Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
12 vulnerabilities by Lester 'GaMerZ' Chan
CVE-2023-22715 (GCVE-0-2023-22715)
Vulnerability from nvd – Published: 2023-03-23 12:31 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress WP-CommentNavi Plugin <= 1.12.1 is vulnerable to Cross Site Scripting (XSS)
Summary
Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Lester 'GaMerZ' Chan WP-CommentNavi plugin <= 1.12.1 versions.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/wp-… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Lester 'GaMerZ' Chan | WP-CommentNavi |
Affected:
n/a , ≤ 1.12.1
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:50.137Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-commentnavi/wordpress-wp-commentnavi-plugin-1-12-1-cross-site-scripting-xss?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T20:49:52.536625Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T21:38:37.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "WP-CommentNavi",
"vendor": "Lester \u0027GaMerZ\u0027 Chan",
"versions": [
{
"changes": [
{
"at": "1.12.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.12.1",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rio Darmawan (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Lester \u0027GaMerZ\u0027 Chan WP-CommentNavi plugin \u003c=\u003cspan style=\"background-color: var(--wht);\"\u003e\u00a01.12.1 versions.\u003c/span\u003e"
}
],
"value": "Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Lester \u0027GaMerZ\u0027 Chan WP-CommentNavi plugin \u003c=\u00a01.12.1 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:59.617Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wp-commentnavi/wordpress-wp-commentnavi-plugin-1-12-1-cross-site-scripting-xss?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u00a01.12.2 or a higher version."
}
],
"value": "Update to\u00a01.12.2 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP-CommentNavi Plugin \u003c= 1.12.1 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-22715",
"datePublished": "2023-03-23T12:31:35.221Z",
"dateReserved": "2023-01-06T12:03:03.057Z",
"dateUpdated": "2026-04-28T16:07:59.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-40130 (GCVE-0-2022-40130)
Vulnerability from nvd – Published: 2022-11-18 22:31 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress WP-Polls plugin <= 2.76.0 - Auth. Race Condition vulnerability
Summary
Auth. (subscriber+) Race Condition vulnerability in WP-Polls plugin <= 2.76.0 on WordPress.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Race condition
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Lester 'GaMerZ' Chan | WP-Polls (WordPress plugin) |
Affected:
<= 2.76.0 , ≤ 2.76.0
(custom)
|
Date Public
2022-10-05 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.758Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-polls/wordpress-wp-polls-plugin-2-76-0-race-condition-vulnerability?_s_id=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/wp-polls/#developers"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-40130",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:19:46.255662Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:49:58.013Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WP-Polls (WordPress plugin)",
"vendor": "Lester \u0027GaMerZ\u0027 Chan",
"versions": [
{
"lessThanOrEqual": "2.76.0",
"status": "affected",
"version": "\u003c= 2.76.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Nguy Minh Tuan (Patchstack Alliance)"
}
],
"datePublic": "2022-10-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Auth. (subscriber+) Race Condition vulnerability in WP-Polls plugin \u003c= 2.76.0 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Race condition",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:47.694Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://patchstack.com/database/vulnerability/wp-polls/wordpress-wp-polls-plugin-2-76-0-race-condition-vulnerability?_s_id=cve"
},
{
"url": "https://wordpress.org/plugins/wp-polls/#developers"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.77.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP-Polls plugin \u003c= 2.76.0 - Auth. Race Condition vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-40130",
"datePublished": "2022-11-18T22:31:42.678Z",
"dateReserved": "2022-09-27T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:47.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-36422 (GCVE-0-2022-36422)
Vulnerability from nvd – Published: 2022-09-09 14:39 – Updated: 2026-04-28 16:07
VLAI
Title
WP-PostRatings plugin <= 1.89 - Rating increase/decrease via race condition
Summary
Rating increase/decrease via race condition in Lester 'GaMerZ' Chan WP-PostRatings plugin <= 1.89 at WordPress.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Race condition
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/wp-… | x_refsource_CONFIRM |
| https://wordpress.org/plugins/wp-postratings/#dev… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Lester 'GaMerZ' Chan | WP-PostRatings (WordPress plugin) |
Affected:
<= 1.89 , ≤ 1.89
(custom)
|
Date Public
2022-08-31 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:07:34.067Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-postratings/wordpress-wp-postratings-plugin-1-89-rating-increase-decrease-via-race-condition-vulnerability/_s_id=cve"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/wp-postratings/#developers"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:25:36.271272Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:08:06.697Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WP-PostRatings (WordPress plugin)",
"vendor": "Lester \u0027GaMerZ\u0027 Chan",
"versions": [
{
"lessThanOrEqual": "1.89",
"status": "affected",
"version": "\u003c= 1.89",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Nguy Minh Tuan (Patchstack Alliance)"
}
],
"datePublic": "2022-08-31T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Rating increase/decrease via race condition in Lester \u0027GaMerZ\u0027 Chan WP-PostRatings plugin \u003c= 1.89 at WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Race condition",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:46.278Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/wp-postratings/wordpress-wp-postratings-plugin-1-89-rating-increase-decrease-via-race-condition-vulnerability/_s_id=cve"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/wp-postratings/#developers"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.90 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WP-PostRatings plugin \u003c= 1.89 - Rating increase/decrease via race condition",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-08-31T07:24:00.000Z",
"ID": "CVE-2022-36422",
"STATE": "PUBLIC",
"TITLE": "WP-PostRatings plugin \u003c= 1.89 - Rating increase/decrease via race condition"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP-PostRatings (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 1.89",
"version_value": "1.89"
}
]
}
}
]
},
"vendor_name": "Lester \u0027GaMerZ\u0027 Chan"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Nguy Minh Tuan (Patchstack Alliance)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rating increase/decrease via race condition in Lester \u0027GaMerZ\u0027 Chan WP-PostRatings plugin \u003c= 1.89 at WordPress."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Race condition"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://patchstack.com/database/vulnerability/wp-postratings/wordpress-wp-postratings-plugin-1-89-rating-increase-decrease-via-race-condition-vulnerability/_s_id=cve",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/wp-postratings/wordpress-wp-postratings-plugin-1-89-rating-increase-decrease-via-race-condition-vulnerability/_s_id=cve"
},
{
"name": "https://wordpress.org/plugins/wp-postratings/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/wp-postratings/#developers"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 1.90 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-36422",
"datePublished": "2022-09-09T14:39:52.886Z",
"dateReserved": "2022-08-09T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:46.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-25606 (GCVE-0-2022-25606)
Vulnerability from nvd – Published: 2022-03-25 18:02 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress WP-DownloadManager plugin <= 1.68.5 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
Summary
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6). Vulnerable parameters &download_path, &download_path_url, &download_page_url, &download_categories.
Severity
4.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/wp-downloadmanager/… | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/wp-… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Lester 'GaMerZ' Chan | WP-DownloadManager (WordPress) |
Affected:
<= 1.68.5 , ≤ 1.68.5
(custom)
|
Date Public
2022-01-10 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:42:50.290Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/wp-downloadmanager/#developers"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-5-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-25606",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:32:36.647020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:29:34.538Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WP-DownloadManager (WordPress)",
"vendor": "Lester \u0027GaMerZ\u0027 Chan",
"versions": [
{
"lessThanOrEqual": "1.68.5",
"status": "affected",
"version": "\u003c= 1.68.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Ex.Mi (Patchstack)."
}
],
"datePublic": "2022-01-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions \u003c= 1.68.6). Vulnerable parameters \u0026download_path, \u0026download_path_url, \u0026download_page_url, \u0026download_categories."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:39.107Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/wp-downloadmanager/#developers"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-5-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.68.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP-DownloadManager plugin \u003c= 1.68.5 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-01-10T13:42:00.000Z",
"ID": "CVE-2022-25606",
"STATE": "PUBLIC",
"TITLE": "WordPress WP-DownloadManager plugin \u003c= 1.68.5 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP-DownloadManager (WordPress)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 1.68.5",
"version_value": "1.68.5"
}
]
}
}
]
},
"vendor_name": "Lester \u0027GaMerZ\u0027 Chan"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Ex.Mi (Patchstack)."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions \u003c= 1.68.6). Vulnerable parameters \u0026download_path, \u0026download_path_url, \u0026download_page_url, \u0026download_categories."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/wp-downloadmanager/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/wp-downloadmanager/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-5-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-5-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 1.68.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-25606",
"datePublished": "2022-03-25T18:02:32.949Z",
"dateReserved": "2022-02-21T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:39.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-25605 (GCVE-0-2022-25605)
Vulnerability from nvd – Published: 2022-03-18 18:00 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress WP-DownloadManager plugin <= 1.68.6 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
Summary
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6). Vvulnerable parameters &download_path, &download_path_url, &download_page_url.
Severity
4.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/wp-downloadmanager/… | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/wp-… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Lester 'GaMerZ' Chan | WP-DownloadManager (WordPress) |
Affected:
<= 1.68.6 , ≤ 1.68.6
(custom)
|
Date Public
2022-01-12 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:42:49.984Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/wp-downloadmanager/#developers"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-6-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-25605",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:32:48.830485Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:30:10.178Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WP-DownloadManager (WordPress)",
"vendor": "Lester \u0027GaMerZ\u0027 Chan",
"versions": [
{
"lessThanOrEqual": "1.68.6",
"status": "affected",
"version": "\u003c= 1.68.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Ex.Mi (Patchstack)."
}
],
"datePublic": "2022-01-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions \u003c= 1.68.6). Vvulnerable parameters \u0026download_path, \u0026download_path_url, \u0026download_page_url."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:39.102Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/wp-downloadmanager/#developers"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-6-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.68.7 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP-DownloadManager plugin \u003c= 1.68.6 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-01-12T13:42:00.000Z",
"ID": "CVE-2022-25605",
"STATE": "PUBLIC",
"TITLE": "WordPress WP-DownloadManager plugin \u003c= 1.68.6 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP-DownloadManager (WordPress)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 1.68.6",
"version_value": "1.68.6"
}
]
}
}
]
},
"vendor_name": "Lester \u0027GaMerZ\u0027 Chan"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Ex.Mi (Patchstack)."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions \u003c= 1.68.6). Vvulnerable parameters \u0026download_path, \u0026download_path_url, \u0026download_page_url."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/wp-downloadmanager/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/wp-downloadmanager/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-6-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-6-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 1.68.7 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-25605",
"datePublished": "2022-03-18T18:00:27.446Z",
"dateReserved": "2022-02-21T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:39.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-44760 (GCVE-0-2021-44760)
Vulnerability from nvd – Published: 2022-03-18 18:00 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress WP-DownloadManager plugin <= 1.68.6 - Auth. Reflected Cross-Site Scripting (XSS) vulnerability
Summary
Auth. (admin+) Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager plugin <= 1.68.6 versions.
Severity
4.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/wp-… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Lester 'GaMerZ' Chan | WP-DownloadManager (WordPress plugin) |
Affected:
n/a , ≤ 1.68.6
(custom)
|
Date Public
2021-12-27 22:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:13.389Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-6-authenticated-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-44760",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:06:57.548295Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:45:55.812Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-downloadmanager",
"product": "WP-DownloadManager (WordPress plugin)",
"vendor": "Lester \u0027GaMerZ\u0027 Chan",
"versions": [
{
"changes": [
{
"at": "1.68.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.68.6",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "thiennv (Patchstack Alliance)"
}
],
"datePublic": "2021-12-27T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAuth. (admin+) Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager plugin \u003c= 1.68.6 versions.\u003c/p\u003e"
}
],
"value": "Auth. (admin+) Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager plugin \u003c= 1.68.6 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:38.236Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-6-authenticated-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate to 1.68.7 or higher version.\u003c/p\u003e"
}
],
"value": "Update to 1.68.7 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP-DownloadManager plugin \u003c= 1.68.6 - Auth. Reflected Cross-Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2021-12-28T08:23:00.000Z",
"ID": "CVE-2021-44760",
"STATE": "PUBLIC",
"TITLE": "WordPress WP-DownloadManager plugin \u003c= 1.68.6 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP-DownloadManager (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 1.68.6",
"version_value": "1.68.6"
}
]
}
}
]
},
"vendor_name": "Lester \u0027GaMerZ\u0027 Chan"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Ngo Van Thien (Patchstack Red Team project)."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager WordPress plugin (versions \u003c= 1.68.6)."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/wp-downloadmanager/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/wp-downloadmanager/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-6-authenticated-reflected-cross-site-scripting-xss-vulnerability",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-6-authenticated-reflected-cross-site-scripting-xss-vulnerability"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 1.68.7 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-44760",
"datePublished": "2022-03-18T18:00:23.573Z",
"dateReserved": "2022-01-13T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:38.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-22715 (GCVE-0-2023-22715)
Vulnerability from cvelistv5 – Published: 2023-03-23 12:31 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress WP-CommentNavi Plugin <= 1.12.1 is vulnerable to Cross Site Scripting (XSS)
Summary
Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Lester 'GaMerZ' Chan WP-CommentNavi plugin <= 1.12.1 versions.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/wp-… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Lester 'GaMerZ' Chan | WP-CommentNavi |
Affected:
n/a , ≤ 1.12.1
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:50.137Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-commentnavi/wordpress-wp-commentnavi-plugin-1-12-1-cross-site-scripting-xss?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T20:49:52.536625Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T21:38:37.567Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "WP-CommentNavi",
"vendor": "Lester \u0027GaMerZ\u0027 Chan",
"versions": [
{
"changes": [
{
"at": "1.12.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.12.1",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rio Darmawan (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Lester \u0027GaMerZ\u0027 Chan WP-CommentNavi plugin \u003c=\u003cspan style=\"background-color: var(--wht);\"\u003e\u00a01.12.1 versions.\u003c/span\u003e"
}
],
"value": "Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Lester \u0027GaMerZ\u0027 Chan WP-CommentNavi plugin \u003c=\u00a01.12.1 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:59.617Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wp-commentnavi/wordpress-wp-commentnavi-plugin-1-12-1-cross-site-scripting-xss?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u00a01.12.2 or a higher version."
