Skip to main content
CVE-2022-4314 CRITICAL POC PATCH Act Now

Improper Privilege Management in GitHub repository ikus060/rdiffweb prior to 2.5.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Privilege Escalation Rdiffweb
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-3982 CRITICAL POC Act Now

The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Booking Calendar
NVD WPScan
CVSS 3.1
9.8
EPSS
4.5%
CVE-2022-3921 CRITICAL POC THREAT Act Now

The Listingo WordPress theme before 3.2.7 does not validate files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files and lead to RCE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Listingo
NVD WPScan
CVSS 3.1
9.8
EPSS
21.2%
CVE-2022-3915 CRITICAL POC Act Now

The Dokan WordPress plugin before 3.7.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Dokan
NVD WPScan
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-3900 CRITICAL POC THREAT Act Now

The Cooked Pro WordPress plugin before 1.7.5.7 does not properly validate or sanitize the recipe_args parameter before unserializing it in the cooked_loadmore action, allowing an unauthenticated. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP WordPress Cooked
NVD WPScan
CVSS 3.1
9.8
EPSS
19.0%
CVE-2022-37932 CRITICAL POC Act Now

A potential security vulnerability has been identified in Hewlett Packard Enterprise OfficeConnect 1820, 1850, and 1920S Network switches. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass HP Officeconnect 1820 J9979A Firmware Officeconnect 1820 J9982A Firmware Officeconnect 1820 J9980A Firmware +16
NVD
CVSS 3.1
9.8
EPSS
2.6%
CVE-2022-3989 HIGH POC This Week

The Motors WordPress plugin before 1.4.4 does not properly validate uploaded files for dangerous file types (such as .php) in an AJAX action, allowing an attacker to sign up on a victim's WordPress. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Motors Car Dealer Classifieds Listing
NVD WPScan
CVSS 3.1
8.8
EPSS
1.0%
CVE-2022-45980 HIGH POC This Week

Tenda AX12 V22.03.01.21_CN was discovered to contain a Cross-Site Request Forgery (CSRF) via /goform/SysToolRestoreSet . Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Tenda CSRF Ax12 Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
7.5%
CVE-2022-45977 HIGH POC This Week

Tenda AX12 V22.03.01.21_CN was found to have a command injection vulnerability via /goform/setMacFilterCfg function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Tenda Command Injection Ax12 Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
2.1%
CVE-2022-45043 HIGH POC This Week

Tenda AX12 V22.03.01.16_cn is vulnerable to command injection via goform/fast_setting_internet_set. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Tenda Command Injection Ax12 Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
2.2%
CVE-2022-45968 HIGH POC PATCH This Week

Alist v3.4.0 is vulnerable to File Upload. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Alist
NVD GitHub
CVSS 3.1
8.8
EPSS
1.0%
CVE-2022-4416 HIGH POC This Week

A vulnerability was found in RainyGao DocSys. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Mxsdoc
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2022-45760 HIGH POC This Week

SENS v1.0 is vulnerable to Incorrect Access Control vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Sens
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-45759 HIGH POC This Week

SENS v1.0 has a file upload vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Sens
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-3999 HIGH POC This Week

The DPD Baltic Shipping WordPress plugin before 1.2.57 does not have authorisation and CSRF in an AJAX action, which could allow any authenticated users, such as subscriber to delete arbitrary. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Woocommerce Shipping
NVD WPScan
CVSS 3.1
8.1
EPSS
0.4%
CVE-2022-45269 HIGH POC This Week

A directory traversal vulnerability in the component SCS.Web.Server.SPI/1.0 of Linx Sphere LINX 7.35.ST15 allows attackers to read arbitrary files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Linx Sphere
NVD GitHub
CVSS 3.1
7.5
EPSS
3.1%
CVE-2022-41881 HIGH POC PATCH This Week

Netty project is an event-driven asynchronous network application framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Netty Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2022-3912 HIGH POC This Week

