CVE-2022-40692 – WordPress Sunshine Photo Cart Plugin <= 2.9.13 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-40692
02 Dec 2022 — The Sunshine Photo Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.13. • https://patchstack.com/database/vulnerability/sunshine-photo-cart/wordpress-sunshine-photo-cart-plugin-2-9-13-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-45832 – WordPress Attorney theme <= 3 - Unauth.
https://notcve.org/view.php?id=CVE-2022-45832
01 Dec 2022 — The Attorney theme for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the hd_delete_index_page function hooked via admin_init in versions up to, and including, 3. • https://patchstack.com/database/vulnerability/attorney/wordpress-attorney-theme-3-unauth-arbitrary-content-deletion-vulnerability? • CWE-862: Missing Authorization
CVE-2022-3679 – Starter Templates by Kadence WP < 1.2.17 - Admin+ PHP Object Injection
https://notcve.org/view.php?id=CVE-2022-3679
01 Dec 2022 — The Starter Templates by Kadence WP WordPress plugin before 1.2.17 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog. • https://wpscan.com/vulnerability/ec4b9bf7-71d6-4528-9dd1-cc7779624760 • CWE-502: Deserialization of Untrusted Data
CVE-2022-4117 – IWS - Geo Form Fields <= 1.0 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2022-4117
30 Nov 2022 — The IWS WordPress plugin through 1.0 does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection. The IWS - Geo Form Fields plugin for <... • https://wpscan.com/vulnerability/1fac3eb4-13c0-442d-b27c-7b7736208193 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-41616 – WordPress Export Users Data CSV Plugin <= 2.1 is vulnerable to CSV Injection
https://notcve.org/view.php?id=CVE-2022-41616
30 Nov 2022 — The Export Users Data CSV plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 2.1. • https://patchstack.com/database/vulnerability/export-users-data-csv/wordpress-export-users-data-csv-plugin-2-1-auth-csv-injection-vulnerability? • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') • CWE-1236: Improper Neutralization of Formula Elements in a CSV File
CVE-2022-4050 – JoomSport < 5.2.8 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2022-4050
28 Nov 2022 — The JoomSport WordPress plugin before 5.2.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users. The JoomSport plugin for WordPress is vulnerable to SQL Injection in versions up... • https://wpscan.com/vulnerability/5c96bb40-4c2d-4e91-8339-e0ddce25912f • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-4063 – InPost Gallery < 2.1.4.1 - Unauthenticated LFI to RCE
https://notcve.org/view.php?id=CVE-2022-4063
28 Nov 2022 — The InPost Gallery WordPress plugin before 2.1.4.1 insecurely uses PHP's extract() function when rendering HTML views, allowing attackers to force the inclusion of malicious files & URLs, which may enable them to run code on servers. The InPost Gallery Plugin for ... • https://github.com/im-hanzou/INPGer • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2022-4047 – Return Refund and Exchange For WooCommerce < 4.0.9 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2022-4047
25 Nov 2022 — The Return Refund and Exchange For WooCommerce WordPress plugin before 4.0.9 does not validate attachment files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files such as PHP and lead to RCE. • https://github.com/entroychang/CVE-2022-4047 • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2022-45846 – WordPress Image Map Pro Plugin < 5.6.9 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-45846
23 Nov 2022 — Cross-Site Request Forgery (CSRF) vulnerability in Nickys Image Map Pro for WordPress - Interactive SVG Image Map Builder plugin < 5.6.9 versions. The Image Map Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.5.0. • https://patchstack.com/database/vulnerability/image-map-pro-wordpress/wordpress-image-map-pro-premium-plugin-5-5-0-multiple-cross-site-request-forgery-csrf-vulnerabilities? • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-45359 – WordPress YITH WooCommerce Gift Cards Premium Plugin <= 3.19.0 is vulnerable to Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2022-45359
22 Nov 2022 — Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards premium plugin <= 3.19.0 on WordPress. The Yith WooCommerce Gift Cards Premium plugin for WordPress is vulnerable to arbitrary file uploads due to missing... • https://patchstack.com/database/vulnerability/yith-woocommerce-gift-cards-premium/wordpress-yith-woocommerce-gift-cards-premium-plugin-3-19-0-unauth-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type