Security Vulnerabilities - CVEs Published In June 2022
The CP Image Store with Slideshow WordPress plugin before 1.0.68 does not sanitise and escape the ordering_by query parameter before using it in a SQL statement in pages where the [codepeople-image-store] is embed, allowing unauthenticated users to perform an SQL injection attack
CVSS Score
9.8
EPSS Score
0.734
Published
2022-06-08
The WP Simple Adsense Insertion WordPress plugin before 2.1 does not perform CSRF checks on updates to its admin page, allowing an attacker to trick a logged in user to manipulate ads and inject arbitrary javascript via submitting a form.
CVSS Score
4.3
EPSS Score
0.001
Published
2022-06-08
The Throws SPAM Away WordPress plugin before 3.3.1 does not have CSRF checks in place when deleting comments (either all, spam, or pending), allowing attackers to make a logged in admin delete comments via a CSRF attack
CVSS Score
4.3
EPSS Score
0.001
Published
2022-06-08
The LiveSync for WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVSS Score
4.3
EPSS Score
0.001
Published
2022-06-08
The User Meta WordPress plugin before 2.4.4 does not validate the filepath parameter of its um_show_uploaded_file AJAX action, which could allow low privileged users such as subscriber to enumerate the local files on the web server via path traversal payloads
CVSS Score
6.5
EPSS Score
0.137
Published
2022-06-08
The WP Fundraising Donation and Crowdfunding Platform WordPress plugin before 1.5.0 does not sanitise and escape a parameter before using it in a SQL statement via one of it's REST route, leading to an SQL injection exploitable by unauthenticated users
CVSS Score
9.8
EPSS Score
0.481
Published
2022-06-08
The WP Statistics WordPress plugin before 13.2.2 does not sanitise the REQUEST_URI parameter before outputting it back in the rendered page, leading to Cross-Site Scripting (XSS) in web browsers which do not encode characters
CVSS Score
6.1
EPSS Score
0.003
Published
2022-06-08
The Ask me WordPress theme before 6.8.2 does not properly sanitise and escape several of the fields in the Edit Profile page, leading to Reflected Cross-Site Scripting issues
CVSS Score
6.1
EPSS Score
0.002
Published
2022-06-08
The Photo Gallery by 10Web WordPress plugin before 1.6.4 does not properly validate and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfiltered_html is disallowed
CVSS Score
4.8
EPSS Score
0.002
Published
2022-06-08
The Discy WordPress theme before 5.2 lacks CSRF checks in some AJAX actions, allowing an attacker to make a logged in admin change arbitrary 's settings including payment methods via a CSRF attack
CVSS Score
4.3
EPSS Score
0.076
Published
2022-06-08