Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-1906 | 1 Digiprove | 1 Copyright Proof | 2024-11-21 | N/A | 6.1 MEDIUM |
|
The Copyright Proof WordPress plugin through 4.16 does not sanitise and escape a parameter before outputting it back via an AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting when a specific setting is enabled.
|
|||||
| CVE-2022-1904 | 1 Fatcatapps | 1 Easy Pricing Tables | 2024-11-21 | 2.6 LOW | 6.1 MEDIUM |
|
The Pricing Tables WordPress Plugin WordPress plugin before 3.2.1 does not sanitise and escape parameter before outputting it back in a page available to any user (both authenticated and unauthenticated) when a specific setting is enabled, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2022-1896 | 1 Underconstruction Project | 1 Underconstruction | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The underConstruction WordPress plugin before 1.21 does not sanitise or escape the "Display a custom page using your own HTML" setting before outputting it, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiletred_html capability is disallowed.
|
|||||
| CVE-2022-1894 | 1 Sygnoos | 1 Popup Builder | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Popup Builder WordPress plugin before 4.1.11 does not escape and sanitize some settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltred_html is disallowed
|
|||||
| CVE-2022-1889 | 1 Thenewsletterplugin | 1 Newsletter | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Newsletter WordPress plugin before 7.4.6 does not escape and sanitise the preheader_text setting, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfilteredhtml is disallowed
|
|||||
| CVE-2022-1840 | 1 Home Clean Services Management System Project | 1 Home Clean Services Management System | 2024-11-21 | 3.5 LOW | 2.4 LOW |
|
A vulnerability, which was classified as problematic, has been found in Home Clean Services Management System 1.0. This issue affects register.php?link=registerand. The manipulation with the input <script>alert(1)</script> leads to cross site scripting. The attack may be initiated remotely but demands authentication. Exploit details have been disclosed to the public.
|
|||||
| CVE-2022-1825 | 1 Collectiveaccess | 1 Providence | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Cross-site Scripting (XSS) - Reflected in GitHub repository collectiveaccess/providence prior to 1.8.
|
|||||
| CVE-2022-1819 | 1 Student Information System Project | 1 Student Information System | 2024-11-21 | 3.5 LOW | 2.4 LOW |
|
A vulnerability, which was classified as problematic, was found in Student Information System 1.0. Affected is admin/?page=students of the Student Roll module. The manipulation with the input <script>alert(1)</script> leads to authenticated cross site scripting. Exploit details have been disclosed to the public.
|
|||||
| CVE-2022-1817 | 1 Badminton Center Management System Project | 1 Badminton Center Management System | 2024-11-21 | 3.5 LOW | 3.5 LOW |
|
A vulnerability, which was classified as problematic, was found in Badminton Center Management System. This affects the userlist module at /bcms/admin/?page=user/list. The manipulation of the argument username with the input </td><img src="" onerror="alert(1)"><td>1 leads to an authenticated cross site scripting. Exploit details have been disclosed to the public.
|
|||||
| CVE-2022-1816 | 1 Phpgurukul | 1 Zoo Management System | 2024-11-21 | 3.5 LOW | 3.5 LOW |
|
A vulnerability, which was classified as problematic, has been found in Zoo Management System 1.0. Affected by this issue is /zoo/admin/public_html/view_accounts?type=zookeeper of the content module. The manipulation of the argument admin_name with the input <script>alert(1)</script> leads to an authenticated cross site scripting. Exploit details have been disclosed to the public.
|
|||||
| CVE-2022-1814 | 1 Wp Admin Style Project | 1 Wp Admin Style | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The WP Admin Style WordPress plugin through 0.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed
|
|||||
| CVE-2022-1806 | 1 Rtx Project | 1 Rtx | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site Scripting (XSS) - Reflected in GitHub repository rtxteam/rtx prior to checkpoint_2022-05-18.
|
|||||
| CVE-2022-1782 | 1 Erudika | 1 Para | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site Scripting (XSS) - Generic in GitHub repository erudika/para prior to v1.45.11.
|
|||||
| CVE-2022-1776 | 1 Icegram | 1 Popups\, Welcome Bar\, Optins And Lead Generation Plugin | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.1.8 does not sanitize and escape some campaign parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2022-1773 | 1 Wp Athletics Project | 1 Wp Athletics | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The WP Athletics WordPress plugin through 1.1.7 does not sanitise and escape a parameter before outputting back in an admin page, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2022-1772 | 1 Google Places Reviews Project | 1 Google Places Reviews | 2024-11-21 | 2.1 LOW | 4.8 MEDIUM |
|
The Google Places Reviews WordPress plugin before 2.0.0 does not properly escape its Google API key setting, which is reflected on the site's administration panel. A malicious administrator could abuse this bug, in a multisite WordPress configuration, to trick super-administrators into viewing the booby-trapped payload and taking over their account.
|
|||||
| CVE-2022-1757 | 1 Pagebar Project | 1 Pagebar | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The pagebar WordPress plugin before 2.70 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Furthermore, due to the lack of sanitisation in some of them, it could also lead to Stored XSS issues
|
|||||
| CVE-2022-1756 | 1 Thenewsletterplugin | 1 Newsletter | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below.
|
|||||
| CVE-2022-1730 | 1 Diagrams | 1 Drawio | 2024-11-21 | 3.5 LOW | 4.6 MEDIUM |
|
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 18.0.4.
