Total
5731 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24685 | 1 Flat Preloader Project | 1 Flat Preloader | 2022-11-09 | 5.0 MEDIUM | 5.4 MEDIUM |
| The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload) | |||||
| CVE-2021-24570 | 1 Wpplugin | 1 Accept Donations With Paypal | 2022-11-09 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Accept Donations with PayPal WordPress plugin before 1.3.1 offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of the Button field is not escaped before being output in an attribute when editing a Button, leading to a Stored Cross-Site Scripting issue as well. | |||||
| CVE-2021-24543 | 1 Jquery-reply-to-comment Project | 1 Jquery-reply-to-comment | 2022-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| The jQuery Reply to Comment WordPress plugin through 1.31 does not have any CSRF check when saving its settings, nor sanitise or escape its 'Quote String' and 'Reply String' settings before outputting them in Comments, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24730 | 1 Infornweb | 1 Logo Showcase With Slick Slider | 2022-11-09 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Logo Showcase with Slick Slider WordPress plugin before 1.2.5 does not have CSRF and authorisation checks in the lswss_save_attachment_data AJAX action, allowing any authenticated users, such as Subscriber, to change title, description, alt text, and URL of arbitrary uploaded media. | |||||
| CVE-2022-2387 | 1 Sandhillsdev | 1 Easy Digital Downloads | 2022-11-09 | N/A | 4.3 MEDIUM |
| The Easy Digital Downloads WordPress plugin before 3.0 does not have CSRF check in place when deleting payment history, and does not ensure that the post to be deleted is actually a payment history. As a result, attackers could make a logged in admin delete arbitrary post via a CSRF attack | |||||
| CVE-2021-24555 | 1 Roosty | 1 Diary-availability-calendar | 2022-11-09 | 6.5 MEDIUM | 8.8 HIGH |
| The daac_delete_booking_callback function, hooked to the daac_delete_booking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and capability check, making it available to any authenticated user. | |||||
| CVE-2022-43488 | 1 Algolplus | 1 Advanced Dynamic Pricing For Woocommerce | 2022-11-09 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to rule type migration. | |||||
| CVE-2022-40128 | 1 Algolplus | 1 Advanced Order Export | 2022-11-09 | N/A | 6.5 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin <= 3.3.2 on WordPress leading to export file download. | |||||
| CVE-2022-38137 | 1 Analytify | 1 Analytify - Google Analytics Dashboard | 2022-11-09 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Analytify plugin <= 4.2.2 on WordPress. | |||||
| CVE-2022-32587 | 1 Codeandmore | 1 Wp Page Widget | 2022-11-09 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in CodeAndMore WP Page Widget plugin <= 3.9 on WordPress leading to plugin settings change. | |||||
| CVE-2022-27855 | 1 Fatcatapps | 1 Analytics Cat | 2022-11-09 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Fatcat Apps Analytics Cat plugin <= 1.0.9 on WordPress allows Plugin Settings Change. | |||||
| CVE-2022-40632 | 1 Gvectors | 1 Wpforo Forum | 2022-11-09 | N/A | 5.4 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 on WordPress leading to topic deletion. | |||||
| CVE-2022-43491 | 1 Algolplus | 1 Advanced Dynamic Pricing For Woocommerce | 2022-11-09 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to plugin settings import. | |||||
| CVE-2022-43481 | 1 Rymera | 1 Advanced Coupons | 2022-11-09 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Advanced Coupons for WooCommerce Coupons plugin <= 4.5 on WordPress leading to notice dismissal. | |||||
| CVE-2022-41136 | 1 Getshortcodes | 1 Shortcodes Ultimate | 2022-11-09 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in Vladimir Anokhin's Shortcodes Ultimate plugin <= 5.12.0 on WordPress. | |||||
| CVE-2022-44741 | 1 Slidervilla | 1 Testimonial Slider | 2022-11-09 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) in David Anderson Testimonial Slider plugin <= 1.3.1 on WordPress. | |||||
| CVE-2022-3537 | 1 Addify | 1 Role Based Pricing For Woocommerce | 2022-11-09 | N/A | 8.8 HIGH |
| The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP | |||||
| CVE-2021-24349 | 1 Gallery From Files Project | 1 Gallery From Files | 2022-11-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| This Gallery from files WordPress plugin through 1.6.0 gives the functionality of uploading images to the server. But filenames are not properly sanitized before being output in an error message when they have an invalid extension, leading to a reflected Cross-Site Scripting issue. Due to the lack of CSRF check, the attack could also be performed via such vector. | |||||
| CVE-2021-34620 | 1 Fluentforms | 1 Contact Form | 2022-11-07 | 6.8 MEDIUM | 8.8 HIGH |
| The WP Fluent Forms plugin < 3.6.67 for WordPress is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions | |||||
| CVE-2022-34020 | 1 Resiot | 1 Iot Platform And Lorawan Network Server | 2022-11-04 | N/A | 8.8 HIGH |
| Cross Site Request Forgery (CSRF) vulnerability in ResIOT ResIOT IOT Platform + LoRaWAN Network Server through 4.1.1000114 allows attackers to add new admin users to the platform or other unspecified impacts. | |||||