Skip to main content
CVE-2022-28093 CRITICAL POC Act Now

SCBS Online Sports Venue Reservation System v1.0 was discovered to contain a local file inclusion vulnerability which allow attackers to execute arbitrary code via a crafted PHP file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Online Sports Complex Booking System
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
2.2%
CVE-2022-23457 CRITICAL POC PATCH Act Now

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Path Traversal Enterprise Security Api Weblogic Server Active Iq Unified Manager Oncommand Workflow Automation
NVD GitHub
CVSS 3.1
9.8
EPSS
2.8%
CVE-2022-25866 CRITICAL POC PATCH Act Now

The package czproject/git-php before 4.0.3 are vulnerable to Command Injection via git argument injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP Command Injection Git Php
NVD GitHub
CVSS 3.1
9.8
EPSS
3.9%
CVE-2022-1391 CRITICAL POC THREAT Act Now

The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal Cab Fare Calculator
NVD WPScan
CVSS 3.1
9.8
EPSS
13.8%
CVE-2022-1390 CRITICAL POC THREAT Act Now

The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Deserialization Path Traversal Admin Word Count Column
NVD WPScan
CVSS 3.1
9.8
EPSS
21.9%
CVE-2022-0782 CRITICAL POC Act Now

The Donations WordPress plugin through 1.8 does not sanitise and escape the nd_donations_id parameter before using it in a SQL statement via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Donations
NVD WPScan
CVSS 3.1
9.8
EPSS
1.7%
CVE-2022-0769 CRITICAL POC Act Now

The Users Ultra WordPress plugin through 3.1.0 fails to properly sanitize and escape the data_target parameter before it is being interpolated in an SQL statement and then executed via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Users Ultra
NVD WPScan
CVSS 3.1
9.8
EPSS
8.5%
CVE-2022-0693 CRITICAL POC Act Now

The Master Elements WordPress plugin through 8.0 does not validate and escape the meta_ids parameter of its remove_post_meta_condition AJAX action (available to both unauthenticated and authenticated. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Master Elements
NVD WPScan
CVSS 3.1
9.8
EPSS
7.1%
CVE-2022-0657 CRITICAL POC Act Now

The 5 Stars Rating Funnel WordPress Plugin | RRatingg WordPress plugin before 1.2.54 does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress 5 Stars Rating Funnel
NVD WPScan
CVSS 3.1
9.8
EPSS
1.7%
CVE-2022-0541 CRITICAL POC Act Now

The flo-launch WordPress plugin before 2.4.1 injects code into wp-config.php when creating a cloned site, allowing any attacker to initiate a new site install by setting the flo_custom_table_prefix. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass WordPress Flo Launch
NVD WPScan
CVSS 3.1
9.8
EPSS
1.7%
CVE-2022-29078 CRITICAL POC PATCH THREAT Act Now

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Command Injection Node.js Ejs
NVD GitHub
CVSS 3.1
9.8
EPSS
32.8%
CVE-2022-27429 CRITICAL POC Act Now

Jizhicms v1.9.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via /admin.php/Plugins/update.html. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SSRF Jizhicms
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-26111 HIGH POC This Week

The BeanShell components of IRISNext through 9.8.28 allow execution of arbitrary commands on the target server by creating a custom search (or editing an existing/predefined search) of the documents. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Irisnext
NVD GitHub
CVSS 3.1
8.8
EPSS
4.1%
CVE-2022-28053 HIGH POC This Week

Typemill v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the upload function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE File Upload Typemill
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
CVE-2022-1459 HIGH POC PATCH This Week

Non-Privilege User Can View Patient’s Disclosures in GitHub repository openemr/openemr prior to 6.1.0.1. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Openemr
NVD GitHub
CVSS 3.1
8.3
EPSS
1.0%
CVE-2022-29603 HIGH POC PATCH This Week

A SQL Injection vulnerability exists in UniverSIS UniverSIS-API through 1.2.1 via the $select parameter to multiple API endpoints. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Universis Api
NVD
CVSS 3.1
8.1
EPSS
1.4%
CVE-2021-36460 HIGH POC This Week

VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Veryfitpro
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.4%
CVE-2022-1441 HIGH POC PATCH This Week

MP4Box is a component of GPAC-2.0.0, which is a widely-used third-party package on RPM Fusion. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow Gpac Debian Linux
NVD GitHub
CVSS 3.1
7.8
EPSS
1.0%
CVE-2022-1392 HIGH POC THREAT This Week

The Videos sync PDF WordPress plugin through 1.7.4 does not validate the p parameter before using it in an include statement, which could lead to Local File Inclusion issues. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal Videos Sync Pdf
NVD WPScan
CVSS 3.1
7.5
EPSS
11.3%
CVE-2022-0656 HIGH POC This Week

The Web To Print Shop : uDraw WordPress plugin before 3.3.3 does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal WordPress Information Disclosure Web To Print Shop
NVD WPScan
CVSS 3.1
7.5
EPSS
7.9%
CVE-2022-27375 MEDIUM POC This Month

Tenda AX12 V22.03.01.21_CN was discovered to contain a Cross-Site Request Forgery (CSRF) via the function sub_422168 at /goform/WifiExtraSet. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Tenda CSRF Ax12 Firmware
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2022-27374 MEDIUM POC This Month

Tenda AX12 V22.03.01.21_CN was discovered to contain a Cross-Site Request Forgery (CSRF) via the function sub_42E328 at /goform/SysToolReboot. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Tenda CSRF Ax12 Firmware
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2022-1461 MEDIUM POC PATCH This Month

