Total
38395 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-2567 | 1 Codepeople | 1 Form Builder Cp | 2024-11-21 | N/A | 4.8 MEDIUM |
| The Form Builder CP WordPress plugin before 1.2.32 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2022-2565 | 1 Paymattic | 1 Simple Payment Donations \& Subscriptions | 2024-11-21 | N/A | 7.2 HIGH |
| The Simple Payment Donations & Subscriptions WordPress plugin before 4.2.1 does not sanitise and escape user input given in its forms, which could allow unauthenticated attackers to perform Cross-Site Scripting attacks against admins | |||||
| CVE-2022-2538 | 1 Nsp-code | 1 Wp Hide \& Security Enhancer | 2024-11-21 | N/A | 6.1 MEDIUM |
| The WP Hide & Security Enhancer WordPress plugin before 1.8 does not escape a parameter before outputting it back in an attribute of a backend page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-2537 | 1 Wpovernight | 1 Woocommerce Pdf Invoices\& Packing Slips | 2024-11-21 | N/A | 6.1 MEDIUM |
| The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 3.0.1 does not sanitise and escape some parameters before outputting them back in an attributes of an admin page, leading to Reflected Cross-Site Scripting. | |||||
| CVE-2022-2532 | 1 Slickremix | 1 Feed Them Social | 2024-11-21 | N/A | 6.1 MEDIUM |
| The Feed Them Social WordPress plugin before 3.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2022-2523 | 1 Fava Project | 1 Fava | 2024-11-21 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/fava prior to 1.22.2. | |||||
| CVE-2022-2517 | 1 Fastlinemedia | 1 Beaver Builder | 2024-11-21 | N/A | 6.4 MEDIUM |
| The Beaver Builder – WordPress Page Builder for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Caption - On Hover' value associated with images in versions up to, and including, 2.5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the Beaver Builder editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2022-2516 | 1 Visualcomposer | 1 Visual Composer Website Builder | 2024-11-21 | N/A | 6.4 MEDIUM |
| The Visual Composer Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post/page 'Title' value in versions up to, and including, 45.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the visual composer editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2022-2514 | 1 Fava Project | 1 Fava | 2024-11-21 | N/A | 6.1 MEDIUM |
| The time and filter parameters in Fava prior to v1.22 are vulnerable to reflected XSS due to the lack of escaping of error messages which contained the parameters in verbatim. | |||||
| CVE-2022-2511 | 1 Hallowelt | 1 Bluespice | 2024-11-21 | N/A | 4.3 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in the "commonuserinterface" component of BlueSpice allows an attacker to inject arbitrary HTML into a page using the title parameter of the call URL. | |||||
| CVE-2022-2510 | 1 Hallowelt | 1 Bluespice | 2024-11-21 | N/A | 4.3 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in "Extension:ExtendedSearch" of Hallo Welt! GmbH BlueSpice allows attacker to inject arbitrary HTML (XSS) on page "Special:SearchCenter", using the search term in the URL. | |||||
| CVE-2022-2500 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 4.4 MEDIUM |
| A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, 15.1 prior to 15.1.4, and 15.2 prior to 15.2.1. A stored XSS flaw in job error messages allows attackers to perform arbitrary actions on behalf of victims at client side. | |||||
| CVE-2022-2495 | 1 Microweber | 1 Microweber | 2024-11-21 | N/A | 4.8 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.21. | |||||
| CVE-2022-2494 | 1 Open-emr | 1 Openemr | 2024-11-21 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.0. | |||||
| CVE-2022-2470 | 1 Microweber | 1 Microweber | 2024-11-21 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21. | |||||
| CVE-2022-2448 | 1 Resmush.it | 1 Resmush.it Image Optimizer | 2024-11-21 | N/A | 4.8 MEDIUM |
| The reSmush.it WordPress plugin before 0.4.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |||||
| CVE-2022-2430 | 1 Visualcomposer | 1 Visual Composer Website Builder | 2024-11-21 | N/A | 6.4 MEDIUM |
| The Visual Composer Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Text Block' feature in versions up to, and including, 45.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with access to the visual composer editor to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2022-2426 | 1 Thinkific | 1 Thinkific Uploader | 2024-11-21 | N/A | 4.8 MEDIUM |
| The Thinkific Uploader WordPress plugin through 1.0.0 does not sanitise and escape its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks against other administrators. | |||||
| CVE-2022-2425 | 1 Wp Ds Blog Map Project | 1 Wp Ds Blog Map | 2024-11-21 | N/A | 4.8 MEDIUM |
| The WP DS Blog Map WordPress plugin through 3.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2022-2424 | 1 Google Maps Anywhere Project | 1 Google Maps Anywhere | 2024-11-21 | N/A | 4.8 MEDIUM |
| The Google Maps Anywhere WordPress plugin through 1.2.6.3 does not sanitise and escape any of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||