Security Vulnerabilities - CVEs Published In April 2022
The Page Restriction WordPress (WP) WordPress plugin before 1.2.7 allows bad actors with administrator privileges to the settings page to inject Javascript code to its settings leading to stored Cross-Site Scripting that will only affect administrator users.
CVSS Score
4.8
EPSS Score
0.002
Published
2022-04-25
The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog
CVSS Score
4.3
EPSS Score
0.001
Published
2022-04-25
The amr users WordPress plugin before 4.59.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
CVSS Score
4.8
EPSS Score
0.002
Published
2022-04-25
The Menubar WordPress plugin before 5.8 does not sanitise and escape the command parameter before outputting it back in the response via the menubar AJAX action (available to any authenticated users), leading to a Reflected Cross-Site Scripting
CVSS Score
5.4
EPSS Score
0.002
Published
2022-04-25
The LayerSlider WordPress plugin before 7.1.2 does not sanitise and escape Project's slug before outputting it back in various place, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
CVSS Score
4.8
EPSS Score
0.002
Published
2022-04-25
The Books & Papers WordPress plugin through 0.20210223 does not escape its Custom DB prefix settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
CVSS Score
4.8
EPSS Score
0.002
Published
2022-04-25
The Opensea WordPress plugin before 1.0.3 does not sanitize and escape some of its settings, like its "Referer address" field, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVSS Score
4.8
EPSS Score
0.002
Published
2022-04-25
The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server running old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar Deserialization technique
CVSS Score
9.8
EPSS Score
0.906
Published
2022-04-25
The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.
CVSS Score
9.8
EPSS Score
0.667
Published
2022-04-25
The Videos sync PDF WordPress plugin through 1.7.4 does not validate the p parameter before using it in an include statement, which could lead to Local File Inclusion issues
CVSS Score
7.5
EPSS Score
0.652
Published
2022-04-25