CVE's - CVE Vulnerability

CVE

Vendors

Products

Updated

CVSS v2

CVSS v3

CVE-2022-0446

2022-08-23

N/A

4.8 MEDIUM

The Simple Banner WordPress plugin before 2.12.0 does not properly sanitize its "Simple Banner Text" Settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2022-0445

Devowl, Wordpress Real Cookie Banner

Real_media_library, Wordpress_real_cookie_banner, Wordpress_real_media_library

2022-03-11

N/A

6.5 MEDIUM

The WordPress Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent WordPress plugin before 2.14.2 does not have CSRF checks in place when resetting its settings, allowing attackers to make a logged in admin reset them via a CSRF attack

CVE-2022-0444

2022-07-07

N/A

4.3 MEDIUM

The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key.

CVE-2022-0443

2022-12-13

N/A

7.8 HIGH

Use After Free in GitHub repository vim/vim prior to 8.2.

CVE-2022-0442

2022-03-11

N/A

4.3 MEDIUM

The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged in user to overwrite another users avatar.

CVE-2022-0441

2022-03-11

N/A

9.8 CRITICAL

The MasterStudy LMS WordPress plugin before 2.7.6 does to validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin

CVE-2022-0440

2022-04-12

N/A

7.2 HIGH

The Catch Themes Demo Import WordPress plugin before 2.1.1 does not validate one of the file to be imported, which could allow high privivilege admin to upload an arbitrary PHP file and gain RCE even in the case of an hardened blog (ie DISALLOW_UNFILTERED_HTML, DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants set to true)

CVE-2022-0439

2022-03-11

N/A

8.8 HIGH

The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the `order` and `orderby` parameters to the `ajax_fetch_report_list` action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. Further, it does not have any CSRF protection in place for the action, allowing an attacker to trick any logged in user to perform the action by clicking a link.

CVE-2022-0437

2022-02-10

N/A

6.1 MEDIUM

Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14.

CVE-2022-0436

2022-04-20

N/A

5.5 MEDIUM

Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.

« Previous 1 … 11,052 11,053 11,054 11,055 11,056 … 11,258 Next »