Skip to main content
CVE-2022-1790 MEDIUM POC This Month

The New User Email Set Up WordPress plugin through 0.5.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress New User Email Set Up
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-1788 MEDIUM POC This Month

Due to missing checks the Change Uploaded File Permissions WordPress plugin through 4.0.0 is vulnerable to CSRF attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Change Uploaded File Permissions
NVD WPScan
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-1761 MEDIUM POC This Month

The Peter’s Collaboration E-mails WordPress plugin through 2.2.0 is vulnerable to CSRF due to missing nonce checks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Peter S Collaboration E Mails
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-1694 MEDIUM POC This Month

The Useful Banner Manager WordPress plugin through 1.6.1 does not perform CSRF checks on POST requests to its admin page, allowing an attacker to trick a logged in admin to add, modify or delete. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Useful Banner Manager
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-1624 MEDIUM POC This Month

The Latest Tweets Widget WordPress plugin through 1.1.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Latest Tweets Widget
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-1612 MEDIUM POC This Month

The Webriti SMTP Mail WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Webriti Smtp Mail
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-1608 MEDIUM POC This Month

The OnePress Social Locker WordPress plugin through 5.6.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Social Locker
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-1605 MEDIUM POC This Month

The Email Users WordPress plugin through 4.8.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Email Users
NVD WPScan
CVSS 3.1
6.5
EPSS
0.5%
CVE-2022-0745 MEDIUM POC This Month

The Like Button Rating WordPress plugin before 2.6.45 allows any logged-in user, such as subscriber, to send arbitrary e-mails to any recipient, with any subject and body. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress Like Button Rating
NVD WPScan
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-1208 MEDIUM POC PATCH This Month

The Ultimate Member plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Biography field featured on individual user profile pages due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS WordPress Ultimate Member
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.3%
CVE-2021-41663 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability exists in Mini CMS V1.11. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Minicms
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
1.0%
CVE-2022-1985 MEDIUM POC PATCH This Month

The Download Manager Plugin for WordPress is vulnerable to reflected Cross-Site Scripting in versions up to, and including 3.2.42. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS WordPress Download Manager
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2022-29455 MEDIUM POC THREAT This Month

DOM-based Reflected Cross-Site Scripting (XSS) vulnerability in Elementor's Elementor Website Builder plugin <= 3.5.5 versions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Website Builder
NVD
CVSS 3.1
6.1
EPSS
23.2%
CVE-2022-2066 MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in GitHub repository neorazorx/facturascripts prior to 2022.06. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Facturascripts
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-1773 MEDIUM POC This Month

The WP Athletics WordPress plugin through 1.1.7 does not sanitise and escape a parameter before outputting back in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Wp Athletics
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-1756 MEDIUM POC This Month

The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Newsletter
NVD WPScan
CVSS 3.1
6.1
EPSS
1.8%
CVE-2022-1724 MEDIUM POC This Month

The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters before outputting them back in AJAX actions, leading to Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Simple Membership
NVD WPScan
CVSS 3.1
6.1
EPSS
1.7%
CVE-2022-1604 MEDIUM POC This Month

The MailerLite WordPress plugin before 1.5.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Mailerlite Signup Forms
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-1532 MEDIUM POC This Month

Themify WordPress plugin before 1.3.8 does not sanitise and escape the page parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Woocommerce Product Filter
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-0626 MEDIUM POC This Month

The Advanced Admin Search WordPress plugin before 1.1.6 does not sanitize and escape some parameters before outputting them back in an admin page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Advanced Admin Search
NVD WPScan
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-1961 MEDIUM POC PATCH This Month

The Google Tag Manager for WordPress (GTM4WP) plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the `gtm4wp-options[scroller-contentid]` parameter found in the. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Google WordPress PHP XSS Google Tag Manager
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.6%
CVE-2022-1658 MEDIUM POC This Month

Vulnerable versions of the Jupiter Theme (<= 6.10.1) allow arbitrary plugin deletion by any authenticated user, including users with the subscriber role, via the abb_remove_plugin AJAX action. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass Jupiter
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2022-2065 MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository neorazorx/facturascripts prior to 2022.06. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Facturascripts
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-1792 MEDIUM POC This Month

The Quick Subscribe WordPress plugin through 1.7.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS CSRF WordPress Quick Subscribe
NVD WPScan
CVSS 3.1
5.4
EPSS
0.3%
CVE-2022-1787 MEDIUM POC This Month

The Sideblog WordPress plugin through 6.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS CSRF WordPress Sideblog
NVD WPScan
CVSS 3.1
5.4
EPSS
0.3%
CVE-2022-1781 MEDIUM POC This Month

The postTabs WordPress plugin through 2.10.6 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, which. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS CSRF WordPress Posttabs
NVD WPScan
CVSS 3.1
5.4
EPSS
0.3%
CVE-2022-1780 MEDIUM POC This Month

The LaTeX for WordPress plugin through 3.4.10 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack which. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS CSRF WordPress Latex
NVD WPScan
CVSS 3.1
5.4
EPSS
0.3%
CVE-2022-1764 MEDIUM POC This Month

