Security Vulnerabilities - CVEs Published In May 2022
The Call Now Button WordPress plugin before 1.1.2 does not escape a parameter before outputting it back in an attribute of a hidden input, leading to a Reflected Cross-Site Scripting issue when the premium version is enabled.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2022-05-16
The WPC Smart Wishlist for WooCommerce WordPress plugin before 2.9.9 does not sanitise and escape a parameter before outputting it back in an attribute via an AJAX action, leading to a Reflected Cross-Site Scripting issue.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2022-05-16
The ScrollReveal.js Effects WordPress plugin through 1.2 does not sanitise and escape its settings, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVSS Score: 4.8 | EPSS Score: 0.003 | Published: 2022-05-16
Password-protected article content is leaked due to improper access control in GitHub repository publify/publify prior to 9.2.8. Attackers can leverage this vulnerability to view the contents of any password-protected article present on the publify website, compromising the confidentiality and integrity of users.
CVSS Score: 8.8 | EPSS Score: 0.003 | Published: 2022-05-16
The AGIL WordPress plugin through 1.0 accepts all zip files and automatically extracts the zip file without validating the extracted file type, allowing high-privilege users such as admin to upload an arbitrary file such as PHP, leading to RCE.
CVSS Score: 7.2 | EPSS Score: 0.009 | Published: 2022-05-16
JFrog Artifactory before 7.36.1 and 6.23.41 is vulnerable to Insecure Deserialization of untrusted data, which can lead to DoS, Privilege Escalation and Remote Code Execution when a specially crafted request is sent by a low-privileged authenticated user, due to insufficient validation of a user-provided serialized object.
CVSS Score: 8.8 | EPSS Score: 0.059 | Published: 2022-05-16
Improper Access Control in GitHub repository publify/publify prior to 9.2.8.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2022-05-16
Code Injection in GitHub repository publify/publify prior to 9.2.8.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2022-05-16
The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitise and escape user-supplied POST data before it is interpolated into an SQL statement and executed via an AJAX action available to unauthenticated users.
CVSS Score: 9.8 | EPSS Score: 0.853 | Published: 2022-05-16
The Gmedia Photo Gallery WordPress plugin before 1.20.0 does not sanitise and escape the Album's name before outputting it in pages/posts with a media embed, which could allow high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVSS Score: 4.8 | EPSS Score: 0.008 | Published: 2022-05-16
Shodan ® - All rights reserved