Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-4451
Publication date:
16/01/2023
The Social Sharing WordPress plugin before 3.3.45 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2025

CVE-2022-4309
Publication date:
16/01/2023
The Subscribe2 WordPress plugin before 10.38 does not have CSRF check when deleting users, which could allow attackers to make a logged in admin delete arbitrary users by knowing their email via a CSRF attack.
Severity CVSS v4.0: Pending analysis
Last modification:
07/04/2025

CVE-2022-4320
Publication date:
16/01/2023
The WordPress Events Calendar WordPress plugin before 1.4.5 does not sanitize and escapes a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both unauthenticated and authenticated users (such as high-privilege ones like admin).
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2025

CVE-2022-4431
Publication date:
16/01/2023
The WOOCS WordPress plugin before 1.3.9.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2025

CVE-2022-4442
Publication date:
16/01/2023
The Custom Post Types and Custom Fields creator WordPress plugin before 2.3.3 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2025

CVE-2022-4060
Publication date:
16/01/2023
The User Post Gallery WordPress plugin through 2.19 does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it.
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2025

CVE-2022-4101
Publication date:
16/01/2023
The Images Optimize and Upload CF7 WordPress plugin through 2.1.4 does not validate the file to be deleted via an AJAX action available to unauthenticated users, which could allow them to delete arbitrary files on the server via path traversal attack.
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2025

CVE-2022-4199
Publication date:
16/01/2023
The Link Library WordPress plugin before 7.4.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2025

CVE-2022-4327
Publication date:
16/01/2023
Rejected reason: This issue does not bear any security risk as it's only exploitable by users with administrator or super-administrator roles, who can already do what they want on their site.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2022-4330
Publication date:
16/01/2023
The WP Attachments WordPress plugin before 5.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Severity CVSS v4.0: Pending analysis
Last modification:
21/01/2024

CVE-2022-47630
Publication date:
16/01/2023
Trusted Firmware-A through 2.8 has an out-of-bounds read in the X.509 parser for parsing boot certificates. This affects downstream use of get_ext and auth_nvctr. Attackers might be able to trigger dangerous read side effects or obtain sensitive information about microarchitectural state.
Severity CVSS v4.0: Pending analysis
Last modification:
08/04/2025

CVE-2022-2658
Publication date:
16/01/2023
The WP Spell Check WordPress plugin before 9.13 does not escape ignored words, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Severity CVSS v4.0: Pending analysis
Last modification:
04/04/2025
Subscribe to Vulnerabilities