High
CVE-2023-0136
Inappropriate implementation in in Fullscreen API in Google Chrome on Android prior to 109.0.5414.74 allowed a remote attacker to execute incorrect security UI via a crafted HTML page. (Chromium secu…
Read moreUncategorized 2023
Page 24/24.
CVEs without a recognized CWE (not present in the CWE map or marked as N/A).
CVSS ≥ 0.0
2023-01-10
Medium
CVE-2023-0162
The CPO Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of its content type settings parameters in versions up to, and including, 1.0.4 due to insufficient inp…
Read moreMedium
CVE-2022-4711
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_save_mega_menu_settings' AJAX action in versions up to, and including, 1.3.59. This allows any…
Read moreMedium
CVE-2022-4710
The Royal Elementor Addons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.3.59, due to due to insufficient input sanitization and output esca…
Read moreMedium
CVE-2022-4709
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_import_library_template' AJAX action in versions up to, and including, 1.3.59. This allows any…
Read moreMedium
CVE-2022-4708
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_save_template_conditions' AJAX action in versions up to, and including, 1.3.59. This allows an…
Read moreMedium
CVE-2022-4707
The Royal Elementor Addons plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.59. This is due to missing nonce validation in the 'wpr_create_mega_m…
Read moreMedium
CVE-2022-4705
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_final_settings_setup' AJAX action in versions up to, and including, 1.3.59. This allows any au…
Read moreMedium
CVE-2022-4704
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_import_templates_kit' AJAX action in versions up to, and including, 1.3.59. This allows any au…
Read moreMedium
CVE-2022-4703
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_reset_previous_import' AJAX action in versions up to, and including, 1.3.59. This allows any a…
Read moreMedium
CVE-2022-4702
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_fix_royal_compatibility' AJAX action in versions up to, and including, 1.3.59. This allows any…
Read moreMedium
CVE-2022-4701
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_activate_required_plugins' AJAX action in versions up to, and including, 1.3.59. This allows a…
Read moreMedium
CVE-2022-4700
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_activate_required_theme' AJAX action in versions up to, and including, 1.3.59. This allows any…
Read moreMedium
CVE-2016-15017
A vulnerability has been found in fabarea media_upload on TYPO3 and classified as critical. This vulnerability affects the function getUploadedFileList of the file Classes/Service/UploadFileService.p…
Read moreMedium
CVE-2023-22909
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. SpecialMobileHistory allows remote attackers to cause a denial of service because da…
Read more2023-01-09
Medium
CVE-2022-4497
The Jetpack CRM WordPress plugin before 5.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contri…
Read moreMedium
CVE-2022-4491
The WP-Table Reloaded WordPress plugin through 1.9.4 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low…
Read moreMedium
CVE-2022-4479
The Table of Contents Plus WordPress plugin before 2212 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as l…
Read moreMedium
CVE-2022-4468
The WP Recipe Maker WordPress plugin before 8.6.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as…
Read moreMedium
CVE-2022-4426
The Mautic Integration for WooCommerce WordPress plugin before 1.0.3 does not have proper CSRF check when updating settings, and does not ensure that the options to be updated belong to the plugin, a…
Read moreMedium
CVE-2022-4394
The iPages Flipbook For WordPress plugin through 1.4.6 does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks e…
Read moreMedium
CVE-2022-4392
The iPanorama 360 WordPress Virtual Tour Builder plugin through 1.6.29 does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scr…
Read moreMedium
CVE-2022-4391
The Vision Interactive For WordPress plugin through 1.5.3 does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attack…
Read moreMedium
CVE-2022-4374
The Bg Bible References WordPress plugin through 3.8.14 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.
Read moreMedium
CVE-2022-4368
The WP CSV WordPress plugin through 1.8.0.0 does not sanitize and escape a parameter before outputting it back in the page when importing a CSV, and doe snot have CSRF checks in place as well, leadin…
Read moreMedium
CVE-2022-4325
The Post Status Notifier Lite WordPress plugin before 1.10.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which can be u…
Read moreMedium
CVE-2022-4310
The Slimstat Analytics WordPress plugin before 4.9.3 does not sanitise and escape the URI when logging requests, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting att…
Read moreMedium
CVE-2022-4301
The Sunshine Photo Cart WordPress plugin before 2.9.15 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.
