Wordfence Intelligence CE Weekly Vulnerability Report (Feb 13, 2023 to Feb 19, 2023)

Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence Community Edition. This database is continuously updated, maintained, and populated by Wordfences highly credentialed and experienced...

CVE-2022-47770

Serenissima Informatica Fast Checkin version v1.0 is vulnerable to Unauthenticated SQL Injection...

CVE-2022-47770

CVE-2022-47770 affects Serenissima Informatica Fast Checkin v1.0 and is due to an Unauthenticated SQL Injection vulnerability. The issue exposes high-severity impact across confidentiality, integrity, and availability (CVSS v3.1 base score 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Documented det...

VulnCheck KEV: CVE-2023-23488

The Paid Memberships Pro WordPress Plugin, version 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route...

CVE-2022-4297

The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an unauthenticated SQL injection...

CVE-2022-4059 Cryptocurrency Widgets Pack < 2.0 - Unauthenticated SQLi

The Cryptocurrency Widgets Pack WordPress plugin before 2.0 does not sanitise and escape some parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection...

CVE-2022-4117

The IWS WordPress plugin through 1.0 does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection...

CVE-2022-4117 IWS - Geo Form Fields <= 1.0 - Unauthenticated SQLi

The IWS WordPress plugin through 1.0 does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection...

CVE-2022-45822

Unauth. SQL Injection SQLi vulnerability in Advanced Booking Calendar plugin = 1.7.1 on WordPress...

Contest Gallery < 19.1.5.1 - Unauthenticated SQL Injection

The plugins do not escape the userid POST parameter before concatenating it to an SQL query in ajax-functions-backend.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. POST /wp-admin/admin-ajax.php HTTP/1.1 Host:...

Eyes Of Network (EON) <= 5.3.11 Multiple Vulnerabilities

Eyes Of Network EON is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

CVE-2022-2177

Kayrasoft product before version 2 has an unauthenticated SQL Injection vulnerability. This is fixed in version 2...

WordPress Youzify plugin <= 1.1.9 - Unauthenticated SQL Injection (SQLi) vulnerability

Unauthenticated SQL Injection SQLi vulnerability discovered by cydave in WordPress Youzify plugin versions = 1.1.9. Solution Update the WordPress Youzify plugin to the latest available version at least 1.2.0...

CVE-2022-1453 RSVPMaker <= 9.2.5 - Unauthenticated SQL Injection

The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-util.php file. This makes it possible for unauthenticated attackers to steal sensitive information from t...

CVE-2022-0771

The SiteSuperCharger WordPress plugin before 5.2.0 does not validate, sanitise and escape various user inputs before using them in SQL statements via AJAX actions available to both unauthenticated and authenticated users, leading to Unauthenticated SQL Injections...

Nirweb support < 2.8.2 - Unauthenticated SQLi

The plugin does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an SQL injection curl https://example.com/wp-admin/admin-ajax.php --data 'action=answerdticket&idform=1 UNION ALL SELECT NULL,NULL,SELECT userpa...

CVE-2022-0657

The 5 Stars Rating Funnel WordPress Plugin | RRatingg WordPress plugin before 1.2.54 does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtnggdeleteleads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection...

CVE-2022-0657

The 5 Stars Rating Funnel WordPress Plugin | RRatingg WordPress plugin before 1.2.54 does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtnggdeleteleads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection...

CVE-2022-0782

CVE-2022-0782 affects the WordPress Donations plugin (versions up to 1.8). The root cause is improper sanitisation/escaping of the nd_donations_id parameter, which is used unsafely in an SQL statement inside the unauthenticated AJAX action nd_donations_single_cause_form_validate_fields_php_functi...

WordPress Order Listener for WooCommerce plugin <= 3.2.1 - Unauthenticated SQL Injection (SQLi) vulnerability

Unauthenticated SQL Injection SQLi vulnerability discovered by cydave in WordPress Order Listener for WooCommerce plugin versions = 3.2.1. Solution Update the WordPress Order Listener for WooCommerce plugin to the latest available version at least 3.2.2...