Non Privilege User can Enable or Disable Registered in GitHub repository openemr/openemr prior to 6.1.0.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Openemr
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-28094 MEDIUM POC This Month

SCBS Online Sports Venue Reservation System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the fid parameter at booking.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Online Sports Complex Booking System
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-28290 MEDIUM POC This Month

Reflective Cross-Site Scripting vulnerability in WordPress Country Selector Plugin Version 1.6.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Wordpress Country Selector
NVD
CVSS 3.1
6.1
EPSS
1.4%
CVE-2022-0953 MEDIUM POC This Month

The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.20.96 does not sanitise and escape the QUERY_STRING before outputting it back in an admin page, leading to a Reflected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Download Anti Malware Security And Brute Force Firewall
NVD WPScan
CVSS 3.1
6.1
EPSS
3.0%
CVE-2022-28586 MEDIUM POC This Month

XSS in edit page of Hoosk 1.8.0 allows attacker to execute javascript code in user browser via edit page with XSS payload bypass filter some special chars. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Hoosk
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2022-27103 MEDIUM POC PATCH This Month

element-plus 2.0.5 is vulnerable to Cross Site Scripting (XSS) via el-table-column. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Element Plus
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-27311 CRITICAL PATCH Act Now

Gibbon v3.4.4 and below allows attackers to execute a Server-Side Request Forgery (SSRF) via a crafted URL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SSRF Gibbon
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2022-29264 CRITICAL PATCH Act Now

An issue was discovered in coreboot 4.13 through 4.16. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Coreboot
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2022-29077 CRITICAL PATCH Act Now

A heap-based buffer overflow exists in rippled before 1.8.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Memory Corruption Buffer Overflow Rippled
NVD GitHub
CVSS 3.1
9.8
EPSS
2.2%
CVE-2022-28506 MEDIUM POC This Month

There is a heap-buffer-overflow in GIFLIB 5.2.1 function DumpScreen2RGB() in gif2rgb.c:298:45. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Giflib Fedora
NVD GitHub
CVSS 3.1
5.5
EPSS
1.3%
CVE-2022-27135 MEDIUM POC This Month

xpdf 4.03 has heap buffer overflow in the function readXRefTable located in XRef.cc. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Memory Corruption Buffer Overflow Xpdf
NVD GitHub
CVSS 3.1
5.5
EPSS
1.0%
CVE-2022-1152 MEDIUM POC This Month

The Menubar WordPress plugin before 5.8 does not sanitise and escape the command parameter before outputting it back in the response via the menubar AJAX action (available to any authenticated. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Menubar
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-0398 MEDIUM POC This Month

The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Thirstyaffiliates Affiliate Link Manager
NVD WPScan
CVSS 3.1
5.4
EPSS
0.3%
CVE-2022-27428 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in /index.php/album/add of GalleryCMS v2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Gallerycms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-1458 MEDIUM POC PATCH This Month

Stored XSS Leads To Session Hijacking in GitHub repository openemr/openemr prior to 6.1.0.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Openemr
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2022-1457 MEDIUM POC PATCH This Month

Store XSS in title parameter executing at EditUser Page & EditProducto page in GitHub repository neorazorx/facturascripts prior to 2022.04. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Facturascripts
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2022-29419 HIGH This Week

SQL Injection (SQLi) vulnerability in Don Crowther's 3xSocializer plugin <= 0.98.22 at WordPress possible for users with a low role like a subscriber or higher. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi WordPress 3Xsocializer
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2022-1396 MEDIUM POC This Month

The Donorbox WordPress plugin before 7.1.7 does not sanitise and escape its Campaign URL settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Donorbox
NVD WPScan
CVSS 3.1
4.8
EPSS
1.0%
CVE-2022-1228 MEDIUM POC This Month

The Opensea WordPress plugin before 1.0.3 does not sanitize and escape some of its settings, like its "Referer address" field, which could allow high privilege users to perform Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Opeansea
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-1156 MEDIUM POC This Month

The Books & Papers WordPress plugin through 0.20210223 does not escape its Custom DB prefix settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Books Papers
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-1153 MEDIUM POC This Month

The LayerSlider WordPress plugin before 7.1.2 does not sanitise and escape Project's slug before outputting it back in various place, which could allow high privilege users such as admin to perform. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress LayerSlider
NVD WPScan
CVSS 3.1
4.8
EPSS
2.6%
CVE-2022-1094 MEDIUM POC This Month

The amr users WordPress plugin before 4.59.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Amr Users
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
CVE-2022-1027 MEDIUM POC This Month

The Page Restriction WordPress (WP) WordPress plugin before 1.2.7 allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings leading to stored. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Page Restriction
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-0876 MEDIUM POC This Month

The Social comments by WpDevArt WordPress plugin before 2.5.0 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Social Comments
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-1092 MEDIUM POC This Month

The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Mycred
NVD WPScan
CVSS 3.1
4.3
EPSS
0.4%
CVE-2022-0634 MEDIUM POC This Month

The ThirstyAffiliates WordPress plugin before 3.10.5 lacks authorization checks in the ta_insert_external_image action, allowing a low-privilege user (with a role as low as Subscriber) to add an. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Thirstyaffiliates Affiliate Link Manager
NVD WPScan
CVSS 3.1
4.3
EPSS
0.3%
CVE-2022-0363 MEDIUM POC This Month

The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Mycred
NVD WPScan
CVSS 3.1
4.3
EPSS
0.3%
CVE-2022-0287 MEDIUM POC This Month

The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as subscriber to call and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Mycred
NVD WPScan
CVSS 3.1
4.3
EPSS
0.8%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy