Live-Hack-CVE/CVE-2022-4163 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_deactivate and cg_activate POST parameters before concatenating it to an SQL query in 2_deactivate.php and 4_activate.php, respectively. This may allow malicious users with at least author pri CVE project by @Sn0wAlice Create: 2022-12-27 16:37:30 +0000 UTC Push: 2022-12-27 16:37:32 +0000 UTC |

Live-Hack-CVE/CVE-2022-4162 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_row POST parameter before concatenating it to an SQL query in 3_row-order.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's datab CVE project by @Sn0wAlice Create: 2022-12-27 16:37:26 +0000 UTC Push: 2022-12-27 16:37:29 +0000 UTC |

Live-Hack-CVE/CVE-2022-4161 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_copy_start POST parameter before concatenating it to an SQL query in copy-gallery-images.php. This may allow malicious users with at least author privilege to leak sensitive information from t CVE project by @Sn0wAlice Create: 2022-12-27 16:37:23 +0000 UTC Push: 2022-12-27 16:37:25 +0000 UTC |

Live-Hack-CVE/CVE-2022-4160 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_copy_id POST parameter before concatenating it to an SQL query in cg-copy-comments.php and cg-copy-rating.php. This may allow malicious users with at least author privilege to leak sensitive i CVE project by @Sn0wAlice Create: 2022-12-27 16:37:19 +0000 UTC Push: 2022-12-27 16:37:21 +0000 UTC |

Live-Hack-CVE/CVE-2022-4159 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_id POST parameter before concatenating it to an SQL query in 0_change-gallery.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's d CVE project by @Sn0wAlice Create: 2022-12-27 16:37:16 +0000 UTC Push: 2022-12-27 16:37:18 +0000 UTC |

Live-Hack-CVE/CVE-2022-4158 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_Fields POST parameter before concatenating it to an SQL query in users-registry-check-registering-and-login.php. This may allow malicious visitors to leak sensitive information from the site's CVE project by @Sn0wAlice Create: 2022-12-27 16:37:12 +0000 UTC Push: 2022-12-27 16:37:14 +0000 UTC |

Live-Hack-CVE/CVE-2022-4157 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_option_id POST parameter before concatenating it to an SQL query in export-votes-all.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configuratio CVE project by @Sn0wAlice Create: 2022-12-27 16:37:09 +0000 UTC Push: 2022-12-27 16:37:11 +0000 UTC |

Live-Hack-CVE/CVE-2022-4156 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the user_id POST parameter before concatenating it to an SQL query in ajax-functions-backend.php. This may allow malicious users with at least author privilege to leak sensitive information from the CVE project by @Sn0wAlice Create: 2022-12-27 16:37:05 +0000 UTC Push: 2022-12-27 16:37:07 +0000 UTC |

Live-Hack-CVE/CVE-2022-4155 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configurati CVE project by @Sn0wAlice Create: 2022-12-27 16:37:01 +0000 UTC Push: 2022-12-27 16:37:04 +0000 UTC |

Live-Hack-CVE/CVE-2022-4154 The Contest Gallery Pro WordPress plugin before 19.1.5 does not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with at administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the sit CVE project by @Sn0wAlice Create: 2022-12-27 16:36:58 +0000 UTC Push: 2022-12-27 16:37:00 +0000 UTC |

Live-Hack-CVE/CVE-2022-4153 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the upload[] POST parameter before concatenating it to an SQL query in get-data-create-upload-v10.php. This may allow malicious users with at least author privilege to leak sensitive information from CVE project by @Sn0wAlice Create: 2022-12-27 16:36:54 +0000 UTC Push: 2022-12-27 16:36:57 +0000 UTC |

Live-Hack-CVE/CVE-2022-4152 The Contest Gallery WordPress plugin before 19.1.5, Contest Gallery Pro WordPress plugin before 19.1.5 do not escape the option_id POST parameter before concatenating it to an SQL query in edit-options.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's datab CVE project by @Sn0wAlice Create: 2022-12-27 16:36:51 +0000 UTC Push: 2022-12-27 16:36:53 +0000 UTC |

Live-Hack-CVE/CVE-2022-4151 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id GET parameter before concatenating it to an SQL query in export-images-data.php. This may allow malicious users with at least author privilege to leak sensitive information from the sit CVE project by @Sn0wAlice Create: 2022-12-27 16:36:20 +0000 UTC Push: 2022-12-27 16:36:22 +0000 UTC |

Live-Hack-CVE/CVE-2022-4150 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitiv CVE project by @Sn0wAlice Create: 2022-12-27 16:36:17 +0000 UTC Push: 2022-12-27 16:36:19 +0000 UTC |

Live-Hack-CVE/CVE-2022-4120 The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2022.6 passes base64 encoded user input to the unserialize() PHP function when CAPTCHA are used as second challenge, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain CVE project by @Sn0wAlice Create: 2022-12-27 16:36:14 +0000 UTC Push: 2022-12-27 16:36:16 +0000 UTC |

Live-Hack-CVE/CVE-2022-4117 The IWS WordPress plugin through 1.0 does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection. CVE project by @Sn0wAlice Create: 2022-12-27 16:36:10 +0000 UTC Push: 2022-12-27 16:36:12 +0000 UTC |

Live-Hack-CVE/CVE-2022-4110 The Eventify™ WordPress plugin through 2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVE project by @Sn0wAlice Create: 2022-12-27 16:36:06 +0000 UTC Push: 2022-12-27 16:36:08 +0000 UTC |

Live-Hack-CVE/CVE-2022-4047 The Return Refund and Exchange For WooCommerce WordPress plugin before 4.0.9 does not validate attachment files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files such as PHP and lead to RCE CVE project by @Sn0wAlice Create: 2022-12-27 16:36:03 +0000 UTC Push: 2022-12-27 16:36:05 +0000 UTC |

Live-Hack-CVE/CVE-2022-4042 The Paytium: Mollie payment forms & donations WordPress plugin through 4.3.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVE project by @Sn0wAlice Create: 2022-12-27 16:35:59 +0000 UTC Push: 2022-12-27 16:36:01 +0000 UTC |

Live-Hack-CVE/CVE-2022-3840 The Login for Google Apps WordPress plugin before 3.4.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVE project by @Sn0wAlice Create: 2022-12-27 16:35:56 +0000 UTC Push: 2022-12-27 16:35:58 +0000 UTC |