Common Vulnerabilities
In the Lana Codes Common Vulnerability Database (LANACOMMONVDB), we collect the vulnerabilities we discover in other systems and provide standard descriptions.
CVE ID: CVE-2022-3882
WordPress Plugin: wp-memory <= 2.45
Vulnerability Type: Cross-Site Request Forgery (CSRF), Missing Authorization
Date: 2022-11-07
The plugin does not have proper authorisation and Cross-Site Request Forgery (CSRF) checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and install and activate arbitrary plugins from the wordpress.org repository.

CVE ID: CVE-2022-3883
WordPress Plugin: stopbadbots <= 7.23
Vulnerability Type: Cross-Site Request Forgery (CSRF), Missing Authorization
Date: 2022-11-07
The plugin does not have proper authorisation and Cross-Site Request Forgery (CSRF) checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and install and activate arbitrary plugins from the wordpress.org repository.

CVE ID: CVE-2022-3946
WordPress Plugin: usc-e-shop <= 2.8.3
Vulnerability Type: Cross-Site Request Forgery (CSRF)
Date: 2022-11-07
The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) checks in an AJAX action, allowing any logged-in user to create, update and delete shipping methods.

CVE ID: CVE-2022-3935
WordPress Plugin: usc-e-shop <= 2.8.3
Vulnerability Type: Cross-Site Scripting (XSS)
Date: 2022-11-07
The plugin does not sanitize and escape some parameters, which could allow any authenticated user, such as a subscriber, to perform Stored Cross-Site Scripting (XSS) attacks.

CVE ID: CVE-2022-4124
WordPress Plugin: popup-manager <= 1.6.6
Vulnerability Type: Cross-Site Request Forgery (CSRF), Missing Authorization
Date: 2022-11-07
The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) checks when deleting popups, which could allow unauthenticated users to delete them.

CVE ID: CVE-2022-4125
WordPress Plugin: popup-manager <= 1.6.6
Vulnerability Type: Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), Missing Authorization
Date: 2022-11-07
The plugin does not have authorization and Cross-Site Request Forgery (CSRF) checks when creating/updating popups, and is also missing sanitisation and escaping, which could allow unauthenticated attackers to create arbitrary popups and add Stored Cross-Site Scripting (XSS) payloads as well.

CVE ID: CVE-2022-3937
WordPress Plugin: easy-video-player <= 1.2.2.2
Vulnerability Type: Cross-Site Scripting (XSS)
Date: 2022-11-07
The plugin does not sanitize and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

CVE ID: CVE-2022-3994
WordPress Plugin: authenticator <= 1.3.0
Vulnerability Type: Denial of Service (DoS)
Date: 2022-11-07
The plugin does not prevent subscribers from updating a site’s feed access token, which may deny other users access to the functionality in certain configurations.

CVE ID: CVE-2022-3961
WordPress Plugin: directorist <= 7.4.3
Vulnerability Type: Missing Authorization
Date: 2022-11-07
The plugin does not prevent users with low privileges (like subscribers) from accessing sensitive system information.

CVE ID: CVE-2022-3894
WordPress Plugin: oauth2-provider <= 4.2.3
Vulnerability Type: Cross-Site Request Forgery (CSRF)
Date: 2022-11-07
The plugin does not have a Cross-Site Request Forgery (CSRF) check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged-in admin delete an arbitrary client or post via a Cross-Site Request Forgery (CSRF) attack.

CVE ID: CVE-2022-3923
WordPress Plugin: activecampaign-for-woocommerce <= 1.9.7
Vulnerability Type: Cross-Site Request Forgery (CSRF), Missing Authorization
Date: 2022-11-07
The plugin does not have an authorisation check when cleaning up its error logs via an AJAX action, which could allow any authenticated user, such as a subscriber, to call it and remove error logs.

CVE ID: CVE-2022-3891
WordPress Plugin: wp-fullcalendar <= 1.4.1
Vulnerability Type: Cross-Site Request Forgery (CSRF), Missing Authorization
Date: 2022-11-07
The plugin does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected ones.

