Total
7170 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-2382 | 1 Shapedplugin | 1 Product Slider For Woocommerce | 2024-11-21 | 4.3 Medium |
| The Product Slider for WooCommerce WordPress plugin before 2.5.7 has flawed CSRF checks and lack authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber to call them. One in particular could allow them to delete arbitrary blog options. | ||||
| CVE-2022-2381 | 1 E Unlocked - Student Result Project | 1 E Unlocked - Student Result | 2024-11-21 | 8.8 High |
| The E Unlocked - Student Result WordPress plugin through 1.0.4 is lacking CSRF and validation when uploading the School logo, which could allow attackers to make a logged in admin upload arbitrary files, such as PHP via a CSRF attack | ||||
| CVE-2022-2377 | 1 Wpwax | 1 Directorist | 2024-11-21 | 4.3 Medium |
| The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog | ||||
| CVE-2022-2375 | 1 Okapitech | 1 Wp Sticky Button | 2024-11-21 | 5.4 Medium |
| The WP Sticky Button WordPress plugin before 1.4.1 does not have authorisation and CSRF checks when saving its settings, allowing unauthenticated users to update them. Furthermore, due to the lack of escaping in some of them, it could lead to Stored Cross-Site Scripting issues | ||||
| CVE-2022-2355 | 1 Easy Username Updater Project | 1 Easy Username Updater | 2024-11-21 | 6.5 Medium |
| The Easy Username Updater WordPress plugin before 1.0.5 does not implement CSRF checks, which could allow attackers to make a logged in admin change any user's username includes the admin | ||||
| CVE-2022-2353 | 1 Microweber | 1 Microweber | 2024-11-21 | 6.1 Medium |
| Prior to microweber/microweber v1.2.20, due to improper neutralization of input, an attacker can steal tokens to perform cross-site request forgery, fetch contents from same-site and redirect a user. | ||||
| CVE-2022-2350 | 1 Brainvire | 1 Disable User Login | 2024-11-21 | 5.3 Medium |
| The Disable User Login WordPress plugin through 1.0.1 does not have authorisation and CSRF checks when updating its settings, allowing unauthenticated attackers to block (or unblock) users at will. | ||||
| CVE-2022-2312 | 1 Student Result Or Employee Database Project | 1 Student Result Or Employee Database | 2024-11-21 | 5.4 Medium |
| The Student Result or Employee Database WordPress plugin before 1.7.5 does not have CSRF in its AJAX actions, allowing attackers to make logged in user with a role as low as contributor to add/edit and delete students via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site scripting | ||||
| CVE-2022-2276 | 1 Wp Edit Menu Project | 1 Wp Edit Menu | 2024-11-21 | 4.3 Medium |
| The WP Edit Menu WordPress plugin before 1.5.0 does not have authorisation and CSRF in an AJAX action, which could allow unauthenticated attackers to delete arbitrary posts/pages from the blog | ||||
| CVE-2022-2275 | 1 Wp Edit Menu Project | 1 Wp Edit Menu | 2024-11-21 | 4.3 Medium |
| The WP Edit Menu WordPress plugin before 1.5.0 does not have CSRF in an AJAX action, which could allow attackers to make a logged in admin delete arbitrary posts/pages from the blog via a CSRF attack | ||||
| CVE-2022-2260 | 1 Givewp | 1 Givewp | 2024-11-21 | 6.5 Medium |
| The GiveWP WordPress plugin before 2.21.3 does not have CSRF in place when exporting data, and does not validate the exporting parameters such as dates, which could allow attackers to make a logged in admin DoS the web server via a CSRF attack as the plugin will try to retrieve data from the database many times which leads to overwhelm the target's CPU. | ||||
| CVE-2022-2245 | 1 Wow-company | 1 Counter Box | 2024-11-21 | 8.8 High |
| The Counter Box WordPress plugin before 1.2.1 is lacking CSRF check when activating and deactivating counters, which could allow attackers to make a logged in admin perform such actions via CSRF attacks | ||||
| CVE-2022-2233 | 1 Banner Cycler Project | 1 Banner Cycler | 2024-11-21 | 8.8 High |
| The Banner Cycler plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the pabc_admin_slides_postback() function found in the ~/admin/admin.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site’s administrator into performing an action such as clicking on a link | ||||
| CVE-2022-2223 | 1 Ghozylab | 1 Image Slider | 2024-11-21 | 5.4 Medium |
| The WordPress plugin Image Slider is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.1.121 due to failure to properly check for the existence of a nonce in the function ewic_duplicate_slider. This make it possible for unauthenticated attackers to duplicate existing posts or pages granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2022-2184 | 1 Wpwhitesecurity | 1 Captcha 4wp | 2024-11-21 | 8.8 High |
| The CAPTCHA 4WP WordPress plugin before 7.1.0 lets user input reach a sensitive require_once call in one of its admin-side templates. This can be abused by attackers, via a Cross-Site Request Forgery attack to run arbitrary code on the server. | ||||
| CVE-2022-2172 | 1 Linkworth | 1 Linkworth | 2024-11-21 | 4.3 Medium |
| The LinkWorth WordPress plugin before 3.3.4 does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack. | ||||
| CVE-2022-2171 | 1 Crowdfavorite | 1 Progressive License | 2024-11-21 | 5.4 Medium |
| The Progressive License WordPress plugin through 1.1.0 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the settings, this could lead to Stored XSS issue which will be triggered in the frontend as well. | ||||
| CVE-2022-2146 | 1 Import Csv Files Project | 1 Import Csv Files | 2024-11-21 | 6.1 Medium |
| The Import CSV Files WordPress plugin through 1.0 does not sanitise and escaped imported data before outputting them back in a page, and is lacking CSRF check when performing such action as well, resulting in a Reflected Cross-Site Scripting | ||||
| CVE-2022-2144 | 1 Jquery Validation For Contact Form 7 Project | 1 Jquery Validation For Contact Form 7 | 2024-11-21 | 4.3 Medium |
| The Jquery Validation For Contact Form 7 WordPress plugin before 5.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change Blog options like default_role, users_can_register via a CSRF attack | ||||
| CVE-2022-2123 | 1 Wp Opt-in Project | 1 Wp Opt-in | 2024-11-21 | 4.3 Medium |
| The WP Opt-in WordPress plugin through 1.4.1 is vulnerable to CSRF which allows changed plugin settings and can be used for sending spam emails. | ||||