|
|||||
| CVE-2022-1726 | 1 Bootstrap-table | 1 Bootstrap Table | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Bootstrap Tables XSS vulnerability with Table Export plug-in when exportOptions: htmlContent is true in GitHub repository wenzhixin/bootstrap-table prior to 1.20.2. Disclosing session cookies, disclosing secure session data, exfiltrating data to third-parties.
|
|||||
| CVE-2022-1724 | 1 Simple-membership-plugin | 1 Simple Membership | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters before outputting them back in AJAX actions, leading to Reflected Cross-Site Scripting
|
|||||
| CVE-2022-1719 | 1 Trudesk Project | 1 Trudesk | 2024-11-21 | N/A | 5.4 MEDIUM |
|
Reflected XSS on ticket filter function in GitHub repository polonel/trudesk prior to 1.2.2. This vulnerability is capable of executing a malicious javascript code in web page
|
|||||
| CVE-2022-1717 | 1 Wp-experts | 1 Custom Share Buttons With Floating Sidebar | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Custom Share Buttons with Floating Sidebar WordPress plugin before 4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed
|
|||||
| CVE-2022-1710 | 1 Dwbooster | 1 Appointment Hour Booking | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Appointment Hour Booking WordPress plugin before 1.3.56 does not sanitise and escape a settings of its Calendar fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.
|
|||||
| CVE-2022-1682 | 1 Facturascripts | 1 Facturascripts | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Reflected Xss using url based payload in GitHub repository neorazorx/facturascripts prior to 2022.07. Xss can use to steal user's cookies which lead to Account takeover or do any malicious activity in victim's browser
|
|||||
| CVE-2022-1673 | 1 Greenwallet | 1 Woocommerce Green Wallet Gateway | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The WooCommerce Green Wallet Gateway WordPress plugin before 1.0.2 does not escape the error_envision query parameter before outputting it to the page, leading to a Reflected Cross-Site Scripting vulnerability.
|
|||||
| CVE-2022-1647 | 1 Ncrafts | 1 Formcraft | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The FormCraft WordPress plugin before 1.2.6 does not sanitise and escape Field Labels, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2022-1646 | 1 Simple Real Estate Pack Project | 1 Simple Real Estate Pack | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Simple Real Estate Pack WordPress plugin through 1.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed
|
|||||
| CVE-2022-1645 | 1 Amazon Link Project | 1 Amazon Link | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Amazon Link WordPress plugin through 3.2.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
|
|||||
| CVE-2022-1644 | 1 Call\&book Mobile Bar Project | 1 Call\&book Mobile Bar | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Call&Book Mobile Bar WordPress plugin through 1.2.2 does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
|
|||||
| CVE-2022-1643 | 1 Birthdays Widget Project | 1 Birthdays Widget | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Birthdays Widget WordPress plugin through 1.7.18 does not sanitise and escape some of its fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed
|
|||||
| CVE-2022-1628 | 1 Coleds | 1 Simple Seo | 2024-11-21 | N/A | 6.4 MEDIUM |
|
The Simple SEO plugin for WordPress is vulnerable to attribute-based stored Cross-Site Scripting in versions up to, and including 1.7.91, due to insufficient sanitization or escaping on the SEO social and standard title parameters. This can be exploited by authenticated users with Contributor and above permissions to inject arbitrary web scripts into posts/pages that execute whenever an administrator access the page.
|
|||||
| CVE-2022-1604 | 1 Mailerlite | 1 Mailerlite Signup Forms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The MailerLite WordPress plugin before 1.5.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2022-1597 | 1 2code | 1 Wpqa Builder | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The WPQA Builder WordPress plugin before 5.4, used as a companion for the Discy and Himer , does not sanitise and escape a parameter on its reset password form which makes it possible to perform Reflected Cross-Site Scripting attacks
|
|||||
| CVE-2022-1593 | 1 Site Offline Or Coming Soon Project | 1 Site Offline Or Coming Soon | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Site Offline or Coming Soon WordPress plugin through 1.6.6 does not have CSRF check in place when updating its settings, and it also lacking sanitisation as well as escaping in some of them. As a result, attackers could make a logged in admin change them and put Cross-Site Scripting payloads in them via a CSRF attack
|
|||||
| CVE-2022-1590 | 1 Bludit | 1 Bludit | 2024-11-21 | 3.5 LOW | 3.5 LOW |
|
A vulnerability was found in Bludit 3.13.1. It has been declared as problematic. This vulnerability affects the endpoint /admin/new-content of the New Content module. The manipulation of the argument content with the input <script>alert(1)</script> leads to cross site scripting. The attack can be initiated remotely but requires an authentication. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2022-1584 | 1 Microweber | 1 Microweber | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Reflected XSS in GitHub repository microweber/microweber prior to 1.2.16. Executing JavaScript as the victim
|
|||||
| CVE-2022-1582 | 1 Webfactoryltd | 1 External Links In New Window \/ New Tab | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The External Links in New Window / New Tab WordPress plugin before 1.43 does not properly escape URLs it concatenates to onclick event handlers, which makes Stored Cross-Site Scripting attacks possible.
|
|||||
| CVE-2022-1575 | 1 Diagrams | 1 Drawio | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL |
|
Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. - Arbitrary (remote) code execution in the desktop app. - Stored XSS in the web app.
|
|||||
| CVE-2022-1571 | 1 Facturascripts | 1 Facturascripts | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site scripting - Reflected in Create Subaccount in GitHub repository neorazorx/facturascripts prior to 2022.07. This vulnerability can be arbitrarily executed javascript code to steal user'cookie, perform HTTP request, get content of `same origin` page, etc ...
|
|||||