Total
6079 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-40131 | 1 A3rev | 1 Page View Count | 2024-11-21 | N/A | 5.4 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in a3rev Software Page View Count plugin <= 2.5.5 on WordPress allows an attacker to reset the plugin settings. | |||||
| CVE-2022-40128 | 1 Algolplus | 1 Advanced Order Export For Woocommerce | 2024-11-21 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin <= 3.3.2 on WordPress leading to export file download. | |||||
| CVE-2022-3999 | 1 Dpdgroup | 1 Woocommerce Shipping | 2024-11-21 | N/A | 8.1 HIGH |
| The DPD Baltic Shipping WordPress plugin before 1.2.57 does not have authorisation and CSRF in an AJAX action, which could allow any authenticated users, such as subscriber to delete arbitrary options from the blog, which could make the blog unavailable. | |||||
| CVE-2022-3978 | 1 Nodebb | 1 Nodebb | 2024-11-21 | N/A | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, was found in NodeBB up to 2.5.7. This affects an unknown part of the file /register/abort. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 2.5.8 is able to address this issue. The name of the patch is 2f9d8c350e54543f608d3d4c8e1a49bbb6cdea38. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-213555. | |||||
| CVE-2022-3946 | 1 Collne | 1 Welcart E-commerce | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Welcart e-Commerce WordPress plugin before 2.8.4 does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods. | |||||
| CVE-2022-3926 | 1 Wp-oauth | 1 Wp Oauth Server | 2024-11-21 | N/A | 6.5 MEDIUM |
| The WP OAuth Server (OAuth Authentication) WordPress plugin before 3.4.2 does not have CSRF check when regenerating secrets, which could allow attackers to make logged in admins regenerate the secret of an arbitrary client given they know the client ID | |||||
| CVE-2022-3899 | 1 3dprint Project | 1 3dprint | 2024-11-21 | N/A | 8.1 HIGH |
| The 3dprint WordPress plugin before 3.5.6.9 does not protect against CSRF attacks in the modified version of Tiny File Manager included with the plugin, allowing an attacker to craft a malicious request that will delete any number of files or directories on the target server by tricking a logged in admin into submitting a form. | |||||
| CVE-2022-3898 | 1 Wp Affiliate Platform Project | 1 Wp Affiliate Platform | 2024-11-21 | N/A | 8.8 HIGH |
| The WP Affiliate Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.9. This is due to missing or incorrect nonce validation on various functions including the affiliates_menu method. This makes it possible for unauthenticated attackers to delete affiliate records, via forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-3883 | 1 Stopbadbots Project | 1 Stopbadbots | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 7.24 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org | |||||
| CVE-2022-3882 | 1 Wp-memory Project | 1 Wp-memory | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Memory Usage, Memory Limit, PHP and Server Memory Health Check and Fix Plugin WordPress plugin before 2.46 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org | |||||
| CVE-2022-3881 | 1 Wptools Project | 1 Wptools | 2024-11-21 | N/A | 5.7 MEDIUM |
| The WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log WordPress plugin before 3.43 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org | |||||
| CVE-2022-3880 | 1 Antihacker Project | 1 Antihacker | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan WordPress plugin before 4.20 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org | |||||
| CVE-2022-3879 | 1 Car Dealer Project | 1 Car Dealer | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Car Dealer (Dealership) and Vehicle sales WordPress Plugin WordPress plugin before 3.05 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org | |||||
| CVE-2022-3853 | 1 Supra-csv-parser Project | 1 Supra-csv-parser | 2024-11-21 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in a web browser of the victim by including malicious code in a legitimate web page or web application. | |||||
| CVE-2022-3750 | 1 Inkthemes | 1 Ask Me | 2024-11-21 | N/A | 4.7 MEDIUM |
| The has a CSRF vulnerability that allows the deletion of a post without using a nonce or prompting for confirmation. | |||||
| CVE-2022-3747 | 1 Muffingroup | 1 Becustom | 2024-11-21 | N/A | 8.8 HIGH |
| The Becustom plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.5.2. This is due to missing nonce validation when saving the plugin's settings. This makes it possible for unauthenticated attackers to update the plugin's settings like betheme_url_slug, replaced_theme_author, and betheme_label to name a few, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-3632 | 1 Digitialpixies | 1 Oauth Client | 2024-11-21 | N/A | 6.5 MEDIUM |
| The OAuth Client by DigitialPixies WordPress plugin through 1.1.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions. | |||||
| CVE-2022-3585 | 1 Oretnom23 | 1 Simple Cold Storage Management System | 2024-11-21 | N/A | 4.3 MEDIUM |
| A vulnerability classified as problematic has been found in SourceCodester Simple Cold Storage Management System 1.0. Affected is an unknown function of the file /csms/?page=contact_us of the component Contact Us. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-211194 is the identifier assigned to this vulnerability. | |||||
| CVE-2022-3582 | 1 Oretnom23 | 1 Simple Cold Storage Management System | 2024-11-21 | N/A | 4.3 MEDIUM |
| A vulnerability has been found in SourceCodester Simple Cold Storage Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument change password leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-211189 was assigned to this vulnerability. | |||||
| CVE-2022-3568 | 1 Orangelab | 1 Imagemagick Engine | 2024-11-21 | N/A | 8.8 HIGH |
| The ImageMagick Engine plugin for WordPress is vulnerable to deserialization of untrusted input via the 'cli_path' parameter in versions up to, and including 1.7.5. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload. | |||||