The WP-chgFontSize WordPress plugin through 1.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS CSRF WordPress Wp Chgfontsize
NVD WPScan
CVSS 3.1
5.4
EPSS
0.3%
CVE-2022-1763 MEDIUM POC This Month

Due to missing checks the Static Page eXtended WordPress plugin through 2.1 is vulnerable to CSRF attacks which allows changing the plugin settings, including required user levels for specific. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS CSRF WordPress Static Page Extended
NVD WPScan
CVSS 3.1
5.4
EPSS
0.3%
CVE-2022-1759 MEDIUM POC This Month

The RB Internal Links WordPress plugin through 2.0.16 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS CSRF WordPress Rb Internal Links
NVD WPScan
CVSS 3.1
5.4
EPSS
0.3%
CVE-2022-1549 MEDIUM POC This Month

The WP Athletics WordPress plugin through 1.1.7 does not sanitize parameters before storing them in the database, nor does it escape the values when outputting them back in the admin dashboard,. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Wp Athletics
NVD WPScan
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-2060 MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Dolibarr Erp Crm
NVD GitHub
CVSS 3.1
5.4
EPSS
0.9%
CVE-2022-1707 MEDIUM This Month

The Google Tag Manager for WordPress plugin for WordPress is vulnerable to reflected Cross-Site Scripting via the s parameter due to the site search populating into the data layer of sites with. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 16.2% and no vendor patch available.

Google WordPress PHP XSS Google Tag Manager
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
16.2%
CVE-2022-1595 MEDIUM POC This Month

The HC Custom WP-Admin URL WordPress plugin through 1.4 leaks the secret login URL when sending a specific crafted request. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Information Disclosure Hc Custom Wp Admin Url
NVD WPScan
CVSS 3.1
5.3
EPSS
2.6%
CVE-2022-31400 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in /staff/setup/email-addresses of Helpdeskz v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Helpdeskz
NVD
CVSS 3.1
4.8
EPSS
0.5%
CVE-2022-31398 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in /staff/tools/custom-fields of Helpdeskz v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Helpdeskz
NVD
CVSS 3.1
4.8
EPSS
0.5%
CVE-2022-1814 MEDIUM POC This Month

The WP Admin Style WordPress plugin through 0.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Wp Admin Style
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-1772 MEDIUM POC This Month

The Google Places Reviews WordPress plugin before 2.0.0 does not properly escape its Google API key setting, which is reflected on the site's administration panel. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Google XSS WordPress Google Places Reviews
NVD WPScan
CVSS 3.1
4.8
EPSS
0.7%
CVE-2022-1710 MEDIUM POC This Month

The Appointment Hour Booking WordPress plugin before 1.3.56 does not sanitise and escape a settings of its Calendar fields, which could allow high privilege users to perform Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Appointment Hour Booking
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-1336 MEDIUM POC This Month

The Carousel CK WordPress plugin through 1.1.0 does not sanitize and escape Slide's descriptions, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks when. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Carousel Ck
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-1335 MEDIUM POC This Month

The Slideshow CK WordPress plugin before 1.4.10 does not sanitize and escape Slide's descriptions, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks when. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress Slideshow Ck
NVD WPScan
CVSS 3.1
4.8
EPSS
0.6%
CVE-2022-1793 MEDIUM POC This Month

The Private Files WordPress plugin through 0.40 is missing CSRF check when disabling the protection, which could allow attackers to make a logged in admin perform such action via a CSRF attack and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Private Files
NVD WPScan
CVSS 3.1
4.3
EPSS
0.4%
CVE-2022-1594 MEDIUM POC This Month

The HC Custom WP-Admin URL WordPress plugin through 1.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Hc Custom Wp Admin Url
NVD WPScan
CVSS 3.1
4.3
EPSS
0.4%
CVE-2022-22259 MEDIUM This Month

There is an improper authentication vulnerability in FLMG-10 10.0.1.0(H100SP22C00). Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Flmg 10 Firmware
NVD
CVSS 3.1
6.8
EPSS
0.2%
CVE-2022-1820 MEDIUM PATCH This Month

The Keep Backup Daily plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘t’ parameter in versions up to, and including, 2.0.2 due to insufficient input sanitization and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Keep Backup Daily
NVD VulDB
CVSS 3.1
6.1
EPSS
3.0%
CVE-2022-1822 MEDIUM PATCH This Month

The Zephyr Project Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘project’ parameter in versions up to, and including, 3.2.40 due to insufficient input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Zephyr Project Manager
NVD VulDB
CVSS 3.1
6.1
EPSS
3.0%
CVE-2022-32193 MEDIUM This Month

Couchbase Server 6.6.x through 7.x before 7.0.4 exposes Sensitive Information to an Unauthorized Actor. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Couchbase Server
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-28217 MEDIUM This Month

Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which allows an adversary to exploit unprotected XML parking at. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF SAP Netweaver
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-31041 MEDIUM PATCH This Month

Open Forms is an application for creating and publishing smart forms. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Open Forms
NVD GitHub
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-26041 MEDIUM This Month

Directory traversal vulnerability in RCCMD 4.26 and earlier allows a remote authenticated attacker with an administrative privilege to read or alter an arbitrary file on the server via unspecified. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Rccmd
NVD
CVSS 3.1
6.5
EPSS
1.4%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy