Total
6080 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3568 | 1 Orangelab | 1 Imagemagick Engine | 2024-11-21 | N/A | 8.8 HIGH |
| The ImageMagick Engine plugin for WordPress is vulnerable to deserialization of untrusted input via the 'cli_path' parameter in versions up to, and including 1.7.5. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload. | |||||
| CVE-2022-3538 | 1 Webmaster Tools Verification Project | 1 Webmaster Tools Verification | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Webmaster Tools Verification WordPress plugin through 1.2 does not have authorisation and CSRF checks when disabling plugins, allowing unauthenticated users to disable arbitrary plugins | |||||
| CVE-2022-3537 | 1 Addify | 1 Role Based Pricing For Woocommerce | 2024-11-21 | N/A | 8.8 HIGH |
| The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP | |||||
| CVE-2022-3536 | 1 Addify | 1 Role Based Pricing For Woocommerce | 2024-11-21 | N/A | 8.8 HIGH |
| The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog | |||||
| CVE-2022-3489 | 1 Weberge | 1 Wp Hide | 2024-11-21 | N/A | 5.3 MEDIUM |
| The WP Hide WordPress plugin through 0.0.2 does not have authorisation and CSRF checks in place when updating the custom_wpadmin_slug settings, allowing unauthenticated attackers to update it with a crafted request | |||||
| CVE-2022-3451 | 1 Addify | 1 Product Stock Manager | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Product Stock Manager WordPress plugin before 1.0.5 does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow to update arbitrary options | |||||
| CVE-2022-3419 | 1 Addify | 1 Automatic User Roles Switcher | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Automatic User Roles Switcher WordPress plugin before 1.1.2 does not have authorisation and proper CSRF checks, allowing any authenticated users like subscriber to add any role to themselves, such as administrator | |||||
| CVE-2022-3372 | 1 Riello-ups | 2 Netman 204, Netman 204 Firmware | 2024-11-21 | N/A | 8.8 HIGH |
| There is a CSRF vulnerability on Netman-204 version 02.05. An attacker could manage to change administrator passwords through a Cross Site Request Forgery due to the lack of proper validation on the CRSF token. This vulnerability could allow a remote attacker to access the administrator panel, being able to modify different parameters that are critical for industrial operations. | |||||
| CVE-2022-3274 | 1 Ikus-soft | 1 Rdiffweb | 2024-11-21 | N/A | 3.5 LOW |
| Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.7. | |||||
| CVE-2022-3267 | 1 Ikus-soft | 1 Rdiffweb | 2024-11-21 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.6. | |||||
| CVE-2022-3240 | 1 Follow Me Plugin Project | 1 Follow Me Plugin | 2024-11-21 | N/A | 8.8 HIGH |
| The "Follow Me Plugin" plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1.1. This is due to missing nonce validation on the FollowMeIgniteSocialMedia_options_page() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2022-3233 | 1 Ikus-soft | 1 Rdiffweb | 2024-11-21 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.6. | |||||
| CVE-2022-3232 | 1 Ikus-soft | 1 Rdiffweb | 2024-11-21 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.5. | |||||
| CVE-2022-3221 | 1 Ikus-soft | 1 Rdiffweb | 2024-11-21 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.3. | |||||
| CVE-2022-3208 | 1 Simplefilelist | 1 Simple-file-list | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Simple File List WordPress plugin before 4.4.12 does not implement nonce checks, which could allow attackers to make a logged in admin create new page and change it's content via a CSRF attack. | |||||
| CVE-2022-3154 | 3 Integration For Billingo \& Gravity Forms Project, Integration For Szamlazz.hu \& Gravity Forms Project, Woo Billingo Plus Project | 3 Integration For Billingo \& Gravity Forms, Integration For Szamlazz.hu \& Gravity Forms, Woo Billingo Plus | 2024-11-21 | N/A | 7.1 HIGH |
| The Woo Billingo Plus WordPress plugin before 4.4.5.4, Integration for Billingo & Gravity Forms WordPress plugin before 1.0.4, Integration for Szamlazz.hu & Gravity Forms WordPress plugin before 1.2.7 are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin's license | |||||
| CVE-2022-3151 | 1 Wp Custom Cursors Project | 1 Wp Custom Cursors | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WP Custom Cursors WordPress plugin before 3.0.1 does not have CSRF check in place when deleting cursors, which could allow attackers to made a logged in admin delete arbitrary cursors via a CSRF attack. | |||||
| CVE-2022-3149 | 1 Wp Custom Cursors Project | 1 Wp Custom Cursors | 2024-11-21 | N/A | 6.1 MEDIUM |
| The WP Custom Cursors WordPress plugin before 3.0.1 does not have CSRF check in place when creating and editing cursors, which could allow attackers to made a logged in admin perform such actions via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping in some of the cursor options, it could also lead to Stored Cross-Site Scripting | |||||
| CVE-2022-3126 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Frontend File Manager Plugin WordPress plugin before 21.4 does not have CSRF check when uploading files, which could allow attackers to make logged in users upload files on their behalf | |||||
| CVE-2022-3121 | 1 Online Employee Leave Management System Project | 1 Online Employee Leave Management System | 2024-11-21 | N/A | 4.3 MEDIUM |
| A vulnerability was found in SourceCodester Online Employee Leave Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/addemployee.php. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The identifier VDB-207853 was assigned to this vulnerability. | |||||