Total: 6253 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2022-2184 | Wpwhitesecurity | Captcha 4wp | 2024-08-03 | 8.8 High | The CAPTCHA 4WP WordPress plugin before 7.1.0 lets user input reach a sensitive require_once call in one of its admin-side templates. This can be abused by attackers, via a Cross-Site Request Forgery attack, to run arbitrary code on the server.
CVE-2022-2172 | Linkworth | Linkworth | 2024-08-03 | 4.3 Medium | The LinkWorth WordPress plugin before 3.3.4 does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack.
CVE-2022-2171 | Crowdfavorite | Progressive License | 2024-08-03 | 5.4 Medium | The Progressive License WordPress plugin through 1.1.0 lacks any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the settings, this could lead to a Stored XSS issue which is triggered in the frontend as well.
CVE-2022-2144 | Jquery Validation For Contact Form 7 Project | Jquery Validation For Contact Form 7 | 2024-08-03 | 4.3 Medium | The Jquery Validation For Contact Form 7 WordPress plugin before 5.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change blog options such as default_role and users_can_register via a CSRF attack.
CVE-2022-2123 | Wp Opt-in Project | Wp Opt-in | 2024-08-03 | 4.3 Medium | The WP Opt-in WordPress plugin through 1.4.1 is vulnerable to CSRF, which allows plugin settings to be changed and can be used for sending spam emails.
CVE-2022-1957 | Comment License Project | Comment License | 2024-08-03 | 4.3 Medium | The Comment License WordPress plugin before 1.4.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
CVE-2022-2146 | Import Csv Files Project | Import Csv Files | 2024-08-03 | 6.1 Medium | The Import CSV Files WordPress plugin through 1.0 does not sanitise and escape imported data before outputting it back in a page, and also lacks a CSRF check when performing such an action, resulting in Reflected Cross-Site Scripting.
CVE-2022-2091 | Cache Images Project | Cache Images | 2024-08-03 | 6.5 Medium | The Cache Images WordPress plugin before 3.2.1 does not implement nonce checks, which could allow attackers to make any logged in user upload images via a CSRF attack.
CVE-2022-2071 | Name Directory Project | Name Directory | 2024-08-03 | 6.1 Medium | The Name Directory WordPress plugin before 1.25.4 does not have a CSRF check when importing names, and also lacks sanitisation and escaping of some of the imported data, which could allow attackers to make a logged in admin import arbitrary names with XSS payloads in them.
CVE-2022-1956 | Shortcut Macros Project | Shortcut Macros | 2024-08-03 | 4.3 Medium | The Shortcut Macros WordPress plugin through 1.3 does not have authorisation and CSRF checks in place when updating its settings, which could allow any authenticated user, such as a subscriber, to update them.
CVE-2022-1960 | Mycss Project | Mycss | 2024-08-03 | 4.3 Medium | The MyCSS WordPress plugin through 1.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
CVE-2022-1969 | Script | Mobile Browser Color Select | 2024-08-03 | 8.8 High | The Mobile browser color select plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the admin_update_data() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-2001 | Devrix | Dx Share Selection | 2024-08-03 | 8.8 High | The DX Share Selection plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4. This is due to missing nonce protection on the dxss_admin_page() function found in the ~/dx-share-selection.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site's administrator into performing an action such as clicking on a link.
CVE-2022-1967 | Wp-championship Project | Wp-championship | 2024-08-03 | 6.5 Medium | The WP Championship WordPress plugin before 9.3 lacks CSRF checks in various places, allowing attackers to make a logged in admin perform unwanted actions, such as creating and deleting arbitrary teams as well as updating the plugin's settings. Due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues.
CVE-2022-1914 | Clean-contact Project | Clean-contact | 2024-08-03 | 4.3 Medium | The Clean-Contact WordPress plugin through 1.6 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored XSS due to the lack of sanitisation and escaping as well.
CVE-2022-1912 | Smartsoft | Button Widget Smartsoft | 2024-08-03 | 8.8 High | The Button Widget Smartsoft plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing nonce validation on the smartsoftbutton_settings page. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-1885 | Cimy Header Image Rotator Project | Cimy Header Image Rotator | 2024-08-03 | 4.3 Medium | The Cimy Header Image Rotator WordPress plugin through 6.1.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
CVE-2022-1913 | Add Post Url Project | Add Post Url | 2024-08-03 | 4.3 Medium | The Add Post URL WordPress plugin through 2.1.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping.
CVE-2022-1900 | Copify | Copify | 2024-08-03 | 8.8 High | The Copify plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.0. This is due to missing nonce validation on the CopifySettings page. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-1895 | Underconstruction Project | Underconstruction | 2024-08-03 | 4.3 Medium | The underConstruction WordPress plugin before 1.20 does not have a CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged in admin perform such an action via a CSRF attack.