Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-0472 | 1 Laracom Project | 1 Laracom | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Unrestricted Upload of File with Dangerous Type in Packagist jsdecena/laracom prior to v2.0.9.
|
|||||
| CVE-2022-0471 | 1 Realfavicongenerator | 1 Favicon By Realfavicongenerator | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Favicon by RealFaviconGenerator WordPress plugin before 1.3.23 does not properly sanitise and escape the json_result_url parameter before outputting it back in the Favicon admin dashboard, leading to a Reflected Cross-Site Scripting issue
|
|||||
| CVE-2022-0449 | 1 Odude | 1 Flexi | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Flexi WordPress plugin before 4.20 does not sanitise and escape various parameters before outputting them back in some pages such as the user dashboard, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2022-0448 | 1 Dwbooster | 1 Cp Blocks | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The CP Blocks WordPress plugin before 1.0.15 does not sanitise and escape its "License ID" settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.
|
|||||
| CVE-2022-0447 | 1 Pickplugins | 1 Post Grid | 2024-11-21 | 3.5 LOW | 6.4 MEDIUM |
|
The Post Grid WordPress plugin before 2.1.16 does not sanitise and escape the post_types parameter before outputting it back in the response of the post_grid_update_taxonomies_terms_by_posttypes AJAX action, available to any authenticated users, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2022-0446 | 1 Simple Banner Project | 1 Simple Banner | 2024-11-21 | N/A | 4.8 MEDIUM |
|
The Simple Banner WordPress plugin before 2.12.0 does not properly sanitize its "Simple Banner Text" Settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2022-0437 | 1 Karma Project | 1 Karma | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14.
|
|||||
| CVE-2022-0431 | 1 Insights From Google Pagespeed Project | 1 Insights From Google Pagespeed | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Insights from Google PageSpeed WordPress plugin before 4.0.4 does not sanitise and escape various parameters before outputting them back in attributes in the plugin's settings dashboard, leading to Reflected Cross-Site Scripting
|
|||||
| CVE-2022-0429 | 1 Cerber | 1 Wp Cerber Security\, Anti-spam \& Malware Scan | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The WP Cerber Security, Anti-spam & Malware Scan WordPress plugin before 8.9.6 does not sanitise the $url variable before using it in an attribute in the Activity tab in the plugins dashboard, leading to an unauthenticated stored Cross-Site Scripting vulnerability.
|
|||||
| CVE-2022-0428 | 1 Keywordrush | 1 Content Egg | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Content Egg WordPress plugin before 5.3.0 does not sanitise and escape the page parameter before outputting back in an attribute in the Autoblogging admin dashboard, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2022-0426 | 1 Adtribes | 1 Product Feed Pro For Woocommerce | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Product Feed PRO for WooCommerce WordPress plugin before 11.2.3 does not escape the rowCount parameter before outputting it back in an attribute via the woosea_categories_dropdown AJAX action (available to any authenticated user), leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2022-0423 | 1 3dflipbook | 1 3d Flipbook | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The 3D FlipBook WordPress plugin before 1.12.1 does not have authorisation and CSRF checks when updating its settings, and does not have any sanitisation/escaping, allowing any authenticated users, such as subscriber to put Cross-Site Scripting payloads in all pages with a 3d flipbook.
|
|||||
| CVE-2022-0422 | 1 Videousermanuals | 1 White Label Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue
|
|||||
| CVE-2022-0418 | 1 Event List Project | 1 Event List | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Event List WordPress plugin before 0.8.8 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks against other admin even when the unfiltered_html is disallowed
|
|||||
| CVE-2022-0399 | 1 Berocket | 1 Advanced Product Labels For Woocommerce | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Advanced Product Labels for WooCommerce WordPress plugin before 1.2.3.7 does not sanitise and escape the tax_color_set_type parameter before outputting it back in the berocket_apl_color_listener AJAX action's response, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2022-0397 | 1 Wpclever | 1 Wpc Smart Wishlist For Woocommerce | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The WPC Smart Wishlist for WooCommerce WordPress plugin before 2.9.4 does not sanitise and escape the key parameter before outputting it back in the wishlist_quickview AJAX action's response (available to any authenticated user), leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2022-0395 | 1 Livehelperchat | 1 Live Helper Chat | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.
|
|||||
| CVE-2022-0394 | 1 Livehelperchat | 1 Live Helper Chat | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.
