/A | 4.8 MEDIUM |
| The Multi Step Form WordPress plugin before 1.7.8 does not sanitise and escape some of its form fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2022-4043 | 1 Wp Custom Admin Interface Project | 1 Wp Custom Admin Interface | 2023-01-12 | N/A | 7.2 HIGH |
| The WP Custom Admin Interface WordPress plugin before 7.29 unserialize user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. | |||||
| CVE-2022-46603 | 1 Inkdrop | 1 Inkdrop | 2023-01-12 | N/A | 6.1 MEDIUM |
| An issue in Inkdrop v5.4.1 allows attackers to execute arbitrary commands via uploading a crafted markdown file. | |||||
| CVE-2022-4394 | 1 Ipages Flipbook Project | 1 Ipages Flipbook | 2023-01-12 | N/A | 5.4 MEDIUM |
| The iPages Flipbook For WordPress plugin through 1.4.6 does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2022-4310 | 1 Wp-slimstat | 1 Slimstat Analytics | 2023-01-12 | N/A | 6.1 MEDIUM |
| The Slimstat Analytics WordPress plugin before 4.9.3 does not sanitise and escape the URI when logging requests, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks against logged in admin viewing the logs | |||||
| CVE-2022-4429 | 1 Avira | 1 Avira Security | 2023-01-12 | N/A | 4.4 MEDIUM |
| Avira Security for Windows contains an unquoted service path which allows attackers with local administrative privileges to cause a Denial of Service. The issue was fixed with Avira Security version 1.1.78 | |||||
| CVE-2022-4497 | 1 Automattic | 1 Jetpack Crm | 2023-01-12 | N/A | 5.4 MEDIUM |
| The Jetpack CRM WordPress plugin before 5.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins | |||||