Search Results (36911 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-0658 1 Wielebenwir 1 Commonsbooking 2024-11-21 9.8 Critical
The CommonsBooking WordPress plugin before 2.6.8 does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection
CVE-2022-0657 1 5 Stars Rating Funnel Project 1 5 Stars Rating Funnel 2024-11-21 9.8 Critical
The 5 Stars Rating Funnel WordPress Plugin | RRatingg WordPress plugin before 1.2.54 does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtngg_delete_leads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue. There is an attempt to sanitise the input, using sanitize_text_field(), however such function is not intended to prevent SQL injections.
CVE-2022-0634 1 Caseproof 1 Thirstyaffiliates Affiliate Link Manager 2024-11-21 4.3 Medium
The ThirstyAffiliates WordPress plugin before 3.10.5 lacks authorization checks in the ta_insert_external_image action, allowing a low-privilege user (with a role as low as Subscriber) to add an image from an external URL to an affiliate link. Further the plugin lacks csrf checks, allowing an attacker to trick a logged in user to perform the action by crafting a special request.
CVE-2022-0633 1 Updraftplus 1 Updraftplus 2024-11-21 6.5 Medium
The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup.
CVE-2022-0614 1 Mruby 1 Mruby 2024-11-21 5.5 Medium
Use of Out-of-range Pointer Offset in Homebrew mruby prior to 3.2.
CVE-2022-0594 1 Shareaholic 1 Shareaholic 2024-11-21 5.3 Medium
The Professional Social Sharing Buttons, Icons & Related Posts WordPress plugin before 9.7.6 does not have proper authorisation check in one of the AJAX action, available to unauthenticated (in v < 9.7.5) and author+ (in v9.7.5) users, allowing them to call it and retrieve various information such as the list of active plugins, various version like PHP, cURL, WP etc.
CVE-2022-0592 1 Mapsvg 1 Mapsvg 2024-11-21 9.8 Critical
The MapSVG WordPress plugin before 6.2.20 does not validate and escape a parameter via a REST endpoint before using it in a SQL statement, leading to a SQL Injection exploitable by unauthenticated users.
CVE-2022-0577 2 Debian, Scrapy 2 Debian Linux, Scrapy 2024-11-21 6.5 Medium
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository scrapy/scrapy prior to 2.6.1.
CVE-2022-0574 1 Publify Project 1 Publify 2024-11-21 6.5 Medium
Improper Access Control in GitHub repository publify/publify prior to 9.2.8.
CVE-2022-0554 5 Apple, Debian, Fedoraproject and 2 more 5 Macos, Debian Linux, Fedora and 2 more 2024-11-21 7.8 High
Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.
CVE-2022-0524 1 Publify Project 1 Publify 2024-11-21 7.5 High
Business Logic Errors in GitHub repository publify/publify prior to 9.2.7.
CVE-2022-0519 2 Fedoraproject, Radare 2 Fedora, Radare2 2024-11-21 7.1 High
Buffer Access with Incorrect Length Value in GitHub repository radareorg/radare2 prior to 5.6.2.
CVE-2022-0514 1 Craterapp 1 Crater 2024-11-21 6.5 Medium
Business Logic Errors in GitHub repository crater-invoice/crater prior to 6.0.5.
CVE-2022-0507 1 Pandorafms 1 Pandora Fms 2024-11-21 5.8 Medium
Found a potential security vulnerability inside the Pandora API. Affected Pandora FMS version range: all versions of NG version, up to OUM 759. This vulnerability could allow an attacker with authenticated IP to inject SQL.
CVE-2022-0482 1 Easyappointments 1 Easyappointments 2024-11-21 9.1 Critical
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3.
CVE-2022-0479 1 Sygnoos 1 Popup Builder 2024-11-21 9.8 Critical
The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform Reflected Cross-Site Scripting attack against a logged in admin opening a malicious link
CVE-2022-0478 1 Mage-people 1 Event Manager And Tickets Selling For Woocommerce 2024-11-21 8.8 High
The Event Manager and Tickets Selling for WooCommerce WordPress plugin before 3.5.8 does not validate and escape the post_author_gutenberg parameter before using it in a SQL statement when creating/editing events, which could allow users with a role as low as contributor to perform SQL Injection attacks
CVE-2022-0457 1 Google 1 Chrome 2024-11-21 8.8 High
Type confusion in V8 in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2022-0444 1 Watchful 1 Xcloner 2024-11-21 4.3 Medium
The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key.
CVE-2022-0439 1 Icegram 1 Email Subscribers \& Newsletters 2024-11-21 8.8 High
The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the `order` and `orderby` parameters to the `ajax_fetch_report_list` action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. Further, it does not have any CSRF protection in place for the action, allowing an attacker to trick any logged in user to perform the action by clicking a link.