CVE-2022-2381 – E Unlocked - Student Result <= 1.0.4 - Arbitrary File Upload via CSRF
https://notcve.org/view.php?id=CVE-2022-2381
19 Jul 2022 — The E Unlocked - Student Result WordPress plugin through 1.0.4 lacks both a CSRF check and file validation when uploading the School logo, which could allow attackers to make a logged-in admin upload arbitrary files, such as PHP, via a CSRF attack. • https://wpscan.com/vulnerability/c39c41bf-f622-4239-a0a1-4dfe0e079f7f • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-34839 – WordPress WP OAuth2 Server plugin <= 1.0.1 - Authentication Bypass vulnerability
https://notcve.org/view.php?id=CVE-2022-34839
18 Jul 2022 — CodexShaper's WP OAuth2 Server plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0.1. • https://patchstack.com/database/vulnerability/oauth2-server/wordpress-wp-oauth2-server-plugin-1-0-1-authentication-bypass-vulnerability • CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVE-2022-2460 – WPDating < 7.4.0 - Multiple Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2022-2460
18 Jul 2022 — The WPDating WordPress plugin before 7.4.0 does not properly escape user input before concatenating it into certain SQL queries, leading to multiple SQL injection vulnerabilities exploitable by unauthenticated users. The WPDating plugin for WordPress is vulnerable to SQL Injecti... • https://wpscan.com/vulnerability/694b6dfd-2424-41b4-8595-b6c305c390db • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-2594 – Advanced Custom Fields 5.0-5.12.2 - Unauthenticated File Upload
https://notcve.org/view.php?id=CVE-2022-2594
14 Jul 2022 — The Advanced Custom Fields and Advanced Custom Fields Pro WordPress plugins before 5.12.3 allow unauthenticated users to upload files of the types allowed in a default WP configuration (so PHP is not possible) if a frontend form is available. ... • https://wpscan.com/vulnerability/3fde5336-552c-4861-8b4d-89a16735c0e2 • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-862: Missing Authorization
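The two upload entries above (CVE-2022-2381, where an admin's browser can be made to upload a PHP file as the School logo, and CVE-2022-2594, where an anonymous visitor can upload through a frontend form) share one fix pattern: decide who may upload before touching the file, accept only an allow-listed type whose bytes really match, and never keep the client's file name. The following is an added example written for this page, not code from either plugin; the names validate_upload(), user_can(), ALLOWED_UPLOADS and the $user array are assumptions, and the sample PNG and webshell bodies are constructed inline. A real WordPress plugin would use current_user_can(), wp_check_filetype_and_ext() and wp_handle_upload() for the same three steps; plain PHP is used here so the file runs under the php CLI. The CSRF nonce that the logo handler also needs is a separate concern and is not part of this block.

```php
<?php
declare(strict_types=1);

// Added example, not code from E Unlocked or Advanced Custom Fields.
// validate_upload(), user_can(), ALLOWED_UPLOADS and $user are assumptions.

// Extension -> MIME allow-list. Executable server-side types (.php, .phtml,
// .phar) are never in this list, whatever the client claims.
const ALLOWED_UPLOADS = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

/** Stand-in for current_user_can(): null means an unauthenticated visitor. */
function user_can(?array $user, string $capability): bool
{
    return $user !== null && in_array($capability, $user['caps'], true);
}

/**
 * Vulnerable shape: nobody asks who is uploading and the client-chosen name
 * is kept, so an anonymous visitor (ACF frontend form) or a CSRF'd admin
 * (E Unlocked logo) can store shell.php under the web root.
 */
function validate_upload_vulnerable(?array $user, string $clientName, string $tmpPath): array
{
    return ['ok' => true, 'name' => basename($clientName)];
}

/**
 * Hardened shape: authorization first, then an allow-listed extension whose
 * bytes really are that type, then a server-chosen file name.
 */
function validate_upload(?array $user, string $clientName, string $tmpPath): array
{
    if (!user_can($user, 'manage_options')) {
        return ['ok' => false, 'reason' => 'unauthorized'];
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_UPLOADS[$ext])) {
        return ['ok' => false, 'reason' => "extension .$ext not allowed"];
    }
    // Sniff the real content with libmagic; a PHP script renamed to
    // logo.png is reported as text/x-php and fails this comparison.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED_UPLOADS[$ext]) {
        return ['ok' => false, 'reason' => "content is $mime, expected " . ALLOWED_UPLOADS[$ext]];
    }
    // Random server-side name: no path components, no double extensions.
    return ['ok' => true, 'name' => bin2hex(random_bytes(8)) . '.' . $ext];
}

// --- constructed inputs: a minimal 1x1 PNG (signature + IHDR) and a one-line webshell ---
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\x0dIHDR" . pack('NN', 1, 1)
    . "\x08\x02\x00\x00\x00" . "\x90\x77\x53\xde");
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php system(\$_GET['c']); ?>\n");

$admin = ['caps' => ['manage_options']];
$anon  = null;

print_r(validate_upload_vulnerable($anon, 'shell.php', $php));  // the bug: taken as-is
print_r(validate_upload($anon,  'logo.png',  $png));            // unauthenticated visitor
print_r(validate_upload($admin, 'shell.php', $php));            // admin, disallowed extension
print_r(validate_upload($admin, 'shell.png', $php));            // admin, PHP bytes behind a .png name
print_r(validate_upload($admin, 'logo.png',  $png));            // admin, genuine PNG

unlink($png);
unlink($php);
```

The content sniff matters even when an extension allow-list exists: the ACF advisory notes that a default WordPress configuration already blocks PHP by extension, and the remaining risk is exactly the mismatch case (polyglot or renamed files) plus the missing authorization check that let anyone reach the endpoint at all.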
CVE-2022-1950 – Youzify < 1.2.0 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2022-1950
13 Jul 2022 — The Youzify WordPress plugin before 1.2.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection. The Youzify Plugin for WordP... • https://wpscan.com/vulnerability/4352283f-dd43-4827-b417-0c55d0f4637d • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-2269 – Website File Changes Monitor < 1.8.3 - Admin+ SQLi
https://notcve.org/view.php?id=CVE-2022-2269
13 Jul 2022 — The Website File Changes Monitor WordPress plugin before 1.8.3 does not sanitise and escape user input before using it in a SQL statement via an action available to users with the manage_options capability (by default admins), leading to an SQL injection. • https://wpscan.com/vulnerability/bb348c92-d7e3-4a75-98aa-dd1c463bfd65 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-2437 – Feed Them Social – for Twitter feed, Youtube and more <= 2.9.8.5 - Unauthenticated PHAR Deserialization
https://notcve.org/view.php?id=CVE-2022-2437
12 Jul 2022 — The Feed Them Social – for Twitter feed, Youtube and more plugin for WordPress is vulnerable to deserialization of untrusted input via the 'fts_url' parameter in versions up to, and including, 2.9.8.5. ... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2754749%40feed-them-social&new=2754749%40feed-them-social&sfp_email=&sfph_mail= • CWE-502: Deserialization of Untrusted Data
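A PHAR deserialization bug of the kind described for CVE-2022-2437 needs no unserialize() call in the plugin: when a string under attacker control reaches a filesystem function (file_exists(), file_get_contents(), getimagesize() and so on), PHP's phar:// stream wrapper parses the named archive and, on PHP 7.x, unserializes its metadata as a side effect, which is enough to fire a gadget chain if the attacker has also planted a file on the server (PHP 8.0 stopped unserializing phar metadata implicitly during stream operations, so the impact depends on the PHP version the site runs). The following is an added example, not Feed Them Social code; the parameter name fts_url is taken from the advisory, while fetch_feed_vulnerable() and safe_feed_url() are assumed names and the test inputs are constructed. The fix is to validate the scheme and host before any stream function sees the value.

```php
<?php
declare(strict_types=1);

// Added example, not Feed Them Social code. fetch_feed_vulnerable() and
// safe_feed_url() are assumed names; the inputs below are constructed.

/** Vulnerable shape: whatever string arrives is handed straight to a filesystem call. */
function fetch_feed_vulnerable(string $ftsUrl)
{
    // On PHP 7.x a value like phar://wp-content/uploads/x.jpg/anything makes
    // file_exists() parse the archive and unserialize its metadata here.
    if (!file_exists($ftsUrl)) {
        return false;
    }
    return file_get_contents($ftsUrl);
}

/**
 * Hardened shape: the value must be an absolute http(s) URL with a host.
 * phar://, file://, data:, protocol-relative URLs and bare paths are all
 * rejected before any stream wrapper is consulted. Returns the URL or null.
 */
function safe_feed_url(string $ftsUrl): ?string
{
    $ftsUrl = trim($ftsUrl);
    // Control characters and NUL can truncate or confuse what a wrapper sees.
    if ($ftsUrl === '' || preg_match('/[\x00-\x1f\x7f]/', $ftsUrl)) {
        return null;
    }
    $parts = parse_url($ftsUrl);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // In WordPress the actual fetch should then go through wp_safe_remote_get(),
    // which never touches local stream wrappers and also blocks private hosts.
    return $ftsUrl;
}

// --- constructed inputs ---
$cases = [
    'https://example.com/feed.json',
    'HTTP://EXAMPLE.COM/feed',
    'phar://./wp-content/uploads/2022/07/avatar.jpg/x',
    'phar:///var/www/html/wp-content/uploads/evil.phar',
    'file:///etc/passwd',
    '//example.com/feed',
    '/wp-content/uploads/evil.phar',
    "https://example.com/feed\0phar://x",
];
foreach ($cases as $c) {
    printf("%-55s -> %s\n", addcslashes($c, "\0"), safe_feed_url($c) ?? 'rejected');
}
```

Only the first two inputs survive. Note that the check is an allow-list on scheme plus host, not a deny-list of "phar"; a deny-list misses case variants, other wrappers (glob://, compress.zlib://, php://) and future additions.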
CVE-2022-2245 – Counter Box < 1.2.1 - Arbitrary Counter Activation/Deactivation via CSRF
https://notcve.org/view.php?id=CVE-2022-2245
08 Jul 2022 — The Counter Box WordPress plugin before 1.2.1 lacks a CSRF check when activating and deactivating counters, which could allow attackers to make a logged-in admin perform such actions via CSRF attacks. • https://wpscan.com/vulnerability/33705003-1f82-4b0c-9b4b-d4de75da309c • CWE-352: Cross-Site Request Forgery (CSRF)
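Both CSRF entries on this page (CVE-2022-2381, the logo upload, and CVE-2022-2245, the counter toggle) come down to a state-changing admin action that accepts any request carrying the admin's session cookie. The defence is a nonce the attacker's page cannot know: a value derived from a server secret, the acting user, the specific action and a time window, checked with a constant-time comparison. The following is an added example, not code from either plugin; SECRET_KEY, NONCE_LIFE, the user ids and the action names are assumptions. It mirrors what wp_create_nonce()/wp_verify_nonce() (and check_admin_referer() for form handlers) do in WordPress.

```php
<?php
declare(strict_types=1);

// Added example, not Counter Box or E Unlocked code. SECRET_KEY, NONCE_LIFE,
// user ids and action names are assumptions for this demo.

const SECRET_KEY = 'constructed-secret-for-the-example-only';
const NONCE_LIFE = 12 * 3600;   // seconds; a tick is half of that, as in WordPress

function nonce_tick(int $now): int
{
    return (int) ceil($now / (NONCE_LIFE / 2));
}

/** Nonce bound to who is acting, what they are doing, and a time window. */
function create_nonce(int $userId, string $action, int $now): string
{
    $tick = nonce_tick($now);
    return substr(hash_hmac('sha256', "$tick|$action|$userId", SECRET_KEY), -12);
}

/** Accepts the current tick and the previous one so a form left open still works. */
function verify_nonce(string $nonce, int $userId, string $action, int $now): bool
{
    $tick = nonce_tick($now);
    foreach ([$tick, $tick - 1] as $t) {
        $expected = substr(hash_hmac('sha256', "$t|$action|$userId", SECRET_KEY), -12);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

/** Vulnerable handler: acts as soon as a request with the admin's session reaches it. */
function toggle_counter_vulnerable(int $userId, array $post, array &$counters): void
{
    $counters[(int) $post['id']] = $post['state'] === 'active';
}

/**
 * Hardened handler: same work, but only for a request carrying a nonce the
 * attacker's page could not have minted. The action string includes the
 * counter id, so a nonce for one counter cannot be replayed against another.
 */
function toggle_counter(int $userId, array $post, array &$counters, int $now): bool
{
    $action = 'toggle_counter_' . (int) $post['id'];
    if (!isset($post['_nonce']) || !verify_nonce($post['_nonce'], $userId, $action, $now)) {
        return false;   // WordPress would stop here with "The link you followed has expired."
    }
    $counters[(int) $post['id']] = $post['state'] === 'active';
    return true;
}

// --- demo: admin (user 1) owns counter 7, which is active ---
$counters = [7 => true];
$now = time();

// A cross-site form can only post fields it can guess.
$forged = ['id' => 7, 'state' => 'inactive'];
toggle_counter_vulnerable(1, $forged, $counters);            // the bug: counter 7 switched off
$counters[7] = true;
var_dump(toggle_counter(1, $forged, $counters, $now));       // no nonce: rejected, counter untouched

// The plugin's own admin page embeds a nonce minted for this user and counter.
$legit = $forged + ['_nonce' => create_nonce(1, 'toggle_counter_7', $now)];
var_dump(toggle_counter(1, $legit, $counters, $now));        // accepted

// The same nonce is useless for another user or another counter.
var_dump(verify_nonce($legit['_nonce'], 2, 'toggle_counter_7', $now));
var_dump(verify_nonce($legit['_nonce'], 1, 'toggle_counter_8', $now));
```

A nonce check is not an authorization check: the hardened handler above still assumes the caller's capability was verified by the admin page that rendered the form, and in WordPress both current_user_can() and check_admin_referer() belong in the handler.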
CVE-2022-33965 – WordPress WP Visitor Statistics plugin <= 5.7 - Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities
https://notcve.org/view.php?id=CVE-2022-33965
06 Jul 2022 — Multiple unauthenticated SQL Injection (SQLi) vulnerabilities in Osamaesh's WP Visitor Statistics plugin <= 5.7 for WordPress. The WP Visitor Statistics (Real Time Traffic) plugin for WordPress is vulnerable to SQL Injection via the 'refUrl' parameter in versions up to, and including, 5.7 due to insufficient escaping on the user... • https://patchstack.com/database/vulnerability/wp-stats-manager/wordpress-wp-visitor-statistics-plugin-5-7-multiple-unauthenticated-sql-injection-sqli-vulnerabilities • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
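Four entries on this page (CVE-2022-2460, CVE-2022-1950, CVE-2022-2269 and CVE-2022-33965) describe the same defect: a request value is concatenated into SQL text instead of being passed as a bound parameter. Whether the entry point is an AJAX action registered for unauthenticated users (wp_ajax_nopriv_*, as in the Youzify case), a public statistics endpoint (refUrl) or an admin-only action, the fix is the same. The following is an added example, not code from any of these plugins: PDO with an in-memory SQLite database stands in for $wpdb, the visitors table, the wp_users rows and the payload are constructed, and the WordPress equivalent of the prepared statement is $wpdb->prepare('... WHERE ref_url = %s', $refUrl).

```php
<?php
declare(strict_types=1);

// Added example, not plugin code. Table/column names, rows and the payload
// are constructed; PDO+SQLite stands in for $wpdb.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE visitors (id INTEGER PRIMARY KEY, ref_url TEXT, ip TEXT)');
    $db->exec("INSERT INTO visitors (ref_url, ip) VALUES
               ('https://a.example/', '10.0.0.1'), ('https://b.example/', '10.0.0.2')");
    $db->exec('CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)');
    $db->exec("INSERT INTO wp_users (user_login, user_pass) VALUES ('admin', 'constructed-hash')");
    return $db;
}

/** Vulnerable shape: the request value becomes part of the SQL text. */
function ips_by_ref_vulnerable(PDO $db, string $refUrl): array
{
    $sql = "SELECT ip FROM visitors WHERE ref_url = '" . $refUrl . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * Hardened shape: the value travels as a bound parameter and can only ever
 * be compared against ref_url; it cannot change the statement's structure.
 * In WordPress: $wpdb->get_col($wpdb->prepare(
 *     "SELECT ip FROM {$wpdb->prefix}visitors WHERE ref_url = %s", $refUrl));
 */
function ips_by_ref(PDO $db, string $refUrl): array
{
    $stmt = $db->prepare('SELECT ip FROM visitors WHERE ref_url = ?');
    $stmt->execute([$refUrl]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = make_db();

// Constructed unauthenticated payload: closes the string literal, appends a
// UNION that reads a table the endpoint never meant to expose, and comments
// out the trailing quote.
$payload = "' UNION SELECT user_login || ':' || user_pass FROM wp_users -- ";

print_r(ips_by_ref_vulnerable($db, 'https://a.example/'));   // honest lookup
print_r(ips_by_ref_vulnerable($db, $payload));               // credentials come back through the ip column
print_r(ips_by_ref($db, $payload));                          // no referrer equals the payload string
```

Escaping (esc_sql() in WordPress) only helps for values inside quoted string literals; identifiers, ORDER BY columns, LIMIT numbers and IN (...) lists still need allow-listing or type casting, which is why the advisories speak of both sanitising and escaping.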
CVE-2022-2317 – Simple Membership < 4.1.3 - Unauthenticated Membership Privilege Escalation
https://notcve.org/view.php?id=CVE-2022-2317
06 Jul 2022 — The Simple Membership WordPress plugin before 4.1.3 allows users to change their membership level at the registration stage due to insufficient checking of a user-supplied parameter. The Simple Membership plugin for WordPress is vulnerable to membership related privilege escalati... • https://wpscan.com/vulnerability/77b7ca19-294c-4480-8f57-6fddfc67fffb • CWE-269: Improper Privilege Management
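The Simple Membership entry describes a registration handler that lets the request decide which membership the new account receives. The following is an added example, not Simple Membership code: the level ids, the self_join flag, the form catalogue and the parameter names membership_level and form_id are all constructed for this demo. It shows the tampered hidden field being honoured, then a handler that resolves the level server-side and accepts a user choice only from the set the form actually offers.

```php
<?php
declare(strict_types=1);

// Added example, not Simple Membership code. Level ids, flags, form ids and
// parameter names are constructed for this demo.

// Server-side catalogue. Only levels flagged self_join may ever be taken at
// sign-up; 'premium' is granted by an admin or after payment.
const LEVELS = [
    2 => ['name' => 'free',    'self_join' => true],
    3 => ['name' => 'premium', 'self_join' => false],
    4 => ['name' => 'trial',   'self_join' => true],
];

// Each public registration form is configured by the admin with the levels
// it offers. The browser never sees this mapping, only the form id.
const REGISTRATION_FORMS = [
    'default' => [2, 4],
];

/** Vulnerable shape: a hidden field picks the level. Edit it to 3 in the browser and you are premium. */
function register_vulnerable(array $post): array
{
    $level = (int) ($post['membership_level'] ?? 2);
    return ['login' => $post['login'], 'level' => $level];
}

/**
 * Hardened shape: the form id selects a server-side list of offered levels;
 * the user's choice is accepted only if it is in that list and the level is
 * self-joinable. Anything else is refused rather than silently downgraded,
 * so a tampering attempt is visible in the logs.
 */
function register(array $post): ?array
{
    $formId = (string) ($post['form_id'] ?? 'default');
    if (!isset(REGISTRATION_FORMS[$formId])) {
        return null;
    }
    $offered = REGISTRATION_FORMS[$formId];
    $level   = isset($post['membership_level']) ? (int) $post['membership_level'] : $offered[0];
    if (!in_array($level, $offered, true) || empty(LEVELS[$level]['self_join'])) {
        return null;
    }
    return ['login' => $post['login'], 'level' => $level];
}

// --- constructed requests ---
$honest   = ['login' => 'alice',   'form_id' => 'default', 'membership_level' => '4'];
$tampered = ['login' => 'mallory', 'form_id' => 'default', 'membership_level' => '3'];
$unknown  = ['login' => 'mallory', 'form_id' => 'does-not-exist', 'membership_level' => '2'];

print_r(register_vulnerable($tampered));   // the bug: level 3 handed out at registration
var_dump(register($tampered));             // refused
print_r(register($honest));                // trial, an offered self-join level
var_dump(register($unknown));              // refused: unknown form
```

The general rule is that any entitlement-bearing value (level, role, price, discount) is looked up from server-side configuration keyed by something the client may legitimately choose, and the client's value is at most an index into an allow-list, never the entitlement itself.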