Total: 3285 CVEs
| CVE | Vendor | Product | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2022-2379 | Easy Student Results Project | Easy Student Results | 2024-08-03 | 7.5 High | The Easy Student Results WordPress plugin through 2.2.8 lacks authorisation in its REST API, allowing unauthenticated users to retrieve information related to courses, exams and departments, as well as students' grades and PII such as email address, physical address and phone number. |
| CVE-2022-2382 | Shapedplugin | Product Slider For Woocommerce | 2024-08-03 | 4.3 Medium | The Product Slider for WooCommerce WordPress plugin before 2.5.7 has flawed CSRF checks and lacks authorisation in some of its AJAX actions, allowing any authenticated user, such as a subscriber, to call them. One in particular could allow them to delete arbitrary blog options. |
| CVE-2022-2350 | Brainvire | Disable User Login | 2024-08-03 | 5.3 Medium | The Disable User Login WordPress plugin through 1.0.1 does not have authorisation and CSRF checks when updating its settings, allowing unauthenticated attackers to block (or unblock) users at will. |
| CVE-2022-2376 | Wpwax | Directorist | 2024-08-03 | 5.3 Medium | The Directorist WordPress plugin before 7.3.1 discloses the email address of all users in an AJAX action available to both unauthenticated and any authenticated users. |
| CVE-2022-2373 | Nsqua | Simply Schedule Appointments | 2024-08-03 | 5.3 Medium | The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress user details such as name and email address. |
| CVE-2022-2370 | Yaycommerce | Yaysmtp | 2024-08-03 | 6.5 Medium | The YaySMTP WordPress plugin before 2.2.1 does not have a capability check before displaying the Mailer Credentials in the JS code of its settings page, allowing any authenticated user, such as a subscriber, to retrieve them. |
| CVE-2022-2276 | Wp Edit Menu Project | Wp Edit Menu | 2024-08-03 | 4.3 Medium | The WP Edit Menu WordPress plugin before 1.5.0 does not have authorisation and CSRF checks in an AJAX action, which could allow unauthenticated attackers to delete arbitrary posts/pages from the blog. |
| CVE-2022-2377 | Wpwax | Directorist | 2024-08-03 | 4.3 Medium | The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user to send arbitrary emails on behalf of the blog. |
| CVE-2022-2369 | Yaycommerce | Yaysmtp | 2024-08-03 | 4.3 Medium | The YaySMTP WordPress plugin before 2.2.1 does not have a capability check in an AJAX action, allowing any logged-in user, such as a subscriber, to view the plugin's logs. |
| CVE-2022-2108 | Wbcomdesigns | Buddypress Group Reviews | 2024-08-03 | 6.5 Medium | The Wbcom Designs – BuddyPress Group Reviews plugin for WordPress is vulnerable to unauthorized settings changes and review modification due to missing capability checks and improper nonce checks in several functions related to those actions, in versions up to and including 2.8.3. This makes it possible for unauthenticated attackers to modify reviews and plugin settings on the affected site. |
| CVE-2022-1903 | Armemberplugin | Armember | 2024-08-03 | 8.1 High | The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even of the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username. |
| CVE-2022-1777 | Filr Project | Filr | 2024-08-03 | 8.8 High | The Filr WordPress plugin before 1.2.2.1 does not have an authorisation check in two of its AJAX actions, allowing them to be called by any authenticated user, such as a subscriber. They are protected with a nonce, but the nonce is leaked on the dashboard. This could allow them to upload arbitrary HTML files as well as delete all files or arbitrary ones. |
| CVE-2022-1574 | Html2wp Project | Html2wp | 2024-08-03 | 9.8 Critical | The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks when importing files, and does not validate them; as a result, unauthenticated attackers can upload arbitrary files (such as PHP) to the remote server. |
| CVE-2022-1572 | Html2wp Project | Html2wp | 2024-08-03 | 8.1 High | The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks in an AJAX action available to any authenticated user, such as a subscriber, which could allow them to delete arbitrary files. |
| CVE-2022-1570 | Files Download Delay Project | Files Download Delay | 2024-08-03 | 6.5 Medium | The Files Download Delay WordPress plugin before 1.0.7 does not have authorisation and CSRF checks when resetting its settings, which could allow any authenticated user, such as a subscriber, to perform that action. |
| CVE-2022-1511 | Snipeitapp | Snipe-it | 2024-08-03 | 6.5 Medium | Missing Authorization in GitHub repository snipe/snipe-it prior to 5.4.4. |
| CVE-2022-1423 | Gitlab | Gitlab | 2024-08-03 | 7.1 High | Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows a malicious actor with Developer privileges to perform cache poisoning leading to arbitrary code execution in protected branches. |
| CVE-2022-1384 | Mattermost | Mattermost Server | 2024-08-03 | 4.7 Medium | Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which allows an authenticated and authorized user to install and exploit an old plugin version from the Marketplace that might have known vulnerabilities. |
| CVE-2022-1442 | Wpmet | Metform Elementor Contact Form Builder | 2024-08-03 | 7.5 High | The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file, which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs such as PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3. |
| CVE-2022-1329 | Elementor | Website Builder | 2024-08-03 | 8.8 High | The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file, which makes it possible for attackers to modify site data and upload malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2. |
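Most of the WordPress entries above share one root cause: an `admin-ajax.php` action or REST route that runs a privileged operation without a capability check, without a nonce check, or with a nonce but no capability check (CVE-2022-1777 is the last case: the nonce stops CSRF, it does not stop a subscriber who can read it). The following PHP is an added illustration and is not code from any plugin listed here. The plugin name, hook names, option names, the `demo-admin` script handle and the `manage_options`/`list_users` capability choices are assumptions; the WordPress functions called (`add_action`, `check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `wp_create_nonce`, `register_rest_route`) are real core APIs.

```php
<?php
/*
 * Added example, not from any plugin in the listing above.
 * Hypothetical plugin exposing an AJAX action that deletes a blog
 * option, shown first as the vulnerable pattern, then hardened.
 */

// VULNERABLE: hooked for both logged-in (wp_ajax_) and logged-out
// (wp_ajax_nopriv_) users, with no nonce check and no capability
// check. Any visitor can POST action=demo_delete_option&name=siteurl
// to /wp-admin/admin-ajax.php and delete an arbitrary option.
function demo_delete_option_vulnerable() {
    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    delete_option( $name );
    wp_send_json_success( "deleted $name" );
}
add_action( 'wp_ajax_demo_delete_option', 'demo_delete_option_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_delete_option', 'demo_delete_option_vulnerable' );

// HARDENED: authenticated-only hook, nonce check (CSRF), capability
// check (authorisation) and an allow-list of plugin-owned option names.
function demo_delete_option_hardened() {
    // CSRF: dies with 403 unless the request carries a valid nonce
    // for this action in the 'nonce' POST field.
    check_ajax_referer( 'demo_delete_option', 'nonce' );

    // Authorisation: a nonce proves the request came from a page we
    // rendered, not that the caller is privileged. A subscriber who
    // scraped the nonce from the dashboard still fails here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input: only options this plugin owns may be deleted (assumed names).
    $name    = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    $allowed = array( 'demo_cache', 'demo_last_sync' );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'invalid option', 400 );
    }

    delete_option( $name );
    wp_send_json_success( array( 'deleted' => $name ) );
}
add_action( 'wp_ajax_demo_delete_option_v2', 'demo_delete_option_hardened' );
// Deliberately no wp_ajax_nopriv_ hook: unauthenticated requests never
// reach the handler at all.

// The nonce the admin page's JS must send back. It is generated per
// user session server-side; 'demo-admin' is an assumed script handle
// that the plugin would register with wp_enqueue_script().
function demo_enqueue_nonce() {
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_delete_option' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_nonce' );

// REST: the same gate for a route. permission_callback is the
// authorisation check; a route registered with '__return_true' here
// is what "missing authorisation in a REST endpoint" usually looks
// like in source. Cookie-authenticated callers must also send the
// core 'wp_rest' nonce in the X-WP-Nonce header, which WordPress
// itself verifies before the callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/users', array(
        'methods'             => 'GET',
        'callback'            => function () {
            return rest_ensure_response(
                get_users( array( 'fields' => array( 'ID', 'display_name' ) ) )
            );
        },
        'permission_callback' => function () {
            return current_user_can( 'list_users' );
        },
    ) );
} );
```

When auditing a plugin for this class of bug, grep for `wp_ajax_nopriv_` registrations and for `register_rest_route` calls whose `permission_callback` is `__return_true`, then check whether each handler's effect is something an anonymous visitor should be able to cause. A handler that has `check_ajax_referer` but no `current_user_can` is still reachable by every logged-in role that can load a page containing the nonce.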