The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2022-1627 | The My Private Site WordPress plugin before 3.0.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | MEDIUM | Jun 27, 2022 | n/a |
CVE-2022-1626 | The Sharebar WordPress plugin through 1.4.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and also lead to Stored Cross-Site Scripting issue due to the lack of sanitisation and escaping in some of them | LOW | Jul 15, 2022 | n/a |
CVE-2022-1625 | The New User Approve WordPress plugin before 2.4 does not have CSRF check in place when updating its settings and adding invitation codes, which could allow attackers to add invitation codes (for bypassing the provided restrictions) and to change plugin settings by tricking admin users into visiting specially crafted websites. | MEDIUM | Jun 27, 2022 | n/a |
CVE-2022-1624 | The Latest Tweets Widget WordPress plugin through 1.1.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | MEDIUM | Jun 17, 2022 | n/a |
CVE-2022-1623 | LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:624, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa. | MEDIUM | May 11, 2022 | n/a |
CVE-2022-1622 | LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa. | MEDIUM | May 11, 2022 | n/a |
CVE-2022-1621 | Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution | MEDIUM | May 10, 2022 | n/a |
CVE-2022-1620 | NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input. | MEDIUM | May 8, 2022 | n/a |
CVE-2022-1619 | Heap-based Buffer Overflow in function cmdline_erase_chars in GitHub repository vim/vim prior to 8.2.4899. This vulnerabilities are capable of crashing software, modify memory, and possible remote execution | MEDIUM | May 8, 2022 | n/a |
CVE-2022-1618 | The Coru LFMember WordPress plugin through 1.0.2 does not have CSRF check in place when adding a new game, and is lacking sanitisation as well as escaping in their settings, allowing attacker to make a logged in admin add an arbitrary game with XSS payloads | -- | Jan 16, 2024 | n/a |
CVE-2022-1617 | The WP-Invoice WordPress plugin through 4.3.1 does not have CSRF check in place when updating its settings, and is lacking sanitisation as well as escaping in some of them, allowing attacker to make a logged in admin change them and add XSS payload in them | -- | Jan 16, 2024 | n/a |
CVE-2022-1616 | Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution | MEDIUM | May 8, 2022 | n/a |
CVE-2022-1615 | In Samba, GnuTLS gnutls_rnd() can fail and give predictable random values. | -- | Aug 1, 2022 | n/a |
CVE-2022-1614 | The WP-EMail WordPress plugin before 2.69.0 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based anti-spamming restrictions. | MEDIUM | Jun 21, 2022 | n/a |
CVE-2022-1613 | The Restricted Site Access WordPress plugin before 7.3.2 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations in certain situations. | -- | Sep 28, 2022 | n/a |
CVE-2022-1612 | The Webriti SMTP Mail WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | MEDIUM | Jun 17, 2022 | n/a |
CVE-2022-1611 | The Bulk Page Creator WordPress plugin before 1.1.4 does not protect its page creation functionalities with nonce checks, which makes them vulnerable to CSRF. | MEDIUM | May 31, 2022 | n/a |
CVE-2022-1610 | The Seamless Donations WordPress plugin before 5.1.9 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | MEDIUM | Jun 21, 2022 | n/a |
CVE-2022-1609 | The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site. | -- | Jan 16, 2024 | n/a |
CVE-2022-1608 | The OnePress Social Locker WordPress plugin through 5.6.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | MEDIUM | Jun 17, 2022 | n/a |
CVE-2022-1607 | Cross-Site Request Forgery (CSRF) vulnerability in ABB Pulsar Plus System Controller NE843_S, ABB Infinity DC Power Plant allows Cross Site Request Forgery. This issue affects Pulsar Plus System Controller NE843_S : comcode 150042936; Infinity DC Power Plant: H5692448 G104 G842 G224L G630-4 G451C(2) G461(2) – comcode 150047415. | -- | Feb 24, 2023 | n/a |
CVE-2022-1606 | Incorrect privilege assignment in M-Files Server versions before 22.3.11164.0 and before 22.3.11237.1 allows user to read unmanaged objects. | -- | Dec 2, 2022 | n/a |
CVE-2022-1605 | The Email Users WordPress plugin through 4.8.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and change the notification settings of arbitrary users | MEDIUM | Jun 17, 2022 | n/a |
CVE-2022-1604 | The MailerLite WordPress plugin before 1.5.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting | MEDIUM | Jun 17, 2022 | n/a |
CVE-2022-1603 | The Mail Subscribe List WordPress plugin before 2.1.4 does not have CSRF check in place when deleting subscribed users, which could allow attackers to make a logged in admin perform such action and delete arbitrary users from the subscribed list | MEDIUM | Jun 21, 2022 | n/a |
CVE-2022-1602 | A potential security vulnerability has been identified in HP ThinPro 7.2 Service Pack 8 (SP8). The security vulnerability in SP8 is not remedied after upgrading from SP8 to Service Pack 9 (SP9). HP has released Service Pack 10 (SP10) to remediate the potential vulnerability introduced in SP8. | -- | Sep 15, 2022 | n/a |
CVE-2022-1601 | The User Access Manager WordPress plugin before 2.2.18 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible for attackers to access restricted content in certain situations. | -- | Aug 31, 2023 | n/a |
CVE-2022-1600 | The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations. | -- | Aug 4, 2022 | n/a |