CVE ID: CVE-2022-3892
WordPress Plugin: oauth2-provider <= 4.2.1
Vulnerability Type: Cross-Site Scripting (XSS)
Date: 2022-11-07
The plugin does not sanitize and escape client IDs, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE ID: CVE-2022-43472
WordPress Plugin: eroom-zoom-meetings-webinar <= 1.4.6
Vulnerability Type: Cross-Site Request Forgery (CSRF), Missing Authorization, Sensitive Data Disclosure
Date: 2022-10-25
The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) checks in the stm_wpcfto_get_settings AJAX action, which could allow any authenticated user to call it and retrieve meeting data.

CVE ID: CVE-2022-38063
WordPress Plugin: social-login-wp <= 5.0.0
Vulnerability Type: Cross-Site Request Forgery (CSRF)
Date: 2022-10-17
The plugin does not have a Cross-Site Request Forgery (CSRF) check when updating a user's social login option, which could allow attackers to make logged-in users perform that action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

CVE ID: CVE-2022-38456
WordPress Plugin: ajax-search-lite <= 4.10.3
Vulnerability Type: Cross-Site Request Forgery (CSRF), Missing Authorization, Sensitive Data Disclosure
Date: 2022-10-17
The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) checks in the wd_search_cf AJAX action, which could allow any authenticated user to call it and retrieve arbitrary post metadata.

CVE ID: CVE-2022-41655
WordPress Plugin: phone-orders-for-woocommerce <= 3.7.1
Vulnerability Type: Cross-Site Request Forgery (CSRF), Missing Authorization, Sensitive Data Disclosure
Date: 2022-10-17
The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) checks in the phone-orders-for-woocommerce AJAX action, which could allow any authenticated user to call it and retrieve users’ personal data.

CVE ID: CVE-2022-43482
WordPress Plugin: appointment-booking-calendar <= 1.3.69
Vulnerability Type: Cross-Site Request Forgery (CSRF)
Date: 2022-10-14
The plugin does not have a Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged-in users perform that action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

CVE ID: CVE-2022-41692
WordPress Plugin: appointment-hour-booking <= 1.3.71
Vulnerability Type: Cross-Site Request Forgery (CSRF)
Date: 2022-10-14
The plugin does not have a Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged-in users perform that action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

CVE ID: CVE-2023-25037
WordPress Plugin: booking-calendar-contact-form <= 1.2.34
Vulnerability Type: Cross-Site Request Forgery (CSRF)
Date: 2022-10-14
The plugin does not have a Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged-in users perform that action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

CVE ID: CVE-2023-28494
WordPress Plugin: contact-form-to-email <= 1.3.31
Vulnerability Type: Cross-Site Request Forgery (CSRF)
Date: 2022-10-14
The plugin does not have a Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged-in users perform that action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

CVE ID: CVE-2023-27460
WordPress Plugin: cp-contact-form-with-paypal <= 1.3.34
Vulnerability Type: Cross-Site Request Forgery (CSRF)
Date: 2022-10-14
The plugin does not have a Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged-in users perform that action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

CVE ID: CVE-2023-28492
WordPress Plugin: cp-multi-view-calendar <= 1.4.10
Vulnerability Type: Cross-Site Request Forgery (CSRF)
Date: 2022-10-14
The plugin does not have a Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged-in users perform that action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

CVE ID: CVE-2022-41790
WordPress Plugin: wp-time-slots-booking-form <= 1.1.76
Vulnerability Type: Cross-Site Request Forgery (CSRF)
Date: 2022-10-14
The plugin does not have a Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged-in users perform that action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

CVE ID: CVE-2023-41732
WordPress Plugin: cp-blocks <= 1.0.20
Vulnerability Type: Cross-Site Request Forgery (CSRF)
Date: 2022-10-14
The plugin does not have a Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged-in users perform that action on their behalf via a Cross-Site Request Forgery (CSRF) attack.