The User Registration WordPress plugin before 2.2.4.1 does not properly restrict the files to be uploaded via an AJAX action available to both unauthenticated and authenticated users, which could. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP File Upload User Registration
NVD WPScan
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-45979 HIGH POC This Week

Tenda AX12 v22.03.01.21_CN was discovered to contain a stack overflow via the ssid parameter at /goform/fast_setting_wifi_set . Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Tenda Buffer Overflow Ax12 Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2022-45957 HIGH POC THREAT This Week

ZTE ZXHN-H108NS router with firmware version H108NSV1.0.7u_ZRD_GR2_A68 is vulnerable to remote stack buffer overflow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Zte Buffer Overflow Zxhn H108Ns Firmware
NVD
CVSS 3.1
7.5
EPSS
11.5%
CVE-2022-45227 HIGH POC This Week

The web portal of Dragino Lora LG01 18ed40 IoT v4.3.4 has the directory listing at the URL https://10.10.20.74/lib/. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Information Disclosure Lg01 Lora Firmware
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-46908 HIGH POC PATCH This Week

SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Sqlite
NVD
CVSS 3.1
7.3
EPSS
0.4%
CVE-2022-45275 HIGH POC THREAT This Week

An arbitrary file upload vulnerability in /queuing/admin/ajax.php?action=save_settings of Dynamic Transaction Queuing System v1.0 allows attackers to execute arbitrary code via a crafted PHP file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP File Upload Dynamic Transaction Queuing System
NVD GitHub
CVSS 3.1
7.2
EPSS
15.3%
CVE-2022-3925 HIGH POC This Week

The buddybadges WordPress plugin through 1.0.0 does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Buddybadges
NVD WPScan
CVSS 3.1
7.2
EPSS
1.0%
CVE-2022-45997 HIGH POC This Week

Tenda W20E V16.01.0.6(3392) is vulnerable to Buffer Overflow. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Tenda Buffer Overflow W20e Firmware
NVD GitHub
CVSS 3.1
7.2
EPSS
0.9%
CVE-2022-45996 HIGH POC This Week

Tenda W20E V16.01.0.6(3392) is vulnerable to Command injection via cmd_get_ping_output. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Tenda Command Injection W20e Firmware
NVD GitHub
CVSS 3.1
7.2
EPSS
2.3%
CVE-2022-4016 MEDIUM POC This Month

The Booster for WooCommerce WordPress plugin before 5.6.7, Booster Plus for WooCommerce WordPress plugin before 5.6.6, Booster Elite for WooCommerce WordPress plugin before 1.1.8 does not properly. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Booster For Woocommerce
NVD WPScan
CVSS 3.1
6.5
EPSS
0.3%
CVE-2022-3946 MEDIUM POC This Month

The Welcart e-Commerce WordPress plugin before 2.8.4 does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Welcart E Commerce
NVD WPScan
CVSS 3.1
6.5
EPSS
0.3%
CVE-2022-3930 MEDIUM POC This Month

The Directorist WordPress plugin before 7.4.2.2 suffers from an IDOR vulnerability which an attacker can exploit to change the password of arbitrary users instead of his own. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Directorist
NVD WPScan
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-3883 MEDIUM POC This Month

The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 7.24 does not have proper authorisation and CSRF in an AJAX action, allowing any. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Stopbadbots
NVD WPScan
CVSS 3.1
6.5
EPSS
0.3%
CVE-2022-3882 MEDIUM POC This Month

The Memory Usage, Memory Limit, PHP and Server Memory Health Check and Fix Plugin WordPress plugin before 2.46 does not have proper authorisation and CSRF in an AJAX action, allowing any. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP WordPress Wp Memory
NVD WPScan
CVSS 3.1
6.5
EPSS
0.3%
CVE-2022-3880 MEDIUM POC This Month

