Security Vulnerabilities - CVEs Published In May 2022
The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for Discy and Himer, does not sanitise and escape the city, phone or profile credentials fields when outputting them in the profile page, allowing any authenticated user to perform Cross-Site Scripting attacks.
CVSS Score: 5.4 | EPSS Score: 0.103 | Published: 2022-05-16

The th23 Social WordPress plugin through 1.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2022-05-16

The Bulk Edit and Create User Profiles WordPress plugin before 1.5.14 does not sanitise and escape the Users Login, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2022-05-16

The Advanced Uploader WordPress plugin through 4.2 allows any authenticated user, such as a subscriber, to upload arbitrary files, such as PHP, which could lead to RCE.
CVSS Score: 8.8 | EPSS Score: 0.166 | Published: 2022-05-16

The Visual Slide Box Builder WordPress plugin through 3.2.9 does not sanitise and escape various parameters before using them in SQL statements via some of its AJAX actions available to any authenticated user (such as a subscriber), leading to SQL Injections.
CVSS Score: 8.8 | EPSS Score: 0.007 | Published: 2022-05-16

An arbitrary file upload vulnerability in formidable v3.1.4 allows attackers to execute arbitrary code via a crafted filename. NOTE: some third parties dispute this issue because the product has common use cases in which uploading arbitrary files is the desired behavior. Also, there are configuration options in all versions that can change the default behavior of how files are handled. Strapi does not consider this to be a valid vulnerability.
CVSS Score: 9.8 | EPSS Score: 0.245 | Published: 2022-05-16

An arbitrary file upload vulnerability in the file upload module of Express Connect-Multiparty 2.2.0 allows attackers to execute arbitrary code via a crafted PDF file. NOTE: the Supplier has not verified this vulnerability report.
CVSS Score: 7.8 | EPSS Score: 0.004 | Published: 2022-05-16

A stored cross-site scripting (XSS) vulnerability in the upload function of totaljs CMS 3.4.5 allows attackers to execute arbitrary web scripts via a PDF file with embedded JavaScript.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2022-05-16

atmail 6.5.0 allows XSS via the index.php/admin/index/ error parameter.
CVSS Score: 6.1 | EPSS Score: 0.455 | Published: 2022-05-16

Parallels H-Sphere 3.6.1713 allows XSS via the index_en.php from parameter.
CVSS Score: 6.1 | EPSS Score: 0.041 | Published: 2022-05-16

Shodan ® - All rights reserved