Skip to main content
CVE-2022-1768 CRITICAL POC THREAT Emergency

The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to insufficient escaping and parameterization on user supplied data passed to multiple SQL queries in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 86.1%.

SQLi PHP WordPress Rsvpmaker
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
86.1%
Threat
6.0
CVE-2022-31053 CRITICAL POC PATCH Act Now

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Jwt Attack Java Biscuit Auth Biscuit Go +2
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-33175 CRITICAL POC Act Now

Power Distribution Units running on Powertek firmware (multiple brands) before 3.30.30 have an insecure permissions setting on the user.token field that is accessible to everyone through the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Basic Pdu Firmware Pm Pdu Firmware Piml Pdu Firmware Smart Pim Firmware +3
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2022-0885 CRITICAL POC Act Now

The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE Code Injection WordPress Member Hero
NVD WPScan
CVSS 3.1
9.8
EPSS
9.1%
CVE-2022-0827 CRITICAL POC Act Now

The Bestbooks WordPress plugin through 2.6.3 does not sanitise and escape some parameters before using them in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Bestbooks
NVD WPScan
CVSS 3.1
9.8
EPSS
9.0%
CVE-2022-0786 CRITICAL POC THREAT Act Now

The KiviCare WordPress plugin before 2.3.9 does not sanitise and escape some parameters before using them in SQL statements via the ajax_post AJAX action with the get_doctor_details route, leading to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Kivicare
NVD WPScan
CVSS 3.1
9.8
EPSS
12.6%
CVE-2022-2067 CRITICAL POC PATCH Act Now

SQL Injection in GitHub repository francoisjacquet/rosariosis prior to 9.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi Rosariosis
NVD GitHub
CVSS 3.1
9.1
EPSS
1.9%
CVE-2022-1749 HIGH POC This Week

The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the createplugin_atf_admin_setting_page() function found in the ~/inc/config/create-plugin-config.php file due to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP CSRF Wpmk Ajax Finder
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2022-1918 HIGH POC This Week

The ToolBar to Share plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Toolbar To Share
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2022-1657 HIGH POC This Week

Vulnerable versions of the Jupiter (<= 6.10.1) and JupiterX (<= 2.0.6) Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Path Traversal Jupiter Jupiterx
NVD
CVSS 3.1
8.8
EPSS
1.6%
CVE-2022-1654 HIGH POC This Week

Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7 allow any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges via the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Jupiter Jupiterx
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2022-1777 HIGH POC This Week

The Filr WordPress plugin before 1.2.2.1 does not have authorisation check in two of its AJAX actions, allowing them to be called by any authenticated users, such as subscriber. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Filr
NVD WPScan
CVSS 3.1
8.8
EPSS
1.3%
CVE-2022-1765 HIGH POC This Week

The Hot Linked Image Cacher WordPress plugin through 1.16 is vulnerable to CSRF. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Hot Linked Image Cacher
NVD WPScan
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-1758 HIGH POC This Week

The Genki Pre-Publish Reminder WordPress plugin through 1.4.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS CSRF WordPress Genki Pre Publish Reminder
NVD WPScan
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-2064 HIGH POC PATCH This Week

Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Nocodb
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
CVE-2022-2063 HIGH POC PATCH This Week

Improper Privilege Management in GitHub repository nocodb/nocodb prior to 0.91.7+. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Privilege Escalation Nocodb
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2022-1791 HIGH POC This Week

The One Click Plugin Updater WordPress plugin through 2.4.14 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress One Click Plugin Updater
NVD WPScan
CVSS 3.1
8.1
EPSS
0.5%
CVE-2022-1779 HIGH POC This Week

The Auto Delete Posts WordPress plugin through 1.3.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Auto Delete Posts
NVD WPScan
CVSS 3.1
8.1
EPSS
0.5%
CVE-2022-1202 HIGH POC This Week

The WP-CRM WordPress plugin through 1.2.1 does not validate and sanitise fields when exporting people to a CSV file, leading to a CSV injection vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection WordPress Wp Crm
NVD WPScan
CVSS 3.1
7.8
EPSS
1.0%
CVE-2022-33174 HIGH POC THREAT This Week

Power Distribution Units running on Powertek firmware (multiple brands) before 3.30.30 allows remote authorization bypass in the web interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Basic Pdu Firmware Pm Pdu Firmware Piml Pdu Firmware Smart Pim Firmware +3
NVD
CVSS 3.1
7.5
EPSS
13.4%
CVE-2022-1762 HIGH POC This Week

The iQ Block Country WordPress plugin before 1.2.20 does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it's block feature by spoofing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Iq Block Country
NVD WPScan
CVSS 3.1
7.5
EPSS
1.2%
CVE-2022-1412 HIGH POC This Week

The Log WP_Mail WordPress plugin through 0.1 saves sent email in a publicly accessible directory using predictable filenames, allowing any unauthenticated visitor to obtain potentially sensitive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure Log Wp Mail
NVD WPScan
CVSS 3.1
7.5
EPSS
1.4%
CVE-2022-2062 HIGH POC PATCH This Week

