Search Results (45730 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-1156 | 1 Books & Papers Project | 1 Books & Papers | 2024-11-21 | 4.8 Medium |
| The Books & Papers WordPress plugin through 0.20210223 does not escape its Custom DB prefix settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2022-1152 | 1 Menubar | 1 Menubar | 2024-11-21 | 5.4 Medium |
| The Menubar WordPress plugin before 5.8 does not sanitise and escape the command parameter before outputting it back in the response via the menubar AJAX action (available to any authenticated users), leading to a Reflected Cross-Site Scripting | ||||
| CVE-2022-1112 | 1 Autolinks Project | 1 Autolinks | 2024-11-21 | 5.4 Medium |
| The Autolinks WordPress plugin through 1.0.1 does not have CSRF check in place when updating its settings, and does not sanitise as well as escape them, which could allow attackers to perform Stored Cross-Site scripting against a logged in admin via a CSRF attack | ||||
| CVE-2022-1104 | 1 Code-atlantic | 1 Popup Maker | 2024-11-21 | 4.8 Medium |
| The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2022-1102 | 1 Event Management System Project | 1 Event Management System | 2024-11-21 | 4.3 Medium |
| A vulnerability classified as problematic has been found in SourceCodester Royale Event Management System 1.0. Affected is an unknown function of the file /royal_event/companyprofile.php. The manipulation of the argument companyname/regno/companyaddress/companyemail leads to cross site scripting. It is possible to launch the attack remotely. VDB-195786 is the identifier assigned to this vulnerability. | ||||
| CVE-2022-1095 | 1 Mihdan\ | 1 No External Links Project | 2024-11-21 | 4.8 Medium |
| The Mihdan: No External Links WordPress plugin before 5.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2022-1093 | 1 Joomunited | 1 Wp Meta Seo | 2024-11-21 | 4.8 Medium |
| The WP Meta SEO WordPress plugin before 4.4.7 does not sanitise or escape the breadcrumb separator before outputting it to the page, allowing a high privilege user such as an administrator to inject arbitrary javascript into the page even when unfiltered html is disallowed. | ||||
| CVE-2022-1091 | 1 10up | 1 Safe Svg | 2024-11-21 | 6.1 Medium |
| The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent (mainly XSS, but depending on further use of uploaded SVG files potentially other XML attacks). | ||||
| CVE-2022-1090 | 1 Good-bad-comments Project | 1 Good-bad-comments | 2024-11-21 | 4.8 Medium |
| The Good & Bad Comments WordPress plugin through 1.0.0 does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2022-1089 | 1 Wpsheeteditor | 1 Bulk Edit And Create User Profiles - Wp Sheet Editor | 2024-11-21 | 4.8 Medium |
| The Bulk Edit and Create User Profiles WordPress plugin before 1.5.14 does not sanitise and escape the Users Login, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2022-1088 | 1 Contextureintl | 1 Page Security & Membership | 2024-11-21 | 4.8 Medium |
| The Page Security & Membership WordPress plugin through 1.5.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2022-1063 | 1 Thank Me Later Project | 1 Thank Me Later | 2024-11-21 | 4.8 Medium |
| The Thank Me Later WordPress plugin through 3.3.4 does not sanitise and escape the Message Subject field before outputting it in the Messages list, which could allow high privileges users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2022-1062 | 1 Th23 | 1 Th23 Social | 2024-11-21 | 4.8 Medium |
| The th23 Social WordPress plugin through 1.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2022-1051 | 1 2code | 1 Wpqa Builder | 2024-11-21 | 5.4 Medium |
| The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer, does not sanitise and escape the city, phone or profile credentials fields when outputting it in the profile page, allowing any authenticated user to perform Cross-Site Scripting attacks. | ||||
| CVE-2022-1047 | 1 Themify | 1 Post Type Builder Search Addon | 2024-11-21 | 6.1 Medium |
| The Themify Post Type Builder Search Addon WordPress plugin before 1.4.0 does not properly escape the current page URL before reusing it in a HTML attribute, leading to a reflected cross site scripting vulnerability. | ||||
| CVE-2022-1046 | 1 Vfbpro | 1 Visual Form Builder | 2024-11-21 | 4.8 Medium |
| The Visual Form Builder WordPress plugin before 3.0.7 does not sanitise and escape the form's 'Email to' field, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2022-1029 | 1 Miniorange | 1 Limit Login Attempts | 2024-11-21 | 4.8 Medium |
| The Limit Login Attempts WordPress plugin before 4.0.72 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup) | ||||
| CVE-2022-1028 | 1 Miniorange | 1 Wordpress Security | 2024-11-21 | 4.8 Medium |
| The WordPress Security Firewall, Malware Scanner, Secure Login and Backup plugin before 4.2.1 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup) | ||||
| CVE-2022-1027 | 1 Minioragne | 1 Page Restriction | 2024-11-21 | 4.8 Medium |
| The Page Restriction WordPress (WP) WordPress plugin before 1.2.7 allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings leading to stored Cross-Site Scripting that will only affect administrator users. | ||||
| CVE-2022-1022 | 1 Chatwoot | 1 Chatwoot | 2024-11-21 | 5.4 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chatwoot prior to 2.5.0. | ||||