Total
2641 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-1572 | 1 Html2wp Project | 1 Html2wp | 2023-11-07 | 5.5 MEDIUM | 8.1 HIGH |
| The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks in an AJAX action, available to any authenticated users such as subscriber, which could allow them to delete arbitrary file | |||||
| CVE-2022-1570 | 1 Files Download Delay Project | 1 Files Download Delay | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Files Download Delay WordPress plugin before 1.0.7 does not have authorisation and CSRF checks when reseting its settings, which could allow any authenticated users, such as subscriber to perform such action. | |||||
| CVE-2022-1521 | 1 Illumina | 8 Iseq 100, Local Run Manager, Miniseq and 5 more | 2023-11-07 | 6.4 MEDIUM | 9.1 CRITICAL |
| LRM does not implement authentication or authorization by default. A malicious actor can inject, replay, modify, and/or intercept sensitive data. | |||||
| CVE-2022-1442 | 1 Wpmet | 1 Metform Elementor Contact Form Builder | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3. | |||||
| CVE-2022-1323 | 1 2code | 1 Discy | 2023-11-07 | N/A | 6.5 MEDIUM |
| The Discy WordPress theme before 5.0 lacks authorization checks then processing ajax requests to the discy_update_options action, allowing any logged in users (with privileges as low as Subscriber,) to change Theme options by sending a crafted POST request. | |||||
| CVE-2022-1245 | 1 Redhat | 1 Keycloak | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services. | |||||
| CVE-2022-1203 | 1 Content Mask Project | 1 Content Mask | 2023-11-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Content Mask WordPress plugin before 1.8.4.1 does not have authorisation and CSRF checks in various AJAX actions, as well as does not validate the option to be updated to ensure it belongs to the plugin. As a result, any authenticated user, such as subscriber could modify arbitrary blog options | |||||
| CVE-2022-1092 | 1 Mycred | 1 Mycred | 2023-11-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog | |||||
| CVE-2022-0952 | 1 Sitemap Project | 1 Sitemap | 2023-11-07 | 6.8 MEDIUM | 8.8 HIGH |
| The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the users_can_register and default_role, allowing them to create a new admin account and take over the blog. | |||||
| CVE-2022-0885 | 1 Memberhero | 1 Member Hero | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments. | |||||
| CVE-2022-0837 | 1 Tms-outsource | 1 Amelia | 2023-11-07 | 5.5 MEDIUM | 5.4 MEDIUM |
| The Amelia WordPress plugin before 1.0.48 does not have proper authorisation when handling Amelia SMS service, allowing any customer to send paid test SMS notification as well as retrieve sensitive information about the admin, such as the email, account balance and payment history. A malicious actor can abuse this vulnerability to drain out the account balance by keep sending SMS notification. | |||||
| CVE-2022-0833 | 1 Church Admin Project | 1 Church Admin | 2023-11-07 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action, and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to disclose the final backup filename, which can then be fetched by the attacker to download the backup of the plugin's DB data | |||||
| CVE-2022-0634 | 1 Caseproof | 1 Thirstyaffiliates Affiliate Link Manager | 2023-11-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| The ThirstyAffiliates WordPress plugin before 3.10.5 lacks authorization checks in the ta_insert_external_image action, allowing a low-privilege user (with a role as low as Subscriber) to add an image from an external URL to an affiliate link. Further the plugin lacks csrf checks, allowing an attacker to trick a logged in user to perform the action by crafting a special request. | |||||
| CVE-2022-0444 | 1 Watchful | 1 Xcloner | 2023-11-07 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key. | |||||
| CVE-2022-0404 | 1 Material Design For Contact Form 7 Project | 1 Material Design For Contact Form 7 | 2023-11-07 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Material Design for Contact Form 7 WordPress plugin through 2.6.4 does not check authorization or that the option mentioned in the notice param belongs to the plugin when processing requests to the cf7md_dismiss_notice action, allowing any logged in user (with roles as low as Subscriber) to set arbitrary options to true, potentially leading to Denial of Service by breaking the site. | |||||
| CVE-2022-0398 | 1 Caseproof | 1 Thirstyaffiliates Affiliate Link Manager | 2023-11-07 | 4.9 MEDIUM | 5.4 MEDIUM |
| The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website | |||||
| CVE-2022-0363 | 1 Mycred | 1 Mycred | 2023-11-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts. | |||||
| CVE-2022-0345 | 1 Madewithfuel | 1 Customize Wordpress Emails And Alerts | 2023-11-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF check in its bnfw_search_users AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes (finding the first letter, then the second one, then the third one etc.). | |||||
| CVE-2022-0287 | 1 Mycred | 1 Mycred | 2023-11-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as subscriber to call and retrieve all email addresses from the blog | |||||
| CVE-2022-0229 | 1 Miniorange | 1 Google Authenticator | 2023-11-07 | 5.8 MEDIUM | 8.1 HIGH |
| The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable. | |||||