}
],
"value": "Update to\u00a01.12.2 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP-CommentNavi Plugin \u003c= 1.12.1 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-22715",
"datePublished": "2023-03-23T12:31:35.221Z",
"dateReserved": "2023-01-06T12:03:03.057Z",
"dateUpdated": "2026-04-28T16:07:59.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-40130 (GCVE-0-2022-40130)
Vulnerability from cvelistv5 – Published: 2022-11-18 22:31 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress WP-Polls plugin <= 2.76.0 - Auth. Race Condition vulnerability
Summary
Auth. (subscriber+) Race Condition vulnerability in WP-Polls plugin <= 2.76.0 on WordPress.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Race condition
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Lester 'GaMerZ' Chan | WP-Polls (WordPress plugin) |
Affected:
<= 2.76.0 , ≤ 2.76.0
(custom)
|
Date Public
2022-10-05 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:14:39.758Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-polls/wordpress-wp-polls-plugin-2-76-0-race-condition-vulnerability?_s_id=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/wp-polls/#developers"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-40130",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:19:46.255662Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:49:58.013Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WP-Polls (WordPress plugin)",
"vendor": "Lester \u0027GaMerZ\u0027 Chan",
"versions": [
{
"lessThanOrEqual": "2.76.0",
"status": "affected",
"version": "\u003c= 2.76.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Nguy Minh Tuan (Patchstack Alliance)"
}
],
"datePublic": "2022-10-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Auth. (subscriber+) Race Condition vulnerability in WP-Polls plugin \u003c= 2.76.0 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Race condition",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:47.694Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://patchstack.com/database/vulnerability/wp-polls/wordpress-wp-polls-plugin-2-76-0-race-condition-vulnerability?_s_id=cve"
},
{
"url": "https://wordpress.org/plugins/wp-polls/#developers"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.77.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP-Polls plugin \u003c= 2.76.0 - Auth. Race Condition vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-40130",
"datePublished": "2022-11-18T22:31:42.678Z",
"dateReserved": "2022-09-27T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:47.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-36422 (GCVE-0-2022-36422)
Vulnerability from cvelistv5 – Published: 2022-09-09 14:39 – Updated: 2026-04-28 16:07
VLAI
Title
WP-PostRatings plugin <= 1.89 - Rating increase/decrease via race condition
Summary
Rating increase/decrease via race condition in Lester 'GaMerZ' Chan WP-PostRatings plugin <= 1.89 at WordPress.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Race condition
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/wp-… | x_refsource_CONFIRM |
| https://wordpress.org/plugins/wp-postratings/#dev… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Lester 'GaMerZ' Chan | WP-PostRatings (WordPress plugin) |
Affected:
<= 1.89 , ≤ 1.89
(custom)
|
Date Public
2022-08-31 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:07:34.067Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-postratings/wordpress-wp-postratings-plugin-1-89-rating-increase-decrease-via-race-condition-vulnerability/_s_id=cve"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/wp-postratings/#developers"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:25:36.271272Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:08:06.697Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WP-PostRatings (WordPress plugin)",
"vendor": "Lester \u0027GaMerZ\u0027 Chan",
"versions": [
{
"lessThanOrEqual": "1.89",
"status": "affected",
"version": "\u003c= 1.89",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Nguy Minh Tuan (Patchstack Alliance)"
}
],
"datePublic": "2022-08-31T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Rating increase/decrease via race condition in Lester \u0027GaMerZ\u0027 Chan WP-PostRatings plugin \u003c= 1.89 at WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Race condition",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:46.278Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/wp-postratings/wordpress-wp-postratings-plugin-1-89-rating-increase-decrease-via-race-condition-vulnerability/_s_id=cve"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/wp-postratings/#developers"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.90 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WP-PostRatings plugin \u003c= 1.89 - Rating increase/decrease via race condition",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-08-31T07:24:00.000Z",
"ID": "CVE-2022-36422",
"STATE": "PUBLIC",
