Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-1091 | 1 10up | 1 Safe Svg | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent (mainly XSS, but depending on further use of uploaded SVG files potentially other XML attacks).
|
|||||
| CVE-2022-1090 | 1 Good-bad-comments Project | 1 Good-bad-comments | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Good & Bad Comments WordPress plugin through 1.0.0 does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2022-1089 | 1 Wpsheeteditor | 1 Bulk Edit And Create User Profiles - Wp Sheet Editor | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Bulk Edit and Create User Profiles WordPress plugin before 1.5.14 does not sanitise and escape the Users Login, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2022-1088 | 1 Contextureintl | 1 Page Security \& Membership | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Page Security & Membership WordPress plugin through 1.5.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2022-1087 | 1 Htmly | 1 Htmly | 2024-11-21 | 3.5 LOW | 3.5 LOW |
|
A vulnerability, which was classified as problematic, has been found in htmly 5.3 whis affects the component Edit Profile Module. The manipulation of the field Title with script tags leads to persistent cross site scripting. The attack may be initiated remotely and requires an authentication. A simple POC has been disclosed to the public and may be used.
|
|||||
| CVE-2022-1086 | 1 Dolphinphp Project | 1 Dolphinphp | 2024-11-21 | 3.5 LOW | 3.5 LOW |
|
A vulnerability was found in DolphinPHP up to 1.5.0 and classified as problematic. Affected by this issue is the User Management Page. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2022-1085 | 1 Cltphp | 1 Cltphp | 2024-11-21 | 4.3 MEDIUM | 3.5 LOW |
|
A vulnerability was found in CLTPHP up to 6.0. It has been declared as problematic. Affected by this vulnerability is the POST Parameter Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2022-1081 | 1 Microfinance Management System Project | 1 Microfinance Management System | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in SourceCodester Microfinance Management System 1.0. It has been declared as problematic. This vulnerability affects the file /mims/app/addcustomerHandler.php. The manipulation of the argument first_name, middle_name, and surname leads to cross site scripting. The attack can be initiated remotely.
|
|||||
| CVE-2022-1079 | 1 One Church Management System Project | 1 One Church Management System | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
A vulnerability classified as problematic has been found in SourceCodester One Church Management System. Affected are multiple files and parameters which are prone to to cross site scripting. It is possible to launch the attack remotely.
|
|||||
| CVE-2022-1076 | 1 Automatic Question Paper Generator System Project | 1 Automatic Question Paper Generator System | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in Automatic Question Paper Generator System 1.0. It has been classified as problematic. This affects the file /aqpg/users/login.php of the component My Account Page. The manipulation of the argument First Name/Middle Name/Last Name leads to cross site scripting. It is possible to initiate the attack remotely.
|
|||||
| CVE-2022-1075 | 1 College Website Management System Project | 1 College Website Management System | 2024-11-21 | 3.5 LOW | 3.5 LOW |
|
A vulnerability was found in College Website Management System 1.0 and classified as problematic. Affected by this issue is the file /cwms/classes/Master.php?f=save_contact of the component Contact Handler. The manipulation leads to persistent cross site scripting. The attack may be launched remotely and requires authentication.
|
|||||
| CVE-2022-1074 | 1 Tem | 2 Flex-1085, Flex-1085 Firmware | 2024-11-21 | 3.5 LOW | 4.3 MEDIUM |
|
A vulnerability has been found in TEM FLEX-1085 1.6.0 and classified as problematic. Using the input <h1>HTML Injection</h1> in the WiFi settings of the dashboard leads to html injection.
|
|||||
| CVE-2022-1063 | 1 Thank Me Later Project | 1 Thank Me Later | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Thank Me Later WordPress plugin through 3.3.4 does not sanitise and escape the Message Subject field before outputting it in the Messages list, which could allow high privileges users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2022-1062 | 1 Th23 | 1 Th23 Social | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The th23 Social WordPress plugin through 1.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2022-1051 | 1 2code | 1 Wpqa Builder | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer , does not sanitise and escape the city, phone or profile credentials fields when outputting it in the profile page, allowing any authenticated user to perform Cross-Site Scripting attacks.
|
|||||
| CVE-2022-1047 | 1 Themify | 1 Post Type Builder Search Addon | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Themify Post Type Builder Search Addon WordPress plugin before 1.4.0 does not properly escape the current page URL before reusing it in a HTML attribute, leading to a reflected cross site scripting vulnerability.