Generation of Error Message Containing Sensitive Information in GitHub repository nocodb/nocodb prior to 0.91.7+. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Nocodb
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2022-1659 HIGH POC This Week

Vulnerable versions of the JupiterX Core (<= 2.0.6) plugin register an AJAX action jupiterx_conditional_manager which can be used to call any function in the. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Denial Of Service Jupiterx
NVD
CVSS 3.1
7.3
EPSS
0.8%
CVE-2022-1800 HIGH POC This Week

The Export any WordPress data to XML/CSV WordPress plugin before 1.3.5 does not sanitize the cpt POST parameter when exporting post data before using it in a database query, leading to an SQL. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Export Any Wordpress Data To Xml Csv
NVD WPScan
CVSS 3.1
7.2
EPSS
1.3%
CVE-2022-0863 HIGH POC THREAT This Week

The WP SVG Icons WordPress plugin through 3.2.3 does not properly validate uploaded custom icon packs, allowing an high privileged user like an admin to upload a zip file containing malicious php. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress File Upload Wp Svg Icons
NVD WPScan
CVSS 3.1
7.2
EPSS
22.9%
CVE-2022-1790 MEDIUM POC This Month

The New User Email Set Up WordPress plugin through 0.5.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress New User Email Set Up
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-1788 MEDIUM POC This Month

Due to missing checks the Change Uploaded File Permissions WordPress plugin through 4.0.0 is vulnerable to CSRF attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Change Uploaded File Permissions
NVD WPScan
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-1761 MEDIUM POC This Month

The Peter’s Collaboration E-mails WordPress plugin through 2.2.0 is vulnerable to CSRF due to missing nonce checks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Peter S Collaboration E Mails
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-1694 MEDIUM POC This Month

The Useful Banner Manager WordPress plugin through 1.6.1 does not perform CSRF checks on POST requests to its admin page, allowing an attacker to trick a logged in admin to add, modify or delete. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Useful Banner Manager
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-1624 MEDIUM POC This Month

The Latest Tweets Widget WordPress plugin through 1.1.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Latest Tweets Widget
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-1612 MEDIUM POC This Month

The Webriti SMTP Mail WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Webriti Smtp Mail
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-1608 MEDIUM POC This Month

The OnePress Social Locker WordPress plugin through 5.6.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Social Locker
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-1605 MEDIUM POC This Month

The Email Users WordPress plugin through 4.8.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Email Users
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-0745 MEDIUM POC This Month

The Like Button Rating WordPress plugin before 2.6.45 allows any logged-in user, such as subscriber, to send arbitrary e-mails to any recipient, with any subject and body. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Like Button Rating
NVD WPScan
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-1208 MEDIUM POC PATCH This Month

The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Biography field featured on individual user profile pages due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS WordPress Ultimate Member
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.3%
CVE-2021-41663 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability exists in Mini CMS V1.11. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Minicms
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
1.0%
CVE-2022-1985 MEDIUM POC PATCH This Month

The Download Manager Plugin for WordPress is vulnerable to reflected Cross-Site Scripting in versions up to, and including 3.2.42. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS WordPress Download Manager
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2022-29455 MEDIUM POC THREAT This Month

DOM-based Reflected Cross-Site Scripting (XSS) vulnerability in Elementor's Elementor Website Builder plugin <= 3.5.5 versions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Website Builder
NVD
CVSS 3.1
6.1
EPSS
23.2%
CVE-2022-2066 MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in GitHub repository neorazorx/facturascripts prior to 2022.06. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Facturascripts
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-1773 MEDIUM POC This Month

The WP Athletics WordPress plugin through 1.1.7 does not sanitise and escape a parameter before outputting back in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Wp Athletics
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-1756 MEDIUM POC This Month

The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Newsletter
NVD WPScan
CVSS 3.1
6.1
EPSS
1.8%
CVE-2022-1724 MEDIUM POC This Month

The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters before outputting them back in AJAX actions, leading to Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Simple Membership
NVD WPScan
CVSS 3.1
6.1
EPSS
1.7%
CVE-2022-1604 MEDIUM POC This Month

The MailerLite WordPress plugin before 1.5.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Mailerlite Signup Forms
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-1532 MEDIUM POC This Month

Themify WordPress plugin before 1.3.8 does not sanitise and escape the page parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Woocommerce Product Filter
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-0626 MEDIUM POC This Month

The Advanced Admin Search WordPress plugin before 1.1.6 does not sanitize and escape some parameters before outputting them back in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Advanced Admin Search
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-29247 CRITICAL PATCH Act Now

Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Information Disclosure Electron
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-29797 CRITICAL Act Now

There is a buffer overflow vulnerability in CV81-WDM FW 01.70.49.29.46. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Buffer Overflow Cv81 Wdm Firmware
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-23168 CRITICAL Act Now

The attacker could get access to the database. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Mobile Application Gateway
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2022-23167 CRITICAL Act Now

Attacker crafts a GET request to: /mobile/downloadfile.aspx? Filename =../.. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Amodat
NVD
CVSS 3.1
9.8
EPSS
0.5%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy