CVE-2023-22674 – WordPress Dashicons + Custom Post Types Plugin <= 1.0.2 is vulnerable to Broken Access Control
https://notcve.org/view.php?id=CVE-2023-22674
13 Jan 2023 — The Dashicons + Custom Post Types plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on an unknown function in versions up to, and including, 1.0.2. • https://patchstack.com/database/vulnerability/dashicons-cpt/wordpress-dashicons-custom-post-types-plugin-1-0-2-broken-access-control? • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization
CVE-2023-22678 – WordPress Superior FAQ Plugin <= 1.0.2 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-22678
13 Jan 2023 — The Superior FAQ plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. • https://patchstack.com/database/vulnerability/superior-faq/wordpress-superior-faq-plugin-1-0-2-cross-site-request-forgery-csrf? • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-23488 – Paid Memberships Pro < 2.9.8 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2023-23488
12 Jan 2023 — The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route. The Paid Memberships Pro plugin for WordPress is vulnerable to SQL injection in versions before 2.9.8 via the 'code' parameter in the /pmpro/v1/order REST route. ... WordPress Paid Memberships Pro plugin version 2.9.8 suffers from a remote SQL injection vulnerability. • http://packetstormsecurity.com/files/171661/WordPress-Paid-Memberships-Pro-2.9.8-SQL-Injection.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-23489 – Easy Digital Downloads < 3.1.0.4 - SQL Injection
https://notcve.org/view.php?id=CVE-2023-23489
12 Jan 2023 — The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthenticated SQL injection vulnerability in the 's' parameter of its 'edd_download_search' action. The Easy Digital Downloads plugin for WordPress is vulnerable to SQL Injection in versions before 3.1.0.4 via the 's' parameter used in the 'edd_download_search' AJAX action. • https://www.tenable.com/security/research/tra-2023-2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-4681 – Hide My WP < 6.2.9 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2022-4681
11 Jan 2023 — The Hide My WP WordPress plugin before 6.2.9 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. The Hide My WP plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in versions up to, but not including, 6.2.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. ... WordPress Hide M... • https://www.exploit-db.com/exploits/51871 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-23712 – WordPress User Meta Manager Plugin <= 3.4.9 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-23712
10 Jan 2023 — The User Meta Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.9. • https://patchstack.com/database/vulnerability/user-meta-manager/wordpress-user-meta-manager-plugin-3-4-9-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-45067 – WordPress Exclusive Addons Elementor Plugin <= 2.6.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-45067
07 Jan 2023 — The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.6.1. • https://patchstack.com/database/vulnerability/exclusive-addons-for-elementor/wordpress-exclusive-addons-for-elementor-plugin-2-6-1-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-47159 – WordPress Logaster Logo Generator Plugin <= 1.3 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-47159
04 Jan 2023 — The Logaster Logo Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3. • https://patchstack.com/database/vulnerability/logaster-logo-generator/wordpress-logaster-logo-generator-plugin-1-3-cross-site-request-forgery-csrf? • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-47440 – WordPress My Tickets Plugin <= 1.9.10 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-47440
04 Jan 2023 — The My Tickets plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.9.10. • https://patchstack.com/database/vulnerability/my-tickets/wordpress-my-tickets-plugin-1-9-10-cross-site-request-forgery-csrf? • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-4395 – Membership For WooCommerce < 2.1.7 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2022-4395
04 Jan 2023 — The Membership For WooCommerce WordPress plugin before 2.1.7 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as malicious PHP code, and achieve RCE. The Membership For WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in versions up to, and including, 2.1.6. • https://www.exploit-db.com/exploits/51959 • CWE-434: Unrestricted Upload of File with Dangerous Type