unSafe.sh - Unsafe
Live-Hack-CVE/CVE-2022-3417
The WPtouch WordPress plugin before 4.3.45 unserialises the content of an imported settings file, which could lead to PHP object injection issues when a user imports (intentionally or not) a malicious settings file and a suitable gadget chain is present on the blog. CVE project by @Sn0wAlice
Create: 2023-01-10 10:09:26 +0000 UTC Push: 2023-01-10 10:09:29 +0000 UTC
Live-Hack-CVE/CVE-2022-3343
The WPQA Builder WordPress plugin before 5.9.3 (which is a companion plugin used with Discy and Himer WordPress themes) incorrectly tries to validate that a user already follows another in the wpqa_following_you_ajax action, allowing a user to inflate their score on the site by having another user send repeated follow CVE project by @Sn0wAlice
Create: 2023-01-10 10:09:21 +0000 UTC Push: 2023-01-10 10:09:25 +0000 UTC
Live-Hack-CVE/CVE-2022-3923
The ActiveCampaign for WooCommerce WordPress plugin through 1.9.6 does not have an authorisation check when cleaning up its error logs via an AJAX action, which could allow any authenticated user, such as a subscriber, to call it and remove error logs. CVE project by @Sn0wAlice
Create: 2023-01-10 10:09:17 +0000 UTC Push: 2023-01-10 10:09:20 +0000 UTC
Live-Hack-CVE/CVE-2022-3416
The WPtouch WordPress plugin before 4.3.45 does not properly validate images to be uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in a multisite setup). CVE project by @Sn0wAlice
Create: 2023-01-10 10:09:13 +0000 UTC Push: 2023-01-10 10:09:16 +0000 UTC
Live-Hack-CVE/CVE-2022-4497
The Jetpack CRM WordPress plugin before 5.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. CVE project by @Sn0wAlice
Create: 2023-01-10 10:09:09 +0000 UTC Push: 2023-01-10 10:09:11 +0000 UTC
Live-Hack-CVE/CVE-2022-4491
The WP-Table Reloaded WordPress plugin through 1.9.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privilege users such a CVE project by @Sn0wAlice
Create: 2023-01-10 10:09:06 +0000 UTC Push: 2023-01-10 10:09:08 +0000 UTC
Live-Hack-CVE/CVE-2022-4479
The Table of Contents Plus WordPress plugin before 2212 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as CVE project by @Sn0wAlice
Create: 2023-01-10 10:09:01 +0000 UTC Push: 2023-01-10 10:09:04 +0000 UTC
Live-Hack-CVE/CVE-2022-4468
The WP Recipe Maker WordPress plugin before 8.6.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin CVE project by @Sn0wAlice
Create: 2023-01-10 10:08:57 +0000 UTC Push: 2023-01-10 10:08:58 +0000 UTC
Live-Hack-CVE/CVE-2022-4426
The Mautic Integration for WooCommerce WordPress plugin before 1.0.3 does not have a proper CSRF check when updating settings, and does not ensure that the options to be updated belong to the plugin, allowing attackers to make a logged-in admin change arbitrary blog options via a CSRF attack. CVE project by @Sn0wAlice
Create: 2023-01-10 10:08:52 +0000 UTC Push: 2023-01-10 10:08:55 +0000 UTC
Live-Hack-CVE/CVE-2022-4394
The iPages Flipbook For WordPress plugin through 1.4.6 does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. CVE project by @Sn0wAlice
Create: 2023-01-10 10:08:48 +0000 UTC Push: 2023-01-10 10:08:51 +0000 UTC
Live-Hack-CVE/CVE-2022-4393
The ImageLinks Interactive Image Builder for WordPress plugin through 1.5.3 does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. CVE project by @Sn0wAlice
Create: 2023-01-10 10:08:43 +0000 UTC Push: 2023-01-10 10:08:47 +0000 UTC
Live-Hack-CVE/CVE-2022-4392
The iPanorama 360 WordPress Virtual Tour Builder plugin through 1.6.29 does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. CVE project by @Sn0wAlice
Create: 2023-01-10 10:08:38 +0000 UTC Push: 2023-01-10 10:08:42 +0000 UTC
Live-Hack-CVE/CVE-2022-4374
The Bg Bible References WordPress plugin through 3.8.14 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. CVE project by @Sn0wAlice
Create: 2023-01-10 10:08:34 +0000 UTC Push: 2023-01-10 10:08:37 +0000 UTC
Live-Hack-CVE/CVE-2022-4368
The WP CSV WordPress plugin through 1.8.0.0 does not sanitize and escape a parameter before outputting it back in the page when importing a CSV, and does not have CSRF checks in place either, leading to a Reflected Cross-Site Scripting. CVE project by @Sn0wAlice
Create: 2023-01-10 10:08:30 +0000 UTC Push: 2023-01-10 10:08:33 +0000 UTC
Live-Hack-CVE/CVE-2022-4325
The Post Status Notifier Lite WordPress plugin before 1.10.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which can be used against high privilege users such as admin. CVE project by @Sn0wAlice
Create: 2023-01-10 10:08:26 +0000 UTC Push: 2023-01-10 10:08:28 +0000 UTC
Live-Hack-CVE/CVE-2022-4310
The Slimstat Analytics WordPress plugin before 4.9.3 does not sanitise and escape the URI when logging requests, which could allow unauthenticated attackers to perform Stored Cross-Site Scripting attacks against a logged-in admin viewing the logs. CVE project by @Sn0wAlice
Create: 2023-01-10 10:08:21 +0000 UTC Push: 2023-01-10 10:08:25 +0000 UTC
Live-Hack-CVE/CVE-2022-4043
The WP Custom Admin Interface WordPress plugin before 7.29 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. CVE project by @Sn0wAlice
Create: 2023-01-10 10:08:17 +0000 UTC Push: 2023-01-10 10:08:20 +0000 UTC
Live-Hack-CVE/CVE-2022-46603
An issue in Inkdrop v5.4.1 allows attackers to execute arbitrary commands via uploading a crafted markdown file. CVE project by @Sn0wAlice
Create: 2023-01-10 10:08:12 +0000 UTC Push: 2023-01-10 10:08:15 +0000 UTC
Live-Hack-CVE/CVE-2022-3855
The 404 to Start WordPress plugin through 1.6.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). CVE project by @Sn0wAlice
Create: 2023-01-10 10:08:07 +0000 UTC Push: 2023-01-10 10:08:11 +0000 UTC
Live-Hack-CVE/CVE-2022-3679
The Starter Templates by Kadence WP WordPress plugin before 1.2.17 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog. CVE project by @Sn0wAlice
Create: 2023-01-10 10:08:03 +0000 UTC Push: 2023-01-10 10:08:06 +0000 UTC