CVE-2022-25576

Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery CSRF via the component anchor/routes/posts.php. This vulnerability allows attackers to arbitrarily delete posts...

CVE-2022-46814

Cross-Site Request Forgery CSRF vulnerability in Pierre Lebedel Kodex Posts likes plugin = 2.4.3 versions...

CVE-2022-28422

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php=edit...

CVE-2022-2535

The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not ensure that users making a live search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink...

CVE-2022-41612

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Shareaholic Similar Posts plugin = 3.1.6 versions...

CVE-2022-4680

The Revive Old Posts WordPress plugin before 9.0.11 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present...

CVE-2022-43468

External initialization of trusted variables or data stores vulnerability exists in WordPress Popular Posts 6.0.5 and earlier, therefore the vulnerable product accepts untrusted external inputs to update certain internal variables. As a result, the number of views for an article may be manipulate...

CVE-2022-1779

The Auto Delete Posts WordPress plugin through 1.3.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and delete specific posts, categories and attachments at once...

CVE-2022-1239

The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the editposts capability by default contributor and above to perform SSRF attacks...

CVE-2022-4024

The Registration Forms WordPress plugin before 3.8.1.3 does not have authorisation and CSRF when deleting users via an init action handler, allowing unauthenticated attackers to delete arbitrary users along with their posts...

CVE-2022-28423

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/posts.php=delete...

CVE-2022-1387

The No Future Posts WordPress plugin through 1.4 does not escape its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfilteredhtml is disallowed...

CVE-2022-44738

Improper Neutralization of Formula Elements in a CSV File vulnerability in Patrick Robrecht Posts and Users Stats.This issue affects Posts and Users Stats: from n/a through 1.1.3...

CVE-2022-2223

The WordPress plugin Image Slider is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.1.121 due to failure to properly check for the existence of a nonce in the function ewicduplicateslider. This make it possible for unauthenticated attackers to duplicate existing posts...

CVE-2022-46818

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Gopi Ramasamy Email posts to subscribers allows SQL Injection.This issue affects Email posts to subscribers: from n/a through 6.2...

CVE-2021-24840

The Squaretype WordPress theme before 3.0.4 allows unauthenticated users to manipulate the queryvars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a result, private and scheduled posts could be retrieved via a crafted request...

CVE-2021-24868

The Document Embedder WordPress plugin before 1.7.9 contains a AJAX action endpoint, which could allow any authenticated user, such as subscriber to enumerate the title of arbitrary private and draft posts...

CVE-2021-24881

The Passster WordPress plugin before 3.5.5.9 does not properly check for password, as well as that the post to be viewed is public, allowing unauthenticated users to bypass the protection offered by the plugin, and access arbitrary posts such as private content, by sending a specifically crafted...

CVE-2021-24948

The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tpgetdlpostinfoajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts...

CVE-2021-20746

Cross-site scripting vulnerability in WordPress Popular Posts 5.3.2 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors...