
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

19 Dec 2022 — The WPtouch WordPress plugin before 4.3.45 unserialises the content of an imported settings file, which could lead to PHP object injection issues when a user imports (intentionally or not) a malicious settings file and a suitable gadget chain is present on the blog. The WPtouch WordPress plugin before 4.3.45 deserialises the content of an imported settings file, which could lead to PHP object injection issues when a user imports (intentionally or ... • https://wpscan.com/vulnerability/55772932-eebd-475b-b5df-e80fab288ee5 • CWE-502: Deserialization of Untrusted Data •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Dec 2022 — The Spiffy Calendar plugin for WordPress is vulnerable to SQL Injection via the ‘orderby’ parameter among others in versions up to, and including, 4.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://patchstack.com/database/vulnerability/spiffy-calendar/wordpress-spiffy-calendar-plugin-4-9-1-auth-sql-injection-sqli-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Dec 2022 — Cross-Site Request Forgery (CSRF) vulnerability in ExpressTech Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin <= 8.0.7 versions. The Quiz And Survey Master plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.0.7. ... • https://patchstack.com/database/vulnerability/quiz-master-next/wordpress-quiz-and-survey-master-plugin-8-0-7-cross-site-request-forgery-csrf? • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

14 Dec 2022 — The Swifty Page Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.1. • https://plugins.trac.wordpress.org/browser/swifty-page-manager/trunk/swifty-page-manager.php?rev=1555394#L994 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

13 Dec 2022 — SQL Injection vulnerability in Cryptocurrency Widgets Pack Plugin <=1.8.1 on WordPress. Unauthenticated SQL Injection vulnerability in the Cryptocurrency Widgets Pack Plugin in versions <=1.8.1 on WordPress. The Cryptocurrency Widgets Pack plugin for WordPress is vulnerable to generic SQL Injection via an unknown parameter in versions up to, and including, 1.8.1 due to insuffi... • https://patchstack.com/database/vulnerability/cryptocurrency-widgets-pack/wordpress-cryptocurrency-widgets-pack-plugin-1-8-1-sql-injection-sqli-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 10.0 • EPSS: 1% • CPEs: 1 • EXPL: 2

12 Dec 2022 — The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection. The WP AutoComplete Search WordPress plugin up to version 1.0.4 does not sanitise or escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection. The WP AutoCo... • http://packetstormsecurity.com/files/173293/WordPress-WP-AutoComplete-Search-1.0.4-SQL-Injection.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

12 Dec 2022 — The Wholesale Market WordPress plugin before 2.2.1 does not have an authorisation check, and also does not validate user input used to generate a system path, allowing unauthenticated attackers to download arbitrary files from the server. The Wholesale Market WordPress plugin before 2.2.1 has no authorisation check and also does not validate the user input used to generate the system path, which allows unauthenticated attackers to download arbitrary files from... • https://wpscan.com/vulnerability/7485ad23-6ea4-4018-88b1-174312a0a478 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

12 Dec 2022 — The LetsRecover WordPress plugin before 1.2.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. The LetsRecover WordPress plugin before 1.2.0 does not properly sanitise or escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, which results in a SQL injection. The LetsRecover plugin for Wor... • https://bulletin.iese.de/post/letsrecover-woocommerce-abandoned-cart_1-1-0_1 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Dec 2022 — The Conditional Shipping for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.1. • https://patchstack.com/database/vulnerability/conditional-shipping-for-woocommerce/wordpress-conditional-shipping-for-woocommerce-plugin-2-3-1-cross-site-request-forgery-csrf? • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Dec 2022 — The Launchpad plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.13. • https://patchstack.com/database/vulnerability/launchpad-by-obox/wordpress-launchpad-plugin-1-0-13-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •