Security Vulnerabilities - CVEs Published In February 2022
The Form Store to DB WordPress plugin before 1.1.1 does not sanitise and escape parameter keys before outputting it back in the created entry, allowing unauthenticated attacker to perform Cross-Site Scripting attacks against admin
CVSS Score
6.1
EPSS Score
0.121
Published
2022-02-14
The Futurio Extra WordPress plugin before 1.6.3 is affected by a SQL Injection vulnerability that could be used by high privilege users to extract data from the database as well as used to perform Cross-Site Scripting (XSS) against logged in admins by making send open a malicious link.
CVSS Score
2.7
EPSS Score
0.002
Published
2022-02-14
The Futurio Extra WordPress plugin before 1.6.3 allows any logged in user, such as subscriber, to extract any other user's email address.
CVSS Score
4.3
EPSS Score
0.002
Published
2022-02-14
The WP Photo Album Plus WordPress plugin before 8.0.10 was vulnerable to Stored Cross-Site Scripting (XSS). Error log content was handled improperly, therefore any user, even unauthenticated, could cause arbitrary javascript to be executed in the admin panel.
CVSS Score
6.4
EPSS Score
0.001
Published
2022-02-14
In gc_data_segment in fs/f2fs/gc.c in the Linux kernel before 5.16.3, special files are not considered, leading to a move_data_page NULL pointer dereference.
CVSS Score
5.5
EPSS Score
0.001
Published
2022-02-14
In zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs because of recursive PROMPT_SUBST expansion.
CVSS Score
7.8
EPSS Score
0.001
Published
2022-02-14
The Remove Footer Credit WordPress plugin before 1.0.6 does not have CSRF check in place when saving its settings, which could allow attacker to make logged in admins change them and lead to Stored XSS issue as well due to the lack of sanitisation
CVSS Score
5.4
EPSS Score
0.001
Published
2022-02-14
The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.31 does not escape the lang and pid parameter before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues
CVSS Score
6.1
EPSS Score
0.003
Published
2022-02-14
The Mortgage Calculators WP WordPress plugin before 1.56 does not implement any sanitisation on the color setting of the background of a calculator, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVSS Score
4.8
EPSS Score
0.03
Published
2022-02-14
The Ibtana WordPress plugin before 1.1.4.9 does not have authorisation and CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings which could lead to Stored Cross-Site Scripting issue.
CVSS Score
3.5
EPSS Score
0.001
Published
2022-02-14