"TITLE": "WP-PostRatings plugin \u003c= 1.89 - Rating increase/decrease via race condition"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP-PostRatings (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 1.89",
"version_value": "1.89"
}
]
}
}
]
},
"vendor_name": "Lester \u0027GaMerZ\u0027 Chan"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Nguy Minh Tuan (Patchstack Alliance)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rating increase/decrease via race condition in Lester \u0027GaMerZ\u0027 Chan WP-PostRatings plugin \u003c= 1.89 at WordPress."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Race condition"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://patchstack.com/database/vulnerability/wp-postratings/wordpress-wp-postratings-plugin-1-89-rating-increase-decrease-via-race-condition-vulnerability/_s_id=cve",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/wp-postratings/wordpress-wp-postratings-plugin-1-89-rating-increase-decrease-via-race-condition-vulnerability/_s_id=cve"
},
{
"name": "https://wordpress.org/plugins/wp-postratings/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/wp-postratings/#developers"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 1.90 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-36422",
"datePublished": "2022-09-09T14:39:52.886Z",
"dateReserved": "2022-08-09T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:46.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-25606 (GCVE-0-2022-25606)
Vulnerability from cvelistv5 – Published: 2022-03-25 18:02 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress WP-DownloadManager plugin <= 1.68.5 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
Summary
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6). Vulnerable parameters &download_path, &download_path_url, &download_page_url, &download_categories.
Severity
4.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/wp-downloadmanager/… | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/wp-… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Lester 'GaMerZ' Chan | WP-DownloadManager (WordPress) |
Affected:
<= 1.68.5 , ≤ 1.68.5
(custom)
|
Date Public
2022-01-10 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:42:50.290Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/wp-downloadmanager/#developers"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-5-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-25606",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:32:36.647020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:29:34.538Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WP-DownloadManager (WordPress)",
"vendor": "Lester \u0027GaMerZ\u0027 Chan",
"versions": [
{
"lessThanOrEqual": "1.68.5",
"status": "affected",
"version": "\u003c= 1.68.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Ex.Mi (Patchstack)."
}
],
"datePublic": "2022-01-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions \u003c= 1.68.6). Vulnerable parameters \u0026download_path, \u0026download_path_url, \u0026download_page_url, \u0026download_categories."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:39.107Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/wp-downloadmanager/#developers"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-5-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.68.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP-DownloadManager plugin \u003c= 1.68.5 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-01-10T13:42:00.000Z",
"ID": "CVE-2022-25606",
"STATE": "PUBLIC",
"TITLE": "WordPress WP-DownloadManager plugin \u003c= 1.68.5 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP-DownloadManager (WordPress)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 1.68.5",
"version_value": "1.68.5"
}
]
}
}
]
},
"vendor_name": "Lester \u0027GaMerZ\u0027 Chan"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Ex.Mi (Patchstack)."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions \u003c= 1.68.6). Vulnerable parameters \u0026download_path, \u0026download_path_url, \u0026download_page_url, \u0026download_categories."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/wp-downloadmanager/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/wp-downloadmanager/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-5-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-5-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 1.68.6 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-25606",
"datePublished": "2022-03-25T18:02:32.949Z",
"dateReserved": "2022-02-21T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:39.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-25605 (GCVE-0-2022-25605)
Vulnerability from cvelistv5 – Published: 2022-03-18 18:00 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress WP-DownloadManager plugin <= 1.68.6 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
Summary
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions <= 1.68.6). Vvulnerable parameters &download_path, &download_path_url, &download_page_url.
