Lucene search
K

12 matches found

RedhatCVE
RedhatCVE
added 2026/01/09 10:45 a.m.6 views

CVE-2022-0429

The WP Cerber Security, Anti-spam & Malware Scan WordPress plugin before 8.9.6 does not sanitise the $url variable before using it in an attribute in the Activity tab in the plugins dashboard, leading to an unauthenticated stored Cross-Site Scripting vulnerability...

6.1CVSS6AI score0.01378EPSS
Exploits2References1
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2022-25072

Malicious code in bioql PyPI...

5.4CVSS5.5AI score0.00292EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2025/05/23 9:49 a.m.6 views

CVE-2024-7687

The AZIndex WordPress plugin through 0.8.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

6.1CVSS5.8AI score0.00172EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/23 6:37 a.m.8 views

CVE-2024-6017

The Music Request Manager WordPress plugin through 1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

6.1CVSS5.6AI score0.00177EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/22 10:12 p.m.6 views

CVE-2022-1818

The Multi-page Toolkit WordPress plugin through 2.6 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping as well...

5.4CVSS6AI score0.00292EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2025/05/22 9:3 p.m.7 views

CVE-2021-24555

The daacdeletebookingcallback function, hooked to the daacdeletebooking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and...

8.8CVSS7.8AI score0.00821EPSS
Exploits2References1
NVD
NVD
added 2025/02/04 6:15 a.m.15 views

CVE-2024-13115

The WP Projects Portfolio with Client Testimonials WordPress plugin through 3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...

6.1CVSS0.00173EPSS
Exploits1References1
Prion
Prion
added 2024/01/16 4:15 p.m.14 views

Cross site request forgery (csrf)

The Coru LFMember WordPress plugin through 1.0.2 does not have CSRF check in place when adding a new game, and is lacking sanitisation as well as escaping in their settings, allowing attacker to make a logged in admin add an arbitrary game with XSS payloads...

5.8CVSS6.3AI score0.00266EPSS
Exploits2References1Affected Software1
OSV
OSV
added 2022/11/21 11:15 a.m.4 views

CVE-2022-0421

The Five Star Restaurant Reservations WordPress plugin before 2.4.12 does not have authorisation when changing whether a payment was successful or failed, allowing unauthenticated users to change the payment status of arbitrary bookings. Furthermore, due to the lack of sanitisation and escaping,...

6.1CVSS5.9AI score0.00528EPSS
Exploits1References1
WPVulnDB
WPVulnDB
added 2022/09/08 12:0 a.m.20 views

Zephyr Project Manager < 3.2.55 - Unauthorised AJAX Calls To Stored XSS

The plugin does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks...

5.4CVSS2.1AI score0.00381EPSS
Exploits2Affected Software1
ATTACKERKB
ATTACKERKB
added 2022/06/20 11:15 a.m.5 views

CVE-2022-1829

The Inline Google Maps WordPress plugin through 5.11 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping...

6.5CVSS6.6AI score0.00513EPSS
Exploits2References2
WPVulnDB
WPVulnDB
added 2022/05/31 12:0 a.m.16 views

WP Sentry <= 1.0 - Arbitrary Settings Update to Stored XSS via CSRF

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping as well PoC...

4.3CVSS3.7AI score0.00412EPSS
Exploits2Affected Software1
Rows per page
Query Builder