The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan WordPress plugin before 4.20 does not have proper authorisation and CSRF in an AJAX action, allowing any. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Antihacker
NVD WPScan
CVSS 3.1
6.5
EPSS
0.3%
CVE-2022-3879 MEDIUM POC This Month

The Car Dealer (Dealership) and Vehicle sales WordPress Plugin WordPress plugin before 3.05 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Car Dealer
NVD WPScan
CVSS 3.1
6.5
EPSS
0.3%
CVE-2022-3908 MEDIUM POC This Month

The Helloprint WordPress plugin before 1.4.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Helloprint
NVD WPScan
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-4413 MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Reflected in GitHub repository nuxt/framework prior to v3.0.0-rc.13. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Framework
NVD GitHub
CVSS 3.1
6.1
EPSS
0.5%
CVE-2022-38656 CRITICAL Act Now

HCL Commerce, when using Elasticsearch, can allow a remote attacker to cause a denial of service attack on the site and make administrative changes. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Elastic Hcl Commerce
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2022-37897 CRITICAL Act Now

There is a command injection vulnerability that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Command Injection Aruba Sd Wan Arubaos
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2022-3485 CRITICAL Act Now

In IFM Moneo Appliance with version up to 1.9.3 an unauthenticated remote attacker can reset the administrator password by only supplying the serial number and thus gain full control of the device. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Moneo Qha210 Firmware Moneo Qha200 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-46682 CRITICAL PATCH Act Now

Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Jenkins XXE Plot
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-3881 MEDIUM POC This Month

The WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log WordPress plugin before 3.43 does not have proper authorisation and CSRF in. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP WordPress Wptools
NVD WPScan
CVSS 3.1
5.7
EPSS
0.4%
CVE-2022-4005 MEDIUM POC This Month

The Donation Button WordPress plugin through 4.0.0 does not sanitize and escapes some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Donation Button
NVD WPScan
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-3935 MEDIUM POC This Month

The Welcart e-Commerce WordPress plugin before 2.8.4 does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Welcart E Commerce
NVD WPScan
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-3934 MEDIUM POC This Month

The FlatPM WordPress plugin before 3.0.13 does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Flat Pm
NVD WPScan
CVSS 3.1
5.4
EPSS
0.9%
CVE-2022-3933 MEDIUM POC This Month

The Essential Real Estate WordPress plugin before 3.9.6 does not sanitize and escapes some parameters, which could allow users with a role as low as Admin to perform Cross-Site Scripting attacks. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Essential Real Estate
NVD WPScan
CVSS 3.1
5.4
EPSS
0.9%
CVE-2022-45970 MEDIUM POC This Month

Alist v3.5.1 is vulnerable to Cross Site Scripting (XSS) via the bulletin board. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Alist
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2022-45758 MEDIUM POC This Month

SENS v1.0 is vulnerable to Cross Site Scripting (XSS) via com.liuyanzhao.sens.web.controller.admin, getRegister. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Sens
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2022-4097 MEDIUM POC This Month

The All-In-One Security (AIOS) WordPress plugin before 5.0.8 is susceptible to IP Spoofing attacks, which can lead to bypassed security features (like IP blocks, rate limiting, brute force. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass WordPress All In One Security
NVD WPScan
CVSS 3.1
5.3
EPSS
0.6%
CVE-2022-45956 MEDIUM POC This Month

Boa Web Server versions 0.94.13 through 0.94.14 fail to validate the correct security constraint on the HEAD HTTP method allowing everyone to bypass the Basic Authorization mechanism. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Boa
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2022-42716 HIGH This Week

An issue was discovered in the Arm Mali GPU Kernel Driver. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Use After Free Memory Corruption Valhall Gpu Kernel Driver
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2022-4010 MEDIUM POC This Month

The Image Hover Effects WordPress plugin before 5.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Image Hover Effects
NVD WPScan
CVSS 3.1
4.8
EPSS
0.5%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy