Shodan
Vulnerabilities
Vulnerable Software
Security Vulnerabilities - CVEs Published In June 2022
CVE-2022-1994
The Login With OTP Over SMS, Email, WhatsApp and Google Authenticator WordPress plugin before 1.0.8 does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
CVSS Score
4.8
EPSS Score
0.003
Published
2022-06-27
CVE-2022-1995
The Malware Scanner WordPress plugin before 4.5.2 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup)
CVSS Score
4.8
EPSS Score
0.003
Published
2022-06-27
CVE-2022-2040
The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element URL, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks
CVSS Score
5.4
EPSS Score
0.002
Published
2022-06-27
CVE-2022-2041
The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element content, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks
CVSS Score
5.4
EPSS Score
0.002
Published
2022-06-27
CVE-2022-1327
The Image Gallery WordPress plugin before 1.1.6 does not sanitize and escape some of its Image fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
CVSS Score
4.8
EPSS Score
0.003
Published
2022-06-27
CVE-2022-1470
The Ultimate WooCommerce CSV Importer WordPress plugin through 2.0 does not sanitise and escape the imported data before outputting it back in the page, leading to a Reflected Cross-Site Scripting
CVSS Score
6.1
EPSS Score
0.002
Published
2022-06-27
CVE-2022-1572
The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks in an AJAX action, available to any authenticated users such as subscriber, which could allow them to delete arbitrary file
CVSS Score
8.1
EPSS Score
0.002
Published
2022-06-27
CVE-2022-1573
The HTML2WP WordPress plugin through 1.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them
CVSS Score
4.3
EPSS Score
0.001
Published
2022-06-27
CVE-2022-1574
The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks when importing files, and does not validate them, as a result, unauthenticated attackers can upload arbitrary files (such as PHP) on the remote server
CVSS Score
9.8
EPSS Score
0.756
Published
2022-06-27
CVE-2022-1593
The Site Offline or Coming Soon WordPress plugin through 1.6.6 does not have CSRF check in place when updating its settings, and it also lacking sanitisation as well as escaping in some of them. As a result, attackers could make a logged in admin change them and put Cross-Site Scripting payloads in them via a CSRF attack
CVSS Score
6.1
EPSS Score
0.003
Published
2022-06-27


Products
Pricing
Contact Us

Shodan ® - All rights reserved