Security Vulnerabilities - CVEs Published In July 2022
This affects the package properties-reader before 2.2.0.
CVSS Score: 7.3
EPSS Score: 0.007
Published: 2022-07-25
This affects the package snyk-broker before 4.73.0. It allows arbitrary file reads for users with access to Snyk's internal network via directory traversal.
CVSS Score: 4.9
EPSS Score: 0.006
Published: 2022-07-25
All versions of package git-archive are vulnerable to Command Injection via the exports function.
CVSS Score: 6.4
EPSS Score: 0.003
Published: 2022-07-25
The Professional Social Sharing Buttons, Icons & Related Posts WordPress plugin before 9.7.6 does not have a proper authorisation check in one of its AJAX actions, available to unauthenticated (in v < 9.7.5) and author+ (in v9.7.5) users, allowing them to call it and retrieve various information such as the list of active plugins and various versions such as PHP, cURL, WP etc.
CVSS Score: 5.3
EPSS Score: 0.582
Published: 2022-07-25
The Header Footer Code Manager WordPress plugin before 1.1.24 does not escape generated URLs before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting.
CVSS Score: 6.1
EPSS Score: 0.083
Published: 2022-07-25
The Exports and Reports WordPress plugin before 0.9.2 does not sanitize and validate data when generating the CSV to export, which could lead to CSV injection through use of the Microsoft Excel DDE function, or leak data via maliciously injected hyperlinks.
CVSS Score: 8.8
EPSS Score: 0.009
Published: 2022-07-25
The SP Project & Document Manager WordPress plugin before 4.58 uses an easily guessable path to store user files; bad actors could use that to access other users' sensitive files.
CVSS Score: 6.5
EPSS Score: 0.004
Published: 2022-07-25
The Name Directory WordPress plugin before 1.25.4 does not have a CSRF check when importing names, and also lacks sanitisation as well as escaping in some of the imported data, which could allow attackers to make a logged-in admin import arbitrary names with XSS payloads in them.
CVSS Score: 6.1
EPSS Score: 0.001
Published: 2022-07-25
The Name Directory WordPress plugin before 1.25.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Furthermore, as the payload is also saved into the database after the request, it leads to a Stored XSS as well.
CVSS Score: 6.1
EPSS Score: 0.002
Published: 2022-07-25
The Popup Anything WordPress plugin before 2.1.7 does not sanitise and escape a parameter before outputting it back in a frontend page, leading to a Reflected Cross-Site Scripting.
CVSS Score: 6.1
EPSS Score: 0.002
Published: 2022-07-25

