Security Vulnerabilities - CVEs Published In September 2022
The Slickr Flickr WordPress plugin through 2.8.1 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVSS Score
4.8
EPSS Score
0.001
Published
2022-09-19
The Gettext override translations WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVSS Score
4.8
EPSS Score
0.002
Published
2022-09-19
The Translate Multilingual sites WordPress plugin before 2.3.3 is vulnerable to an authenticated SQL injection. By adding a new language (via the settings page) containing specific special characters, the backticks in the SQL query can be surpassed and a time-based blind payload can be injected.
CVSS Score
8.8
EPSS Score
0.008
Published
2022-09-19
The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, however can be configured otherwise via the plugin settings.
CVSS Score
8.8
EPSS Score
0.201
Published
2022-09-19
The Site Offline Or Coming Soon Or Maintenance Mode WordPress plugin before 1.5.3 prevents users from accessing a website but does not do so if the URL contained certain keywords. Adding those keywords to the URL's query string would bypass the plugin's main feature.
CVSS Score
4.3
EPSS Score
0.095
Published
2022-09-19
The WordPress Ping Optimizer WordPress plugin before 2.35.1.3.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVSS Score
4.3
EPSS Score
0.001
Published
2022-09-19
The Form Builder CP WordPress plugin before 1.2.32 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVSS Score
4.8
EPSS Score
0.001
Published
2022-09-19
The Float to Top Button WordPress plugin through 2.3.6 does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVSS Score
4.8
EPSS Score
0.001
Published
2022-09-19
The Scroll To Top WordPress plugin before 1.4.1 does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVSS Score
4.8
EPSS Score
0.001
Published
2022-09-19
The Ketchup Restaurant Reservations WordPress plugin through 1.0.0 does not sanitise and escape some of the reservation user inputs, allowing unauthenticated attackers to perform Cross-Site Scripting attacks logged in admin viewing the malicious reservation made
CVSS Score
6.1
EPSS Score
0.219
Published
2022-09-19