Live-Hack-CVE/CVE-2022-4268 The Plugin Logic WordPress plugin through 1.0.7 does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin CVE project by @Sn0wAlice Create: 2022-12-27 16:38:34 +0000 UTC Push: 2022-12-27 16:38:36 +0000 UTC |

Live-Hack-CVE/CVE-2022-4267 The Bulk Delete Users by Email WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting CVE project by @Sn0wAlice Create: 2022-12-27 16:38:31 +0000 UTC Push: 2022-12-27 16:38:33 +0000 UTC |

Live-Hack-CVE/CVE-2022-4266 The Bulk Delete Users by Email WordPress plugin through 1.2 does not have CSRF check when deleting users, which could allow attackers to make a logged in admin delete non admin users by knowing their email via a CSRF attack CVE project by @Sn0wAlice Create: 2022-12-27 16:38:27 +0000 UTC Push: 2022-12-27 16:38:29 +0000 UTC |

Live-Hack-CVE/CVE-2022-4243 The ImageInject WordPress plugin through TODO does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVE project by @Sn0wAlice Create: 2022-12-27 16:38:02 +0000 UTC Push: 2022-12-27 16:38:04 +0000 UTC |

Live-Hack-CVE/CVE-2022-4242 The WP Google Review Slider WordPress plugin before 11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVE project by @Sn0wAlice Create: 2022-12-27 16:37:59 +0000 UTC Push: 2022-12-27 16:38:01 +0000 UTC |

Live-Hack-CVE/CVE-2022-4239 The Workreap WordPress theme before 2.6.4 does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreap_addons_service_remove action, allowing any user to delete any post by knowing or guessing the id. CVE project by @Sn0wAlice Create: 2022-12-27 16:37:55 +0000 UTC Push: 2022-12-27 16:37:57 +0000 UTC |

Live-Hack-CVE/CVE-2022-4227 The Booster for WooCommerce WordPress plugin before 5.6.3, Booster Plus for WooCommerce WordPress plugin before 6.0.0, Booster Elite for WooCommerce WordPress plugin before 6.0.0 do not escape some URLs and parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting CVE project by @Sn0wAlice Create: 2022-12-27 16:37:51 +0000 UTC Push: 2022-12-27 16:37:54 +0000 UTC |

Live-Hack-CVE/CVE-2022-4226 The Simple Basic Contact Form WordPress plugin before 20221201 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVE project by @Sn0wAlice Create: 2022-12-27 16:37:47 +0000 UTC Push: 2022-12-27 16:37:50 +0000 UTC |

Live-Hack-CVE/CVE-2022-4197 The Sliderby10Web WordPress plugin before 1.2.53 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVE project by @Sn0wAlice Create: 2022-12-27 16:37:44 +0000 UTC Push: 2022-12-27 16:37:46 +0000 UTC |

Live-Hack-CVE/CVE-2022-4166 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the addCountS POST parameter before concatenating it to an SQL query in 4_activate.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's dat CVE project by @Sn0wAlice Create: 2022-12-27 16:37:40 +0000 UTC Push: 2022-12-27 16:37:43 +0000 UTC |

Live-Hack-CVE/CVE-2022-4165 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_order POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive CVE project by @Sn0wAlice Create: 2022-12-27 16:37:37 +0000 UTC Push: 2022-12-27 16:37:39 +0000 UTC |

Live-Hack-CVE/CVE-2022-4164 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_multiple_files_for_post POST parameter before concatenating it to an SQL query in 0_change-gallery.php. This may allow malicious users with at least author privilege to leak sensitive informat CVE project by @Sn0wAlice Create: 2022-12-27 16:37:34 +0000 UTC Push: 2022-12-27 16:37:35 +0000 UTC |

Live-Hack-CVE/CVE-2022-4163 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_deactivate and cg_activate POST parameters before concatenating it to an SQL query in 2_deactivate.php and 4_activate.php, respectively. This may allow malicious users with at least author pri CVE project by @Sn0wAlice Create: 2022-12-27 16:37:30 +0000 UTC Push: 2022-12-27 16:37:32 +0000 UTC |

Live-Hack-CVE/CVE-2022-4162 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_row POST parameter before concatenating it to an SQL query in 3_row-order.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's datab CVE project by @Sn0wAlice Create: 2022-12-27 16:37:26 +0000 UTC Push: 2022-12-27 16:37:29 +0000 UTC |

Live-Hack-CVE/CVE-2022-4161 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_copy_start POST parameter before concatenating it to an SQL query in copy-gallery-images.php. This may allow malicious users with at least author privilege to leak sensitive information from t CVE project by @Sn0wAlice Create: 2022-12-27 16:37:23 +0000 UTC Push: 2022-12-27 16:37:25 +0000 UTC |

Live-Hack-CVE/CVE-2022-4160 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_copy_id POST parameter before concatenating it to an SQL query in cg-copy-comments.php and cg-copy-rating.php. This may allow malicious users with at least author privilege to leak sensitive i CVE project by @Sn0wAlice Create: 2022-12-27 16:37:19 +0000 UTC Push: 2022-12-27 16:37:21 +0000 UTC |

Live-Hack-CVE/CVE-2022-4159 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_id POST parameter before concatenating it to an SQL query in 0_change-gallery.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's d CVE project by @Sn0wAlice Create: 2022-12-27 16:37:16 +0000 UTC Push: 2022-12-27 16:37:18 +0000 UTC |

Live-Hack-CVE/CVE-2022-4158 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_Fields POST parameter before concatenating it to an SQL query in users-registry-check-registering-and-login.php. This may allow malicious visitors to leak sensitive information from the site's CVE project by @Sn0wAlice Create: 2022-12-27 16:37:12 +0000 UTC Push: 2022-12-27 16:37:14 +0000 UTC |

Live-Hack-CVE/CVE-2022-4157 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_option_id POST parameter before concatenating it to an SQL query in export-votes-all.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configuratio CVE project by @Sn0wAlice Create: 2022-12-27 16:37:09 +0000 UTC Push: 2022-12-27 16:37:11 +0000 UTC |

Live-Hack-CVE/CVE-2022-4156 The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the user_id POST parameter before concatenating it to an SQL query in ajax-functions-backend.php. This may allow malicious users with at least author privilege to leak sensitive information from the CVE project by @Sn0wAlice Create: 2022-12-27 16:37:05 +0000 UTC Push: 2022-12-27 16:37:07 +0000 UTC |