Security Vulnerabilities - CVEs Published In January 2022
The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts
CVSS Score
6.5
EPSS Score
0.001
Published
2022-01-24
The myCred WordPress plugin before 2.4 does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue
CVSS Score
6.1
EPSS Score
0.002
Published
2022-01-24
The Tutor LMS WordPress plugin before 1.9.12 does not escape the search parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
CVSS Score
6.1
EPSS Score
0.003
Published
2022-01-24
The Event Tickets WordPress plugin before 5.2.2 does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary redirect issue
CVSS Score
6.1
EPSS Score
0.044
Published
2022-01-24
The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
CVSS Score
6.1
EPSS Score
0.002
Published
2022-01-24
The Backup and Staging by WP Time Capsule WordPress plugin before 1.22.7 does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting
CVSS Score
6.1
EPSS Score
0.002
Published
2022-01-24
The Asgaros Forum WordPress plugin before 1.15.15 does not validate or escape the forum_id parameter before using it in a SQL statement when editing a forum, leading to an SQL injection issue
CVSS Score
7.2
EPSS Score
0.012
Published
2022-01-24
The Mobile Events Manager WordPress plugin before 1.4.4 does not sanitise and escape various of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
CVSS Score
4.8
EPSS Score
0.003
Published
2022-01-24
The Orders Tracking for WooCommerce WordPress plugin before 1.1.10 does not sanitise and escape the file_url before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting
CVSS Score
6.1
EPSS Score
0.002
Published
2022-01-24
The WP125 WordPress plugin before 1.5.5 does not have CSRF checks in various action, for example when deleting an ad, allowing attackers to make a logged in admin delete them via a CSRF attack
CVSS Score
8.8
EPSS Score
0.001
Published
2022-01-24