Total
4661 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-2461 | 1 Transposh | 1 Transposh Wordpress Translation | 2024-11-21 | N/A | 5.3 MEDIUM |
| The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.8.1. This is due to insufficient permissions checking on the 'tp_translation' AJAX action and default settings which makes it possible for unauthenticated attackers to influence the data shown on the site. | |||||
| CVE-2022-2459 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 2.7 LOW |
| An issue has been discovered in GitLab EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for email invited members to join a project even after the Group Owner has enabled the setting to prevent members from being added to projects in a group, if the invite was sent before the setting was enabled. | |||||
| CVE-2022-2450 | 1 Resmush.it | 1 Resmush.it Image Optimizer | 2024-11-21 | N/A | 4.3 MEDIUM |
| The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 lacks authorization in various AJAX actions, allowing any logged-in users, such as subscribers to call them. | |||||
| CVE-2022-2405 | 1 Themehunk | 1 Wp Popup Builder | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary Popup | |||||
| CVE-2022-2389 | 1 Funnelkit | 1 Funnelkit Automations | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Abandoned Cart Recovery for WooCommerce, Follow Up Emails, Newsletter Builder & Marketing Automation By Autonami WordPress plugin before 2.1.2 does not have authorisation and CSRF checks in one of its AJAX action, allowing any authenticated users, such as subscriber to create automations | |||||
| CVE-2022-2382 | 1 Shapedplugin | 1 Product Slider For Woocommerce | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Product Slider for WooCommerce WordPress plugin before 2.5.7 has flawed CSRF checks and lack authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber to call them. One in particular could allow them to delete arbitrary blog options. | |||||
| CVE-2022-2379 | 1 Easy Student Results Project | 1 Easy Student Results | 2024-11-21 | N/A | 7.5 HIGH |
| The Easy Student Results WordPress plugin through 2.2.8 lacks authorisation in its REST API, allowing unauthenticated users to retrieve information related to the courses, exams, departments as well as student's grades and PII such as email address, physical address, phone number etc | |||||
| CVE-2022-2377 | 1 Wpwax | 1 Directorist | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog | |||||
| CVE-2022-2376 | 1 Wpwax | 1 Directorist | 2024-11-21 | N/A | 5.3 MEDIUM |
| The Directorist WordPress plugin before 7.3.1 discloses the email address of all users in an AJAX action available to both unauthenticated and any authenticated users | |||||
| CVE-2022-2373 | 1 Nsqua | 1 Simply Schedule Appointments | 2024-11-21 | N/A | 5.3 MEDIUM |
| The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress users details such as name and email address | |||||
| CVE-2022-2370 | 1 Yaycommerce | 1 Yaysmtp | 2024-11-21 | N/A | 6.5 MEDIUM |
| The YaySMTP WordPress plugin before 2.2.1 does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them | |||||
| CVE-2022-2369 | 1 Yaycommerce | 1 Yaysmtp | 2024-11-21 | N/A | 4.3 MEDIUM |
| The YaySMTP WordPress plugin before 2.2.1 does not have capability check in an AJAX action, allowing any logged in users, such as subscriber to view the Logs of the plugin | |||||
| CVE-2022-2350 | 1 Brainvire | 1 Disable User Login | 2024-11-21 | N/A | 5.3 MEDIUM |
| The Disable User Login WordPress plugin through 1.0.1 does not have authorisation and CSRF checks when updating its settings, allowing unauthenticated attackers to block (or unblock) users at will. | |||||
| CVE-2022-2276 | 1 Wp Edit Menu Project | 1 Wp Edit Menu | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WP Edit Menu WordPress plugin before 1.5.0 does not have authorisation and CSRF in an AJAX action, which could allow unauthenticated attackers to delete arbitrary posts/pages from the blog | |||||
| CVE-2022-2108 | 1 Wbcomdesigns | 1 Buddypress Group Reviews | 2024-11-21 | N/A | 6.5 MEDIUM |
| The plugin Wbcom Designs – BuddyPress Group Reviews for WordPress is vulnerable to unauthorized settings changes and review modification due to missing capability checks and improper nonce checks in several functions related to said actions in versions up to, and including, 2.8.3. This makes it possible for unauthenticated attackers to modify reviews and plugin settings on the affected site. | |||||
| CVE-2022-29906 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omits a check for the quizadmin user. | |||||
| CVE-2022-29611 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2022-29176 | 1 Rubygems | 1 Rubygems.org | 2024-11-21 | 6.0 MEDIUM | 9.9 CRITICAL |
| Rubygems is a package registry used to supply software for the Ruby language ecosystem. Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so. To be vulnerable, a gem needed: one or more dashes in its name creation within 30 days OR no updates for over 100 days At present, we believe this vulnerability has not been exploited. RubyGems.org sends an email to all gem owners when a gem version is published or yanked. We have not received any support emails from gem owners indicating that their gem has been yanked without authorization. An audit of gem changes for the last 18 months did not find any examples of this vulnerability being used in a malicious way. A deeper audit for any possible use of this exploit is ongoing, and we will update this advisory once it is complete. Using Bundler in --frozen or --deployment mode in CI and during deploys, as the Bundler team has always recommended, will guarantee that your application does not silently switch to versions created using this exploit. To audit your application history for possible past exploits, review your Gemfile.lock and look for gems whose platform changed when the version number did not change. For example, gemname-3.1.2 updating to gemname-3.1.2-java could indicate a possible abuse of this vulnerability. RubyGems.org has been patched and is no longer vulnerable to this issue as of the 5th of May 2022. | |||||
| CVE-2022-29051 | 1 Jenkins | 1 Publish Over Ftp | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Missing permission checks in Jenkins Publish Over FTP Plugin 1.16 and earlier allow attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials. | |||||
| CVE-2022-28993 | 1 Bdtask | 1 Multi Store Inventory Management System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Multi Store Inventory Management System v1.0 allows attackers to perform an account takeover via a crafted POST request. | |||||