Vulnerabilities

| Date | CVE | Vulnerability title | Description | Attack vector | Attack complexity | Vendor | CWE | Risk |
|---|---|---|---|---|---|---|---|---|
| 2024-01-16 | CVE-2022-1617 | Cross-Site Request Forgery (CSRF) vulnerability in Usabilitydynamics Wp-Invoice | The WP-Invoice WordPress plugin through 4.3.1 does not have a CSRF check in place when updating its settings, and is lacking sanitisation as well as escaping in some of them, allowing an attacker to make a logged-in admin change them and add an XSS payload to them. | network | low complexity | usabilitydynamics | CWE-352 | 6.1 |
| 2024-01-16 | CVE-2022-1618 | Cross-Site Request Forgery (CSRF) vulnerability in Marcorulicke Coru Lfmember 1.0.2 | The Coru LFMember WordPress plugin through 1.0.2 does not have a CSRF check in place when adding a new game, and is lacking sanitisation as well as escaping in its settings, allowing an attacker to make a logged-in admin add an arbitrary game with XSS payloads. | network | low complexity | marcorulicke | CWE-352 | 6.1 |
| 2024-01-16 | CVE-2022-1760 | Cross-Site Request Forgery (CSRF) vulnerability in Dd32 Core Control | The Core Control WordPress plugin through 1.2.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. | network | low complexity | dd32 | CWE-352 | 4.3 |
| 2024-01-16 | CVE-2022-23179 | Cross-site Scripting vulnerability in Themehunk Contact Form & Lead Form Elementor Builder | The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.0 does not escape some of its form fields before outputting them in attributes, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | network | low complexity | themehunk | CWE-79 | 4.8 |
| 2024-01-16 | CVE-2022-23180 | Missing Authorization vulnerability in Themehunk Contact Form & Lead Form Elementor Builder | The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.4 does not have authorisation and nonce checks, which could allow any authenticated user, such as a subscriber, to update and change various settings. | network | low complexity | themehunk | CWE-862 | 4.3 |
| 2024-01-16 | CVE-2022-2413 | Cross-site Scripting vulnerability in Simonpedge Slide Anything | The Slide Anything WordPress plugin before 2.3.47 does not properly sanitize or escape the slide title before outputting it in the admin pages, allowing a logged-in user with a role as low as Author to inject a JavaScript payload into the slide title even when the unfiltered_html capability is disabled. | network | low complexity | simonpedge | CWE-79 | 5.4 |
| 2024-01-16 | CVE-2022-3194 | Cross-site Scripting vulnerability in Wedevs Dokan | The Dokan WordPress plugin before 3.6.4 allows vendors to inject arbitrary JavaScript in product reviews, which may allow them to run stored XSS attacks against other users such as site administrators. | network | low complexity | wedevs | CWE-79 | 5.4 |
| 2024-01-16 | CVE-2022-3604 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Crmperks Database for Contact Form 7, Wpforms, Elementor Forms | The Contact Form Entries WordPress plugin before 1.3.0 does not validate data when it is output in a CSV file, which could lead to CSV injection. | local | low complexity | crmperks | CWE-1236 | 7.8 |
| 2024-01-16 | CVE-2022-3739 | Cross-site Scripting vulnerability in Subina WP Best Quiz 1.0 | The WP Best Quiz WordPress plugin through 1.0 does not sanitize and escape some parameters, which could allow users with a role as low as Author to perform Cross-Site Scripting attacks. | network | low complexity | subina | CWE-79 | 5.4 |
| 2024-01-16 | CVE-2022-3764 | SQL Injection vulnerability in Wpvibes Form Vibes | The plugin does not filter the "delete_entries" parameter from user requests, leading to an SQL Injection vulnerability. | network | low complexity | wpvibes | CWE-89 | 7.2 |