Read moreMedium
CVE-2022-4196
The Multi Step Form WordPress plugin before 1.7.8 does not sanitise and escape some of its form fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting att…
Read moreHigh
CVE-2022-4043
The WP Custom Admin Interface WordPress plugin before 7.29 unserialize user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when…
Read moreMedium
CVE-2022-3855
The 404 to Start WordPress plugin through 1.6.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks…
Read moreHigh
CVE-2022-3679
The Starter Templates by Kadence WP WordPress plugin before 1.2.17 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin import (intentionally or…
Read moreHigh
CVE-2022-3417
The WPtouch WordPress plugin before 4.3.45 unserialises the content of an imported settings file, which could lead to PHP object injections issues when an user import (intentionally or not) a malicio…
Read moreHigh
CVE-2022-3416
The WPtouch WordPress plugin before 4.3.45 does not properly validate images to be uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should…
Read moreLow
CVE-2022-3343
The WPQA Builder WordPress plugin before 5.9.3 (which is a companion plugin used with Discy and Himer Discy WordPress themes) incorrectly tries to validate that a user already follows another in the…
Read more2023-01-08
Medium
CVE-2015-10030
A vulnerability has been found in SUKOHI Surpass and classified as critical. This vulnerability affects unknown code of the file src/Sukohi/Surpass/Surpass.php. The manipulation of the argument dir l…
Read more2023-01-05
Medium
CVE-2023-0087
The Swifty Page Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘spm_plugin_options_page_tree_max_width’ parameter in versions up to, and including, 3.0.1 due to ins…
Read moreMedium
CVE-2023-0086
The JetWidgets for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.12. This is due to missing nonce validation on the save() function.…
Read moreMedium
CVE-2023-0077
Integer overflow or wraparound vulnerability in CGI component in Synology Router Manager (SRM) before 1.2.5-8227-6 and 1.3.1-9346-3 allows remote attackers to overflow buffers via unspecified vectors.
Read moreHigh
CVE-2022-43932
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in CGI component in Synology Router Manager (SRM) before 1.2.5-8227-6 and 1.3.1-9346-3…
Read moreHigh
CVE-2022-44535
A vulnerability in the Aruba EdgeConnect Enterprise Orchestrator web-based management interface allows remote low-privileged authenticated users to escalate their privileges to those of an administra…
Read moreHigh
CVE-2022-44534
A vulnerability in the Aruba EdgeConnect Enterprise Orchestrator web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploi…
Read moreMedium
CVE-2023-22622
WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not rece…
Read more2023-01-04
Medium
CVE-2022-43920
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 could allow an authenticated user to gain privileges in a different group due to an access control vulnerability in the Sftp serve…
Read moreMedium
CVE-2021-38928
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive inf…
Read more2023-01-03
High
CVE-2023-0038
The "Survey Maker – Best WordPress Survey Plugin" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via survey answers in versions up to, and including, 3.1.3 due to insufficient inpu…
Read moreCritical
CVE-2022-43931
Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified ve…
Read more2023-01-02
High
CVE-2021-30558
Insufficient policy enforcement in content security policy in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chrome security…
Read moreMedium
CVE-2022-4417
The WP Cerber Security, Anti-spam & Malware Scan WordPress plugin before 9.3.3 does not properly block access to the REST API users endpoint when the blog is in a subdirectory, which could allow atta…
Read moreMedium
CVE-2022-4381
The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scr…
Read moreHigh
CVE-2022-4373
The Quote-O-Matic WordPress plugin through 1.0.5 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users s…
Read moreHigh
CVE-2022-4372
The Web Invoice WordPress plugin through 2.1.3 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users suc…
Read moreHigh
CVE-2022-4371
The Web Invoice WordPress plugin through 2.1.3 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL Injection exploitable by high privilege users suc…
Read moreHigh
CVE-2022-4370
The multimedial images WordPress plugin through 1.0b does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role…
Read moreMedium
CVE-2022-4362
The Popup Maker WordPress plugin before 1.16.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scr…
Read moreHigh
CVE-2022-4359
The WP RSS By Publishers WordPress plugin through 0.1 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege us…
Read moreHigh