|
|||||
| CVE-2022-0389 | 1 Codepeople | 1 Wp Time Slots Booking Form | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The WP Time Slots Booking Form WordPress plugin before 1.1.63 does not sanitise and escape Calendar names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2022-0388 | 1 Humananatomyillustrations | 1 Interactive Medical Drawing Of Human Body | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Interactive Medical Drawing of Human Body WordPress plugin before 2.6 does not sanitise and escape the Link field, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2022-0387 | 1 Livehelperchat | 1 Livehelperchat | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.
|
|||||
| CVE-2022-0385 | 1 Crazy Bone Project | 1 Crazy Bone | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Crazy Bone WordPress plugin through 0.6.0 does not sanitise and escape the username submitted via the login from when displaying them back in the log dashboard, leading to an unauthenticated Stored Cross-Site scripting
|
|||||
| CVE-2022-0381 | 1 Embed Swagger Project | 1 Embed Swagger | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Embed Swagger WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient escaping/sanitization and validation via the url parameter found in the ~/swagger-iframe.php file which allows attackers to inject arbitrary web scripts onto the page, in versions up to and including 1.0.0.
|
|||||
| CVE-2022-0380 | 1 Fotobook Project | 1 Fotobook | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Fotobook WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient escaping and the use of $_SERVER['PHP_SELF'] found in the ~/options-fotobook.php file which allows attackers to inject arbitrary web scripts onto the page, in versions up to and including 3.2.3.
|
|||||
| CVE-2022-0379 | 1 Microweber | 1 Microweber | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.
|
|||||
| CVE-2022-0378 | 1 Microweber | 1 Microweber | 2024-11-21 | 4.3 MEDIUM | 5.4 MEDIUM |
|
Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.
|
|||||
| CVE-2022-0376 | 1 User-meta | 1 User Meta User Profile Builder And User Management | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The User Meta WordPress plugin before 2.4.3 does not sanitise and escape the Form Name, as well as Shared Field Labels before outputting them in the admin dashboard when editing a form, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
|
|||||
| CVE-2022-0375 | 1 Livehelperchat | 1 Live Helper Chat | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.
|
|||||
| CVE-2022-0374 | 1 Livehelperchat | 1 Live Helper Chat | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.
|
|||||
| CVE-2022-0372 | 1 Craterapp | 1 Crater | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Cross-site Scripting (XSS) - Stored in Packagist bytefury/crater prior to 6.0.2.
|
|||||
| CVE-2022-0370 | 1 Livehelperchat | 1 Livehelperchat | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.
|
|||||
| CVE-2022-0364 | 1 Webnus | 1 Modern Events Calendar Lite | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Modern Events Calendar Lite WordPress plugin before 6.4.0 does not sanitize and escape some of the Hourly Schedule parameters which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2022-0360 | 1 Smackcoders | 1 Import All Pages\, Post Types\, Products\, Orders\, And Users As Xml \& Csv | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Easy Drag And drop All Import : WP Ultimate CSV Importer WordPress plugin before 6.4.3 does not sanitise and escaped imported comments, which could allow high privilege users to import malicious ones (either intentionnaly or not) and lead to Stored Cross-Site Scripting issues
|
|||||
| CVE-2022-0352 | 1 Janeczku | 1 Calibre-web | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site Scripting (XSS) - Reflected in Pypi calibreweb prior to 0.6.16.
|
|||||
| CVE-2022-0350 | 1 B3log | 1 Vditor | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 3.8.13.
|
|||||
| CVE-2022-0348 | 1 Pimcore | 1 Pimcore | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore prior to 10.2.
|
|||||
| CVE-2022-0347 | 1 Wpbrigade | 1 Loginpress | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The LoginPress | Custom Login Page Customizer WordPress plugin before 1.5.12 does not escape the redirect-page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2022-0346 | 1 Xmlsitemapgenerator | 1 Xml Sitemap Generator | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The XML Sitemap Generator for Google WordPress plugin before 2.0.4 does not validate a parameter which can be set to an arbitrary value, thus causing XSS via error message or RCE if allow_url_include is turned on.
|
|||||
| CVE-2022-0341 | 1 B3log | 1 Vditor | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 3.8.12.
|
|||||
| CVE-2022-0327 | 1 Jeweltheme | 1 Master Addons For Elementor | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Master Addons for Elementor WordPress plugin before 1.8.5 does not sanitise and escape the error_message parameter before outputting it back in the response of the jltma_restrict_content AJAX action, available to unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting
|
|||||