Skip to main content
CVE-2022-4120 CRITICAL POC THREAT Act Now

The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2022.6 passes base64 encoded user input to the unserialize() PHP function when CAPTCHA are used as second. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Deserialization Stop Spammers
NVD WPScan
CVSS 3.1
9.8
EPSS
18.1%
CVE-2022-4117 CRITICAL POC Act Now

The IWS WordPress plugin through 1.0 does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Iws Geo Form Fields
NVD WPScan
CVSS 3.1
9.8
EPSS
5.0%
CVE-2022-4047 CRITICAL POC Act Now

The Return Refund and Exchange For WooCommerce WordPress plugin before 4.0.9 does not validate attachment files to be uploaded via an AJAX action available to unauthenticated users, which could allow. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Information Disclosure Microsoft WordPress Return Refund And Exchange For Woocommerce
NVD WPScan
CVSS 3.1
9.8
EPSS
6.2%
CVE-2022-4158 HIGH POC This Week

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_Fields POST parameter before concatenating it to an SQL query in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-4156 HIGH POC This Week

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the user_id POST parameter before concatenating it to an SQL query in. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-4268 HIGH POC This Week

The Plugin Logic WordPress plugin before 1.0.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi WordPress Plugin Logic
NVD WPScan
CVSS 3.1
7.2
EPSS
1.1%
CVE-2022-4266 MEDIUM POC This Month

The Bulk Delete Users by Email WordPress plugin through 1.2 does not have CSRF check when deleting users, which could allow attackers to make a logged in admin delete non admin users by knowing their. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Bulk Delete Users By Email
NVD WPScan
CVSS 3.1
6.5
EPSS
0.3%
CVE-2022-4239 MEDIUM POC This Month

The Workreap WordPress theme before 2.6.4 does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure WordPress Workreap
NVD WPScan
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-4166 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the addCountS POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4165 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_order POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4164 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_multiple_files_for_post POST parameter before concatenating it to an. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4163 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_deactivate and cg_activate POST parameters before concatenating it to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4162 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_row POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4161 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_copy_start POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4160 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_copy_id POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4159 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_id POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4153 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the upload[] POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4152 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5, Contest Gallery Pro WordPress plugin before 19.1.5 do not escape the option_id POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4151 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id GET parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-4150 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
6.5
EPSS
0.9%
CVE-2022-36664 MEDIUM POC This Month

Password Manager for IIS 2.0 has a cross-site scripting (XSS) vulnerability via the /isapi/PasswordManager.dll ResultURL parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Password Manager For Iis
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
3.8%
CVE-2022-4267 MEDIUM POC This Month

The Bulk Delete Users by Email WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Bulk Delete Users By Email
NVD WPScan
CVSS 3.1
6.1
EPSS
0.5%
CVE-2022-37310 MEDIUM POC This Month

OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Open Xchange Appsuite
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2022-37309 MEDIUM POC This Month

OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Open Xchange Appsuite
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2022-37308 MEDIUM POC This Month

OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Open Xchange Appsuite
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2022-37307 MEDIUM POC This Month

OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Open Xchange Appsuite
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2022-31469 MEDIUM POC This Month

OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Open Xchange Appsuite
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2022-4742 CRITICAL PATCH Act Now

A vulnerability, which was classified as critical, has been found in json-pointer up to 0.6.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Information Disclosure Prototype Pollution Json Pointer
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-26969 CRITICAL PATCH Act Now

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Cors Misconfiguration Directus
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-24119 CRITICAL PATCH Act Now

Certain General Electric Renewable Energy products have a hidden feature for unauthenticated remote access to the device configuration shell. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Inet 900 Firmware Inet Ii 900 Firmware Sd1 Firmware Sd2 Firmware +4
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2022-24117 CRITICAL PATCH Act Now

Certain General Electric Renewable Energy products download firmware without an integrity check. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Inet 900 Firmware Inet Ii 900 Firmware Sd1 Firmware Sd2 Firmware +4
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2022-24116 CRITICAL PATCH Act Now

