Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2022-1692
Publication date:
08/06/2022
The CP Image Store with Slideshow WordPress plugin before 1.0.68 does not sanitise and escape the ordering_by query parameter before using it in a SQL statement in pages where the [codepeople-image-store] is embed, allowing unauthenticated users to perform an SQL injection attack
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2022

CVE-2022-1709
Publication date:
08/06/2022
The Throws SPAM Away WordPress plugin before 3.3.1 does not have CSRF checks in place when deleting comments (either all, spam, or pending), allowing attackers to make a logged in admin delete comments via a CSRF attack
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2022

CVE-2022-1695
Publication date:
08/06/2022
The WP Simple Adsense Insertion WordPress plugin before 2.1 does not perform CSRF checks on updates to its admin page, allowing an attacker to trick a logged in user to manipulate ads and inject arbitrary javascript via submitting a form.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2022

CVE-2022-1712
Publication date:
08/06/2022
The LiveSync for WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2022

CVE-2022-1647
Publication date:
08/06/2022
The FormCraft WordPress plugin before 1.2.6 does not sanitise and escape Field Labels, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2022

CVE-2022-1673
Publication date:
08/06/2022
The WooCommerce Green Wallet Gateway WordPress plugin before 1.0.2 does not escape the error_envision query parameter before outputting it to the page, leading to a Reflected Cross-Site Scripting vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2022

CVE-2022-1683
Publication date:
08/06/2022
The amtyThumb WordPress plugin through 4.2.0 does not sanitise and escape a parameter before using it in a SQL statement via its shortcode, leading to an SQL injection and is exploitable by any authenticated user (and not just Author+ like the original advisory mention) due to the fact that they can execute shortcodes via an AJAX action
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2022

CVE-2022-1684
Publication date:
08/06/2022
The Cube Slider WordPress plugin through 1.2 does not sanitise and escape the idslider parameter before using it in various SQL queries, leading to SQL Injections exploitable by high privileged users such as admin
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2022

CVE-2022-1685
Publication date:
08/06/2022
The Five Minute Webshop WordPress plugin through 1.3.2 does not properly validate and sanitise the orderby parameter before using it in a SQL statement via the Manage Products admin page, leading to an SQL Injection
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2022

CVE-2022-1686
Publication date:
08/06/2022
The Five Minute Webshop WordPress plugin through 1.3.2 does not sanitise and escape the id parameter before using it in a SQL statement when editing a product via the admin dashboard, leading to an SQL Injection
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2022

CVE-2022-1687
Publication date:
08/06/2022
The Logo Slider WordPress plugin through 1.4.8 does not sanitise and escape the lsp_slider_id parameter before using it in a SQL statement via the Manage Slider Images admin page, leading to an SQL Injection
Severity CVSS v4.0: Pending analysis
Last modification:
15/06/2022

CVE-2022-1394
Publication date:
08/06/2022
The Photo Gallery by 10Web WordPress plugin before 1.6.4 does not properly validate and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfiltered_html is disallowed
Severity CVSS v4.0: Pending analysis
Last modification:
17/06/2022
Subscribe to Vulnerabilities