CVE-2022-4358
The WP RSS By Publishers WordPress plugin through 0.1 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege us…
Read moreCritical
CVE-2022-4357
The LetsRecover WordPress plugin before 1.2.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a…
Read moreHigh
CVE-2022-4356
The LetsRecover WordPress plugin before 1.2.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such…
Read moreHigh
CVE-2022-4355
The LetsRecover WordPress plugin before 1.2.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such…
Read moreHigh
CVE-2022-4352
The Qe SEO Handyman WordPress plugin through 1.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users s…
Read moreHigh
CVE-2022-4351
The Qe SEO Handyman WordPress plugin through 1.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users s…
Read moreMedium
CVE-2022-4340
The BookingPress WordPress plugin before 1.0.31 suffers from an Insecure Direct Object Reference (IDOR) vulnerability in it's thank you page, allowing any visitor to display information about any boo…
Read moreMedium
CVE-2022-4329
The Product list Widget for Woocommerce WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which…
Read moreHigh
CVE-2022-4324
The Custom Field Template WordPress plugin before 2.5.8 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import (intentionally…
Read moreHigh
CVE-2022-4302
The White Label CMS WordPress plugin before 2.5 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable…
Read moreCritical
CVE-2022-4298
The Wholesale Market WordPress plugin before 2.2.1 does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to downl…
Read moreCritical
CVE-2022-4297
The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an una…
Read moreMedium
CVE-2022-4260
The WP-Ban WordPress plugin before 1.69.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even w…
Read moreMedium
CVE-2022-4256
The All-in-One Addons for Elementor WordPress plugin before 2.4.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site…
Read moreHigh
CVE-2022-4237
The Welcart e-Commerce WordPress plugin before 2.8.6 does not validate user input before using it in file_exist() functions via various AJAX actions available to any authenticated users, which could…
Read moreMedium
CVE-2022-4200
The Login with Cognito WordPress plugin through 1.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting at…
Read moreMedium
CVE-2022-4198
The WP Social Sharing WordPress plugin through 2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attac…
Read moreMedium
CVE-2022-4142
The WordPress Filter Gallery Plugin WordPress plugin before 0.1.6 does not properly escape the filters passed in the ufg_gallery_filters ajax action before outputting them on the page, allowing a hig…
Read moreHigh
CVE-2022-4140
The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file, which could allow unauthenticated attacker to read arbitrary files o…
Read moreMedium
CVE-2022-4119
The Image Optimizer, Resizer and CDN WordPress plugin before 6.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site…
Read moreMedium
CVE-2022-4114
The Superio WordPress theme does not sanitise and escape some parameters, which could allow users with a role as low as a subscriber to perform Cross-Site Scripting attacks.
Read moreLow
CVE-2022-4109
The Wholesale Market for WooCommerce WordPress plugin before 2.0.0 does not validate user input against path traversal attacks, allowing high privilege users such as admin to download arbitrary logs…
Read moreCritical
CVE-2022-4099
The Joy Of Text Lite WordPress plugin before 2.3.1 does not properly sanitise and escape some parameters before using them in SQL statements accessible to unauthenticated users, leading to unauthenti…
Read moreCritical
CVE-2022-4049
The WP User WordPress plugin through 7.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
Read moreMedium
CVE-2022-3994
The Authenticator WordPress plugin before 1.3.1 does not prevent subscribers from updating a site's feed access token, which may deny other users access to the functionality in certain configurations.
Read moreMedium
CVE-2022-3936
The Team Members WordPress plugin before 5.2.1 does not sanitize and escapes some of its settings, which could allow high-privilege users such as editors to perform Stored Cross-Site Scripting attack…
Read moreHigh
CVE-2022-3860
The Visual Email Designer for WooCommerce WordPress plugin before 1.7.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by…
Read moreCritical
CVE-2022-3241
The Build App Online WordPress plugin before 1.0.19 does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users, l…
Read more2023-01-01
High
CVE-2023-22551
The FTP (aka "Implementation of a simple FTP client and server") project through 96c1a35 allows remote attackers to cause a denial of service (memory consumption) by engaging in client activity, such…
Read more