Severity
4.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/wp-downloadmanager/… | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/wp-… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Lester 'GaMerZ' Chan | WP-DownloadManager (WordPress) |
Affected:
<= 1.68.6 , ≤ 1.68.6
(custom)
|
Date Public
2022-01-12 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:42:49.984Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/wp-downloadmanager/#developers"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-6-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-25605",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:32:48.830485Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T20:30:10.178Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WP-DownloadManager (WordPress)",
"vendor": "Lester \u0027GaMerZ\u0027 Chan",
"versions": [
{
"lessThanOrEqual": "1.68.6",
"status": "affected",
"version": "\u003c= 1.68.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Ex.Mi (Patchstack)."
}
],
"datePublic": "2022-01-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions \u003c= 1.68.6). Vvulnerable parameters \u0026download_path, \u0026download_path_url, \u0026download_page_url."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:39.102Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/wp-downloadmanager/#developers"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-6-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.68.7 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP-DownloadManager plugin \u003c= 1.68.6 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2022-01-12T13:42:00.000Z",
"ID": "CVE-2022-25605",
"STATE": "PUBLIC",
"TITLE": "WordPress WP-DownloadManager plugin \u003c= 1.68.6 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP-DownloadManager (WordPress)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 1.68.6",
"version_value": "1.68.6"
}
]
}
}
]
},
"vendor_name": "Lester \u0027GaMerZ\u0027 Chan"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Ex.Mi (Patchstack)."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities discovered in WP-DownloadManager WordPress plugin (versions \u003c= 1.68.6). Vvulnerable parameters \u0026download_path, \u0026download_path_url, \u0026download_page_url."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/wp-downloadmanager/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/wp-downloadmanager/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-6-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-6-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 1.68.7 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-25605",
"datePublished": "2022-03-18T18:00:27.446Z",
"dateReserved": "2022-02-21T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:39.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-44760 (GCVE-0-2021-44760)
Vulnerability from cvelistv5 – Published: 2022-03-18 18:00 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress WP-DownloadManager plugin <= 1.68.6 - Auth. Reflected Cross-Site Scripting (XSS) vulnerability
Summary
Auth. (admin+) Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager plugin <= 1.68.6 versions.
Severity
4.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/wp-… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Lester 'GaMerZ' Chan | WP-DownloadManager (WordPress plugin) |
Affected:
n/a , ≤ 1.68.6
(custom)
|
Date Public
2021-12-27 22:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:13.389Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-6-authenticated-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-44760",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:06:57.548295Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:45:55.812Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-downloadmanager",
"product": "WP-DownloadManager (WordPress plugin)",
"vendor": "Lester \u0027GaMerZ\u0027 Chan",
"versions": [
{
"changes": [
{
"at": "1.68.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.68.6",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "thiennv (Patchstack Alliance)"
}
],
"datePublic": "2021-12-27T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAuth. (admin+) Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager plugin \u003c= 1.68.6 versions.\u003c/p\u003e"
}
],
"value": "Auth. (admin+) Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager plugin \u003c= 1.68.6 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:38.236Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-6-authenticated-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate to 1.68.7 or higher version.\u003c/p\u003e"
}
],
"value": "Update to 1.68.7 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP-DownloadManager plugin \u003c= 1.68.6 - Auth. Reflected Cross-Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2021-12-28T08:23:00.000Z",
"ID": "CVE-2021-44760",
"STATE": "PUBLIC",
"TITLE": "WordPress WP-DownloadManager plugin \u003c= 1.68.6 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP-DownloadManager (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 1.68.6",
"version_value": "1.68.6"
}
]
}
}
]
},
"vendor_name": "Lester \u0027GaMerZ\u0027 Chan"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Vulnerability discovered by Ngo Van Thien (Patchstack Red Team project)."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authenticated Reflected Cross-Site Scripting (XSS) vulnerability discovered in WP-DownloadManager WordPress plugin (versions \u003c= 1.68.6)."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/wp-downloadmanager/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/wp-downloadmanager/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-6-authenticated-reflected-cross-site-scripting-xss-vulnerability",
"refsource": "CONFIRM",
"url": "https://patchstack.com/database/vulnerability/wp-downloadmanager/wordpress-wp-downloadmanager-plugin-1-68-6-authenticated-reflected-cross-site-scripting-xss-vulnerability"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 1.68.7 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-44760",
"datePublished": "2022-03-18T18:00:23.573Z",
"dateReserved": "2022-01-13T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:38.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}