From DHS/US-CERT's National Vulnerability Database
CVE-2022-2799
PUBLISHED: 2022-09-16
The Affiliates Manager WordPress plugin before 2.9.14 does not sanitise and escape some of its settings, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2022-2863
PUBLISHED: 2022-09-16
The Migration, Backup, Staging WordPress plugin before 0.9.76 does not sanitise and validate a parameter before using it to read the contents of a file, allowing high-privilege users to read any file from the web server via a path traversal attack.
CVE-2022-2877
PUBLISHED: 2022-09-16
The Titan Anti-spam & Security WordPress plugin before 7.3.1 does not properly check HTTP headers in order to validate the origin IP address, allowing threat actors to bypass its block feature by spoofing the headers.
CVE-2022-2887
PUBLISHED: 2022-09-16
The WP Server Health Stats WordPress plugin before 1.7.0 does not escape some of its settings, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2022-2912
PUBLISHED: 2022-09-16
The Craw Data WordPress plugin through 1.0.0 does not implement nonce checks, which could allow attackers to make a logged-in admin change the url value, performing unwanted crawls against third-party websites (SSRF).