|
|||||
| CVE-2022-1046 | 1 Vfbpro | 1 Visual Form Builder | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Visual Form Builder WordPress plugin before 3.0.7 does not sanitise and escape the form's 'Email to' field , which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2022-1029 | 1 Miniorange | 1 Limit Login Attempts | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Limit Login Attempts WordPress plugin before 4.0.72 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup)
|
|||||
| CVE-2022-1028 | 1 Miniorange | 1 Wordpress Security | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The WordPress Security Firewall, Malware Scanner, Secure Login and Backup plugin before 4.2.1 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup)
|
|||||
| CVE-2022-1027 | 1 Minioragne | 1 Page Restriction | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Page Restriction WordPress (WP) WordPress plugin before 1.2.7 allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings leading to stored Cross-Site Scripting that will only affect administrator users.
|
|||||
| CVE-2022-1022 | 1 Chatwoot | 1 Chatwoot | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.5.0.
|
|||||
| CVE-2022-1021 | 1 Chatwoot | 1 Chatwoot | 2024-11-21 | N/A | 5.4 MEDIUM |
|
Insecure Storage of Sensitive Information in GitHub repository chatwoot/chatwoot prior to 2.6.0.
|
|||||
| CVE-2022-1010 | 1 Miniorange | 1 Login Using Wordpress Users | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Login using WordPress Users ( WP as SAML IDP ) WordPress plugin before 1.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2022-1009 | 1 Wpmudev | 1 Smush Image Compression And Optimization | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Smush WordPress plugin before 3.9.9 does not sanitise and escape a configuration parameter before outputting it back in an admin page when uploading a malicious preset configuration, leading to a Reflected Cross-Site Scripting. For the attack to be successful, an attacker would need an admin to upload a malicious configuration file
|
|||||
| CVE-2022-1007 | 1 Elbtide | 1 Advanced Booking Calendar | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the room parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
|
|||||
| CVE-2022-1005 | 1 Veronalabs | 1 Wp Statistics | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The WP Statistics WordPress plugin before 13.2.2 does not sanitise the REQUEST_URI parameter before outputting it back in the rendered page, leading to Cross-Site Scripting (XSS) in web browsers which do not encode characters
|
|||||
| CVE-2022-1002 | 1 Mattermost | 1 Mattermost | 2024-11-21 | 3.5 LOW | 2.0 LOW |
|
Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows registered users with special permissions to invite guest users to inject unescaped HTML content in the email invitations.
|
|||||
| CVE-2022-1001 | 1 Wp Downgrade Project | 1 Wp Downgrade | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The WP Downgrade WordPress plugin before 1.2.3 only perform client side validation of its "WordPress Target Version" settings, but does not sanitise and escape it server side, allowing high privilege users such as admin to perform Cross-Site attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2022-0994 | 1 Incsub | 1 Hummingbird | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Hummingbird WordPress plugin before 3.3.2 does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2022-0986 | 1 Hestiacp | 1 Control Panel | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Reflected Cross-site Scripting (XSS) Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.11.
|
|||||
| CVE-2022-0970 | 1 Getgrav | 1 Grav | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Cross-site Scripting (XSS) - Stored in GitHub repository getgrav/grav prior to 1.7.31.
|
|||||
| CVE-2022-0969 | 1 Vertistudio | 1 Image Optimization \& Lazy Load By Optimole | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Image optimization & Lazy Load by Optimole WordPress plugin before 3.3.2 does not sanitise and escape its "Lazyload background images for selectors" settings, which could allow high privilege users such as admin to perform Cross-Site scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2022-0967 | 1 Showdoc | 1 Showdoc | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Stored XSS via File Upload in star7th/showdoc in star7th/showdoc in GitHub repository star7th/showdoc prior to 2.10.4.
|
|||||
| CVE-2022-0966 | 1 Showdoc | 1 Showdoc | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Stored XSS via File Upload in star7th/showdoc in GitHub repository star7th/showdoc prior to 2.4.10.
|
|||||
| CVE-2022-0965 | 1 Showdoc | 1 Showdoc | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Stored XSS viva .ofd file upload in GitHub repository star7th/showdoc prior to 2.10.4.
|
|||||
| CVE-2022-0964 | 1 Showdoc | 1 Showdoc | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Stored XSS viva .webmv file upload in GitHub repository star7th/showdoc prior to 2.10.4.
|
|||||
| CVE-2022-0963 | 1 Microweber | 1 Microweber | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Unrestricted XML Files Leads to Stored XSS in GitHub repository microweber/microweber prior to 1.2.12.
|
|||||
| CVE-2022-0962 | 1 Showdoc | 1 Showdoc | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Stored XSS viva .webma file upload in GitHub repository star7th/showdoc prior to 2.10.4.
|
|||||
| CVE-2022-0960 | 1 Showdoc | 1 Showdoc | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Stored XSS viva .properties file upload in GitHub repository star7th/showdoc prior to 2.10.4.
|
|||||
| CVE-2022-0958 | 1 Mark Posts Project | 1 Mark Posts | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Mark Posts WordPress plugin before 2.0.1 does not escape new markers, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||