Certain General Electric Renewable Energy products have inadequate encryption strength. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Inet 900 Firmware Inet Ii 900 Firmware Sd1 Firmware Sd2 Firmware +4
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2022-37313 MEDIUM POC This Month

OX App Suite through 7.10.6 allows SSRF because the anti-SSRF protection mechanism only checks the first DNS AA or AAAA record. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Open Xchange Appsuite
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2022-37312 MEDIUM POC This Month

OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Open Xchange Appsuite
NVD
CVSS 3.1
5.3
EPSS
0.9%
CVE-2022-37311 MEDIUM POC This Month

OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large location request parameter to the redirect servlet. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Open Xchange Appsuite
NVD
CVSS 3.1
5.3
EPSS
0.9%
CVE-2022-24118 CRITICAL PATCH Act Now

Certain General Electric Renewable Energy products allow attackers to use a code to trigger a reboot into the factory default configuration. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Inet 900 Firmware Inet Ii 900 Firmware Sd1 Firmware Sd2 Firmware +4
NVD
CVSS 3.1
9.1
EPSS
0.6%
CVE-2022-4157 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_option_id POST parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
4.9
EPSS
0.9%
CVE-2022-4155 MEDIUM POC This Month

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the wp_user_id GET parameter before concatenating it to an SQL query in. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
4.9
EPSS
0.8%
CVE-2022-4154 MEDIUM POC This Month

The Contest Gallery Pro WordPress plugin before 19.1.5 does not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress Contest Gallery
NVD WPScan
CVSS 3.1
4.9
EPSS
0.9%
CVE-2022-4243 MEDIUM POC This Month

The ImageInject WordPress plugin through 1.17 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Imageinject
NVD WPScan
CVSS 3.1
4.8
EPSS
0.5%
CVE-2022-4242 MEDIUM POC This Month

The WP Google Review Slider WordPress plugin before 11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Google WordPress XSS Wp Google Review Slider
NVD WPScan
CVSS 3.1
4.8
EPSS
0.5%
CVE-2022-4226 MEDIUM POC This Month

The Simple Basic Contact Form WordPress plugin before 20221201 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Simple Basic Contact Form
NVD WPScan
CVSS 3.1
4.8
EPSS
0.5%
CVE-2022-4197 MEDIUM POC This Month

The Sliderby10Web WordPress plugin before 1.2.53 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Slider
NVD WPScan
CVSS 3.1
4.8
EPSS
0.5%
CVE-2022-4110 MEDIUM POC This Month

The Eventify™ WordPress plugin through 2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Eventify
NVD WPScan
CVSS 3.1
4.8
EPSS
0.5%
CVE-2022-4042 MEDIUM POC This Month

The Paytium: Mollie payment forms & donations WordPress plugin before 4.3.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Paytium
NVD WPScan
CVSS 3.1
4.8
EPSS
0.5%
CVE-2022-3840 MEDIUM POC This Month

The Login for Google Apps WordPress plugin before 3.4.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Google WordPress XSS Login For Google Apps
NVD WPScan
CVSS 3.1
4.8
EPSS
0.5%
CVE-2022-3835 MEDIUM POC This Month

The Kwayy HTML Sitemap WordPress plugin before 4.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Kwayy Html Sitemap
NVD WPScan
CVSS 3.1
4.8
EPSS
0.5%
CVE-2022-30260 HIGH This Week

Emerson DeltaV Distributed Control System (DCS) has insufficient verification of firmware integrity (an inadequate checksum approach, and no signature). Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Deltav Distributed Control System Sq Controller Firmware Deltav Distributed Control System Sx Controller Firmware Se4002S1T2B6 High Side 40 Pin Mass I O Terminal Block Firmware Se4003S2B4 16 Pin Mass I O Terminal Block Firmware +20
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2022-26964 HIGH This Week

Weak password derivation for export in Devolutions Remote Desktop Manager before 2022.1 allows information disclosure via a password brute-force attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Remote Desktop Manager
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2022-4227 MEDIUM This Month

The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin before 6.0.0, Booster Elite for WooCommerce WordPress plugin before 6.0.0 do not escape some. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Booster Elite For Woocommerce Booster For Woocommerce Booster Plus For Woocommerce
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy