National Vulnerability Database

Search Results

Search Parameters:
  • Keyword (text search): Wordpress
There are 2,804 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2012-6649

WordPress WP GPX Maps Plugin 1.1.21 allows remote attackers to execute arbitrary PHP code via improper file upload.

Published: January 23, 2020; 05:15:09 PM -05:00
(not available)
CVE-2014-7238

The WordPress plugin Contact Form Integrated With Google Maps 1.0-2.4 has Stored XSS.

Published: January 23, 2020; 10:15:13 AM -05:00
(not available)
CVE-2012-4919

Gallery Plugin 1.4 for WordPress has a Remote File Include Vulnerability.

Published: January 22, 2020; 02:15:10 PM -05:00
(not available)
CVE-2020-7109

The Elementor Page Builder plugin before 2.8.4 for WordPress does not sanitize data during creation of a new template.

Published: January 22, 2020; 12:15:11 PM -05:00
(not available)
CVE-2020-7228

The Calculated Fields Form plugin through 1.0.353 for WordPress suffers from multiple Stored XSS vulnerabilities present in the input forms. These can be exploited by an authenticated user.

Published: January 22, 2020; 10:15:11 AM -05:00
(not available)
CVE-2020-6849

The marketo-forms-and-tracking plugin through 1.0.2 for WordPress allows wp-admin/admin.php?page=marketo_fat CSRF with resultant XSS.

Published: January 21, 2020; 02:15:14 PM -05:00
(not available)
CVE-2016-11018

An issue was discovered in the Huge-IT gallery-images plugin before 1.9.0 for WordPress. The headers Client-Ip and X-Forwarded-For are prone to unauthenticated SQL injection. The affected file is gallery-images.php. The affected function is huge_it_image_gallery_ajax_callback().

Published: January 21, 2020; 02:15:12 PM -05:00
(not available)
CVE-2020-7239

The conversation-watson plugin before 0.8.21 for WordPress has a DOM-based XSS vulnerability that is executed when a chat message containing JavaScript is sent.

Published: January 21, 2020; 12:15:11 AM -05:00
(not available)
CVE-2020-7241

The WP Database Backup plugin through 5.5 for WordPress stores downloads by default locally in the directory wp-content/uploads/db-backup/. This might allow attackers to read ZIP archives by guessing random ID numbers, guessing date strings with a 2020_{0..1}{0..2}_{0..3}{0..9} format, guessing UNIX timestamps, and making HTTPS requests with the complete guessed URL.

Published: January 20, 2020; 03:15:11 PM -05:00
(not available)
CVE-2020-7104

The chained-quiz plugin 1.1.8.1 for WordPress has reflected XSS via the wp-admin/admin-ajax.php total_questions parameter.

Published: January 17, 2020; 06:15:13 PM -05:00
(not available)
CVE-2020-7048

The WordPress plugin, WP Database Reset through 3.1, contains a flaw that allowed any unauthenticated user to reset any table in the database to the initial WordPress set-up state (deleting all site content stored in that table), as demonstrated by a wp-admin/admin-post.php?db-reset-tables[]=comments URI.

Published: January 16, 2020; 04:15:12 PM -05:00
(not available)
CVE-2020-7047

The WordPress plugin, WP Database Reset through 3.1, contains a flaw that gave any authenticated user, with minimal permissions, the ability (with a simple wp-admin/admin.php?db-reset-tables[]=users request) to escalate their privileges to administrator while dropping all other users from the table.

Published: January 16, 2020; 04:15:12 PM -05:00
(not available)
CVE-2020-7108

The LearnDash LMS plugin before 3.1.2 for WordPress allows XSS via the ld-profile search field.

Published: January 16, 2020; 12:15:12 AM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2020-7107

The Ultimate FAQ plugin before 1.8.30 for WordPress allows XSS via Display_FAQ to Shortcodes/DisplayFAQs.php.

Published: January 16, 2020; 12:15:11 AM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2015-5484

Cross-site scripting (XSS) vulnerability in the Plotly plugin before 1.0.3 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via a post.

Published: January 15, 2020; 11:15:12 AM -05:00
V3.1: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2019-20212

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via the chat widget/page message form.

Published: January 13, 2020; 01:15:14 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20211

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via Listing Address, Listing Latitude, Listing Longitude, Email Address, Description, Name, Job or Position, Description, Service Name, Address, Latitude, Longitude, Phone Number, or Website.

Published: January 13, 2020; 01:15:14 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20210

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Reflected XSS via a search query.

Published: January 13, 2020; 01:15:14 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20209

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Insecure Direct Object Reference (IDOR) via wp-admin/admin-ajax.php to delete any page/post/listing.

Published: January 13, 2020; 01:15:13 PM -05:00
V3.1: 7.5 HIGH
    V2: 6.4 MEDIUM
CVE-2020-6859

Multiple Insecure Direct Object Reference vulnerabilities in includes/core/class-files.php in the Ultimate Member plugin through 2.1.2 for WordPress allow remote attackers to change other users' profiles and cover photos via a modified user_id parameter. This is related to ajax_image_upload and ajax_resize_image.

Published: January 13, 2020; 12:15:11 PM -05:00
V3.1: 5.3 MEDIUM
    V2: 5.0 MEDIUM