CVE-2022-1599 | The Admin Management Xtended WordPress plugin before 2.4.5 does not have CSRF checks in some of its AJAX actions, allowing attackers to make a logged users with the right capabilities to call them. This can lead to changes in post status (draft, published), slug, post date, comment status (enabled, disabled) and more. | MEDIUM | Jul 15, 2022 | n/a |
CVE-2022-1598 | The WPQA Builder WordPress plugin before 5.5 which is a companion to the Discy and Himer, lacks authentication in a REST API endpoint, allowing unauthenticated users to discover private questions sent between users on the site. | MEDIUM | Jun 8, 2022 | n/a |
CVE-2022-1597 | The WPQA Builder WordPress plugin before 5.4, used as a companion for the Discy and Himer, does not sanitise and escape a parameter on its reset password form which makes it possible to perform Reflected Cross-Site Scripting attacks | MEDIUM | Jun 8, 2022 | n/a |
CVE-2022-1596 | Incorrect Permission Assignment for Critical Resource vulnerability in ABB REX640 PCL1, REX640 PCL2, REX640 PCL3 allows an authenticated attacker to launch an attack against the user database file and try to take control of an affected system node. | MEDIUM | Jun 21, 2022 | n/a |
CVE-2022-1595 | The HC Custom WP-Admin URL WordPress plugin through 1.4 leaks the secret login URL when sending a specific crafted request | MEDIUM | Jun 18, 2022 | n/a |
CVE-2022-1594 | The HC Custom WP-Admin URL WordPress plugin through 1.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, allowing them to change the login URL | MEDIUM | Jun 13, 2022 | n/a |
CVE-2022-1593 | The Site Offline or Coming Soon WordPress plugin through 1.6.6 does not have CSRF check in place when updating its settings, and it also lacking sanitisation as well as escaping in some of them. As a result, attackers could make a logged in admin change them and put Cross-Site Scripting payloads in them via a CSRF attack | MEDIUM | Jun 27, 2022 | n/a |
CVE-2022-1592 | Server-Side Request Forgery in scout in GitHub repository clinical-genomics/scout prior to v4.42. An attacker could make the application perform arbitrary requests to fishing steal cookie, request to private area, or lead to xss... | MEDIUM | May 5, 2022 | n/a |
CVE-2022-1591 | The WordPress Ping Optimizer WordPress plugin before 2.35.1.3.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | -- | Sep 21, 2022 | n/a |
CVE-2022-1590 | A vulnerability was found in Bludit 3.13.1. It has been declared as problematic. This vulnerability affects the endpoint /admin/new-content of the New Content module. The manipulation of the argument content with the input <script>alert(1)</script> leads to cross site scripting. The attack can be initiated remotely but requires an authentication. The exploit has been disclosed to the public and may be used. | LOW | May 5, 2022 | n/a |
CVE-2022-1589 | The Change wp-admin login WordPress plugin before 1.1.0 does not properly check for authorisation and is also missing CSRF check when updating its settings, which could allow unauthenticated users to change the settings. The attacked could also be performed via a CSRF vector | MEDIUM | May 31, 2022 | n/a |
CVE-2022-1588 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. Reason: This CVE has been rejected as it was incorrectly assigned. All references and descriptions in this candidate have been removed to prevent accidental usage | MEDIUM | May 5, 2022 | n/a |
CVE-2022-1587 | An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers. | MEDIUM | May 7, 2022 | n/a |
CVE-2022-1586 | An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT. | MEDIUM | May 7, 2022 | n/a |
CVE-2022-1585 | The Project Source Code Download WordPress plugin through 1.0.0 does not protect its backup generation and download functionalities, which may allow any visitors on the site to download the entire site, including sensitive files like wp-config.php. | -- | Aug 4, 2022 | n/a |
CVE-2022-1584 | Reflected XSS in GitHub repository microweber/microweber prior to 1.2.16. Executing JavaScript as the victim | MEDIUM | May 4, 2022 | n/a |
CVE-2022-1583 | The External Links in New Window / New Tab WordPress plugin before 1.43 does not ensure window.opener is set to null when links to external sites are clicked, which may enable tabnabbing attacks to occur. | MEDIUM | May 31, 2022 | n/a |
CVE-2022-1582 | The External Links in New Window / New Tab WordPress plugin before 1.43 does not properly escape URLs it concatenates to onclick event handlers, which makes Stored Cross-Site Scripting attacks possible. | MEDIUM | May 31, 2022 | n/a |
CVE-2022-1581 | The WP-Polls WordPress plugin before 2.76.0 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations. | -- | Nov 23, 2022 | n/a |
CVE-2022-1580 | The Site Offline Or Coming Soon Or Maintenance Mode WordPress plugin before 1.5.3 prevents users from accessing a website but does not do so if the URL contained certain keywords. Adding those keywords to the URL's query string would bypass the plugin's main feature. | -- | Sep 21, 2022 | n/a |
CVE-2022-1579 | The function check_is_login_page() uses headers for the IP check, which can be easily spoofed. | -- | Nov 23, 2022 | n/a |
CVE-2022-1578 | The My wpdb WordPress plugin before 2.5 is missing CSRF check when running SQL queries, which could allow attacker to make a logged in admin run arbitrary SQL query via a CSRF attack | -- | Nov 23, 2022 | n/a |