CVE-2022-24813
CreateWiki is Miraheze’s MediaWiki extension for requesting & creating wikis. Without the patch for this issue, anonymous comments can be made using Special:RequestWikiQueue when sent directly via POST. A patch for this issue is available in the `master` branch of CreateWiki’s GitHub repository.
Source: CVE-2022-24813
CVE-2022-24785
Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.
Source: CVE-2022-24785
CVE-2020-28062
An Access Control vulnerability exists in HisiPHP 2.0.11 via special packets that are constructed in $files = Dir::getList($decompath. ‘/ Upload/Plugins /, which could let a remote malicious user execute arbitrary code.
Source: CVE-2020-28062
CVE-2022-1170
In the Noo JobMonster WordPress theme before 4.5.2.9 JobMonster there is a XSS vulnerability as the input for the search form is provided through unsanitized GET requests.
Source: CVE-2022-1170
CVE-2022-1168
There is a Cross-Site Scripting vulnerability in the JobSearch WP JobSearch WordPress plugin before 1.5.1.
Source: CVE-2022-1168
CVE-2022-0887
The Easy Social Icons WordPress plugin before 3.1.4 does not sanitize the selected_icons attribute to the cnss_widget before using it in an SQL statement, leading to a SQL injection vulnerability.
Source: CVE-2022-0887
CVE-2022-1167
There are unauthenticated reflected Cross-Site Scripting (XSS) vulnerabilities in CareerUp Careerup WordPress theme before 2.3.1, via the filter parameters.
Source: CVE-2022-1167
CVE-2022-1166
The JobMonster Theme was vulnerable to Directory Listing in the /wp-content/uploads/jobmonster/ folder, as it did not include a default PHP file, or .htaccess file. This could expose personal data such as people’s resumes. Although Directory Listing can be prevented by securely configuring the web server, vendors can also take measures to make it less likely to happen.
Source: CVE-2022-1166
CVE-2022-1165
The Blackhole for Bad Bots WordPress plugin before 3.3.2 uses headers such as CF-CONNECTING-IP, CLIENT-IP etc to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate/good search engine crawlers / bots. This could also be abused by competitors to cause damage related to visibility in search engines, can be used to bypass arbitrary blocks caused by this plugin, block any visitor or even the administrator and even more.
Source: CVE-2022-1165