Search Results (36916 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-1014 1 Labarta 1 Wp Contacts Manager 2024-11-21 9.8 Critical
The WP Contacts Manager WordPress plugin through 2.2.4 fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to an SQL injection vulnerability.
CVE-2022-1013 1 Ays-pro 1 Personal Dictionary 2024-11-21 9.8 Critical
The Personal Dictionary WordPress plugin before 1.3.4 fails to properly sanitize user supplied POST data before it is being interpolated in an SQL statement and then executed, leading to a blind SQL injection vulnerability.
CVE-2022-1006 1 Elbtide 1 Advanced Booking Calendar 2024-11-21 7.2 High
The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the id parameter when editing Calendars, which could allow high privilege users such as admin to perform SQL injection attacks
CVE-2022-0989 1 Nsthemes 1 Ns Watermark For Woocommerce 2024-11-21 7.5 High
An unprivileged user could use the functionality of the NS WooCommerce Watermark WordPress plugin through 2.11.3 to load images that hide malware for example from passing malicious domains to hide their trace, by making them pass through the vulnerable domain.
CVE-2022-0985 1 Moodle 1 Moodle 2024-11-21 4.3 Medium
Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete capability.
CVE-2022-0984 3 Fedoraproject, Moodle, Redhat 3 Fedora, Moodle, Enterprise Linux 2024-11-21 4.3 Medium
Users with the capability to configure badge criteria (teachers and managers by default) were able to configure course badges with profile field criteria, which should only be available for site badges.
CVE-2022-0983 2 Fedoraproject, Moodle 3 Extra Packages For Enterprise Linux, Fedora, Moodle 2024-11-21 8.8 High
An SQL injection risk was identified in Badges code relating to configuring criteria. Access to the relevant capability was limited to teachers and managers by default.
CVE-2022-0981 2 Quarkus, Redhat 4 Quarkus, Camel Quarkus, Quarkus and 1 more 2024-11-21 8.8 High
A flaw was found in Quarkus. The state and potentially associated permissions can leak from one web request to another in RestEasy Reactive. This flaw allows a low-privileged user to perform operations on the database with a different set of privileges than intended.
CVE-2022-0952 1 Sitemap Project 1 Sitemap 2024-11-21 8.8 High
The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the users_can_register and default_role, allowing them to create a new admin account and take over the blog.
CVE-2022-0949 1 Stopbadbots 1 Block And Stop Bad Bots 2024-11-21 9.8 Critical
The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 6.930 does not properly sanitise and escape the fingerprint parameter before using it in a SQL statement via the stopbadbots_grava_fingerprint AJAX action, available to unauthenticated users, leading to a SQL injection
CVE-2022-0948 1 Pluginbazaar 1 Order Listener For Woocommerce 2024-11-21 9.8 Critical
The Order Listener for WooCommerce WordPress plugin before 3.2.2 does not sanitise and escape the id parameter before using it in a SQL statement via a REST route available to unauthenticated users, leading to an SQL injection
CVE-2022-0935 1 Livehelperchat 1 Live Helper Chat 2024-11-21 8.8 High
Host Header injection in password Reset in GitHub repository livehelperchat/livehelperchat prior to 3.97.
CVE-2022-0932 1 Saleor 1 Saleor 2024-11-21 6.5 Medium
Missing Authorization in GitHub repository saleor/saleor prior to 3.1.2.
CVE-2022-0920 1 Salonbookingsystem 1 Salon Booking System 2024-11-21 7.5 High
The Salon booking system Free and Pro WordPress plugins before 7.6.3 do not have proper authorisation in some of its endpoints, which could allow customers to access all bookings and other customer's data
CVE-2022-0919 1 Salonbookingsystem 1 Salon Booking System 2024-11-21 5.3 Medium
The Salon booking system Free and pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated users to search other's booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it.
CVE-2022-0905 1 Gitea 1 Gitea 2024-11-21 7.1 High
Missing Authorization in GitHub repository go-gitea/gitea prior to 1.16.4.
CVE-2022-0887 1 Cybernetikz 1 Easy Social Icons 2024-11-21 7.2 High
The Easy Social Icons WordPress plugin before 3.1.4 does not sanitize the selected_icons attribute to the cnss_widget before using it in an SQL statement, leading to a SQL injection vulnerability.
CVE-2022-0885 1 Memberhero 1 Member Hero 2024-11-21 9.8 Critical
The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments.
CVE-2022-0871 1 Gogs 1 Gogs 2024-11-21 9.1 Critical
Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5.
CVE-2022-0867 1 Reputeinfosystems 1 Pricing Table 2024-11-21 9.8 Critical
The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied POST data before it is being interpolated in an SQL statement and then executed via an AJAX action available to unauthenticated users