
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

03 Jan 2023 — The My Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.3.24.1. • https://patchstack.com/database/vulnerability/my-calendar/wordpress-my-calendar-plugin-3-3-24-1-cross-site-request-forgery-csrf? • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

03 Jan 2023 — The Joli Table of Contents plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.9. • https://patchstack.com/database/vulnerability/joli-table-of-contents/wordpress-joli-table-of-contents-plugin-1-3-9-cross-site-request-forgery-csrf-on-reset-settings? • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 10.0 | EPSS: 0% | CPEs: 3 | EXPL: 1

02 Jan 2023 — The Booster for WooCommerce WordPress plugin before 6.0.1, the Booster Plus for WooCommerce WordPress plugin before 6.0.1 and the Booster Elite for WooCommerce WordPress plugin before 6.0.1 either have flawed CSRF checks or are missing them completely in numerous places, allowing attackers to make logged-in users perform unwanted actions via CSRF attacks. • https://wpscan.com/vulnerability/609072d0-9bb9-4fe0-9626-7e4a334ca3a4 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 10.0 | EPSS: 0% | CPEs: 10 | EXPL: 2

29 Dec 2022 — The WeStand WordPress theme before 2.1, and the footysquare, aidreform, statfort, club-theme, kingclub-theme, spikes, spikes-black, soundblast and bolster WordPress themes from ChimpStudio and PixFill, do not have any authorisation or upload validation in the lang_upload.php file, allowing any unauthenticated attacker to u... • https://github.com/KTN1990/CVE-2022-0316_wordpress_multiple_themes_exploit • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 2

28 Dec 2022 — The User Verification WordPress plugin before 1.0.94 was affected by an Auth Bypass security vulnerability. ... The User Verification plugin for WordPress is vulnerable to authentication bypass. • https://lana.codes/lanavdb/eeabe1d3-6f64-400a-8fb2-0865efdf6957 • CWE-287: Improper Authentication; CWE-522: Insufficiently Protected Credentials

CVSS: 10.0 | EPSS: 17% | CPEs: 1 | EXPL: 1

27 Dec 2022 — The Login as User or Customer WordPress plugin before 3.3 lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session. • https://wpscan.com/vulnerability/286d972d-7bda-455c-a226-fd9ce5f925bd • CWE-285: Improper Authorization

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

27 Dec 2022 — The CBX Petition for WordPress plugin through 1.0.3 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. The C... • https://wpscan.com/vulnerability/e0fe5a53-8ae2-4b67-ac6e-4a8860e39035 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 10.0 | EPSS: 40% | CPEs: 1 | EXPL: 2

26 Dec 2022 — The User Post Gallery WordPress plugin through 2.19 does not limit what callback functions can be called by users, making it possible for any visitor to run code on sites running it. The User Post Gallery - UPG plugin for WordPress is vulnerable to authoriz... • https://github.com/im-hanzou/UPGer • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

21 Dec 2022 — The UsersWP plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.2.3.9 via the process_users_export function. • https://patchstack.com/database/vulnerability/userswp/wordpress-userswp-front-end-login-form-user-registration-user-profile-members-directory-plugin-for-wordpress-plugin-1-2-3-9-csv-injection? • CWE-1236: Improper Neutralization of Formula Elements in a CSV File

CVSS: 10.0 | EPSS: 9% | CPEs: 1 | EXPL: 1

21 Dec 2022 — The Fontsy WordPress plugin through 1.8.6 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. The Fontsy plugin for WordPress