Total
3286 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-3400 | 1 Bricksbuilder | 1 Bricks | 2024-08-03 | 6.5 Medium |
| The Bricks theme for WordPress is vulnerable to authorization bypass due to a missing capability check on the bricks_save_post AJAX action in versions 1.0 to 1.5.3. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to edit any page, post, or template on the vulnerable WordPress website. | ||||
| CVE-2022-3320 | 1 Cloudflare | 1 Warp | 2024-08-03 | 6.7 Medium |
| It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint' subcommand. Using this command with an unreachable endpoint caused the WARP Client to disconnect and allowed bypassing administrative restrictions on a Zero Trust enrolled endpoint. | ||||
| CVE-2022-3322 | 1 Cloudflare | 1 Warp Mobile Client | 2024-08-03 | 6.7 Medium |
| Lock Warp switch is a feature of Zero Trust platform which, when enabled, prevents users of enrolled devices from disabling WARP client. Due to insufficient policy verification by WARP iOS client, this feature could be bypassed by using the "Disable WARP" quick action. | ||||
| CVE-2022-3321 | 1 Cloudflare | 1 Warp Mobile Client | 2024-08-03 | 6.7 Medium |
| It was possible to bypass Lock WARP switch feature https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch on the WARP iOS mobile client by enabling both "Disable for cellular networks" and "Disable for Wi-Fi networks" switches at once in the application settings. Such configuration caused the WARP client to disconnect and allowed the user to bypass restrictions and policies enforced by the Zero Trust platform. | ||||
| CVE-2022-3244 | 1 Smackcoders | 1 Import All Pages\, Post Types\, Products\, Orders\, And Users As Xml \& Csv | 2024-08-03 | 4.2 Medium |
| The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not have authorisation in some places, which could allow any authenticated users to access some of the plugin features if they manage to get the related nonce | ||||
| CVE-2022-3124 | 1 Najeebmedia | 1 Frontend File Manager | 2024-08-03 | 5.3 Medium |
| The Frontend File Manager Plugin WordPress plugin before 21.3 allows any unauthenticated user to rename uploaded files from users. Furthermore, due to the lack of validation in the destination filename, this could allow allow them to change the content of arbitrary files on the web server | ||||
| CVE-2022-3082 | 1 Miniorange | 1 Discord Integration | 2024-08-03 | 6.5 Medium |
| The miniOrange Discord Integration WordPress plugin before 2.1.6 does not have authorisation and CSRF in some of its AJAX actions, allowing any logged in users, such as subscriber to call them, and disable the app for example | ||||
| CVE-2022-3096 | 1 Wp Total Hacks Project | 1 Wp Total Hacks | 2024-08-03 | 5.4 Medium |
| The WP Total Hacks WordPress plugin through 4.7.2 does not prevent low privilege users from modifying the plugin's settings. This could allow users such as subscribers to perform Stored Cross-Site Scripting attacks against other users, like administrators, due to the lack of sanitisation and escaping as well. | ||||
| CVE-2022-2985 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2024-08-03 | 7.8 High |
| In music service, there is a missing permission check. This could lead to elevation of privilege in contacts service with no additional execution privileges needed. | ||||
| CVE-2022-2987 | 1 Ldap Wp Login \/ Active Directory Integration Project | 1 Ldap Wp Login \/ Active Directory Integration | 2024-08-03 | 7.5 High |
| The Ldap WP Login / Active Directory Integration WordPress plugin before 3.0.2 does not have any authorisation and CSRF checks when updating it's settings (which are hooked to the init action), allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticated users, therefore bypassing the current authentication | ||||
| CVE-2022-2841 | 1 Crowdstrike | 1 Falcon | 2024-08-03 | 2.7 Low |
| A vulnerability was found in CrowdStrike Falcon 6.31.14505.0/6.42.15610/6.44.15806. It has been classified as problematic. Affected is an unknown function of the component Uninstallation Handler. The manipulation leads to missing authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 6.40.15409, 6.42.15611 and 6.44.15807 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-206880. | ||||
| CVE-2022-2846 | 1 Dwbooster | 1 Calendar Event Multi View | 2024-08-03 | 4.3 Medium |
| The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it. | ||||
| CVE-2022-2732 | 1 Open-emr | 1 Openemr | 2024-08-03 | 8.3 High |
| Missing Authorization in GitHub repository openemr/openemr prior to 7.0.0.1. | ||||
| CVE-2022-2657 | 1 Wc-marketplace | 1 Multivendor Marketplace Solution For Woocommerce - Wc Marketplace | 2024-08-03 | 4.3 Medium |
| The Multivendor Marketplace Solution for WooCommerce WordPress plugin before 3.8.12 is lacking authorisation and CSRF in multiple AJAX actions, which could allow any authenticated users, such as subscriber to call them and suspend vendors (reporter by the submitter) or update arbitrary order status (identified by WPScan when verifying the issue) for example. Other unauthenticated attacks are also possible, either directly or via CSRF | ||||
| CVE-2022-2552 | 1 Snapcreek | 1 Duplicator | 2024-08-03 | 5.3 Medium |
| The Duplicator WordPress plugin before 1.4.7 does not authenticate or authorize visitors before displaying information about the system such as server software, php version and full file system path to the site. | ||||
| CVE-2022-2543 | 1 Visualportfolio | 1 Visual Portfolio\, Photo Gallery \& Post Grid | 2024-08-03 | 6.1 Medium |
| The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.18.0 does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS in arbitrary saved layouts | ||||
| CVE-2022-2459 | 1 Gitlab | 1 Gitlab | 2024-08-03 | 2.7 Low |
| An issue has been discovered in GitLab EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for email invited members to join a project even after the Group Owner has enabled the setting to prevent members from being added to projects in a group, if the invite was sent before the setting was enabled. | ||||
| CVE-2022-2461 | 1 Transposh | 1 Transposh Wordpress Translation | 2024-08-03 | 5.3 Medium |
| The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.8.1. This is due to insufficient permissions checking on the 'tp_translation' AJAX action and default settings which makes it possible for unauthenticated attackers to influence the data shown on the site. | ||||
| CVE-2022-2450 | 1 Resmush.it | 1 Resmush.it Image Optimizer | 2024-08-03 | 4.3 Medium |
| The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 lacks authorization in various AJAX actions, allowing any logged-in users, such as subscribers to call them. | ||||
| CVE-2022-2405 | 1 Themehunk | 1 Wp Popup Builder | 2024-08-03 | 4.3 Medium |
| The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary Popup | ||||