National Vulnerability Database

Search Results

Search Parameters:
  • Keyword (text search): wordpress
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 1,691 matching records.
Displaying matches 1 through 20.
Vuln ID | Summary | CVSS Severity
CVE-2018-19287

XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter.

Published: November 15, 2018; 01:29:00 AM -05:00
(not available)
CVE-2018-19207

The Van Ons WP GDPR Compliance (aka wp-gdpr-compliance) plugin before 1.4.3 for WordPress allows remote attackers to execute arbitrary code because $wpdb->prepare() input is mishandled, as exploited in the wild in November 2018.

Published: November 12, 2018; 12:29:00 PM -05:00
(not available)
CVE-2018-18919

The WP Editor.md plugin 10.0.1 for WordPress allows XSS via the comment area.

Published: November 04, 2018; 01:29:00 AM -05:00
(not available)
CVE-2018-18655

Prayer through 1.3.5 sends a Referer header, containing a user's username, when a user clicks on a link in their email because header.t lacks a no-referrer setting.

Published: October 25, 2018; 08:29:00 PM -04:00
V3: 4.3 MEDIUM
V2: 4.3 MEDIUM
CVE-2018-18398

Xfce Thunar 1.6.15, when Xfce 4.12 is used, mishandles the IBus-Unikey input method for file searches within File Manager, leading to an out-of-bounds read and SEGV. This could potentially be exploited by an arbitrary local user who creates files in /tmp before the victim uses this input method.

Published: October 19, 2018; 06:29:01 PM -04:00
(not available)
CVE-2018-18461

The Arigato Autoresponder and Newsletter (aka bft-autoresponder) v2.5.1.7 plugin for WordPress allows remote attackers to execute arbitrary code via PHP code in attachments[] data to models/attachment.php.

Published: October 18, 2018; 02:29:01 AM -04:00
(not available)
CVE-2018-18460

XSS exists in the wp-live-chat-support v8.0.15 plugin for WordPress via the modules/gdpr.php term parameter in a wp-admin/admin.php wplivechat-menu-gdpr-page request.

Published: October 18, 2018; 02:29:01 AM -04:00
(not available)
CVE-2018-18373

In the Schiocco "Support Board - Chat And Help Desk" plugin 1.2.3 for WordPress, a Stored XSS vulnerability has been discovered in file upload areas in the Chat and Help Desk sections via the msg parameter in a /wp-admin/admin-ajax.php sb_ajax_add_message action.

Published: October 17, 2018; 10:29:01 AM -04:00
(not available)
CVE-2018-7633

Code injection in the /ui/login form Language parameter in Epicentro E_7.3.2+ allows attackers to execute JavaScript code by making a user issue a manipulated POST request.

Published: October 09, 2018; 06:29:02 PM -04:00
(not available)
CVE-2018-7632

Buffer Overflow in httpd in EpiCentro E_7.3.2+ allows attackers to cause a denial of service attack remotely via a specially crafted GET request with a leading "/" in the URL.

Published: October 09, 2018; 06:29:01 PM -04:00
(not available)
CVE-2018-7631

Buffer Overflow in httpd in EpiCentro E_7.3.2+ allows attackers to execute code remotely via a specially crafted GET request without a leading "/" and without authentication.

Published: October 09, 2018; 06:29:01 PM -04:00
(not available)
CVE-2018-17866

Multiple cross-site scripting (XSS) vulnerabilities in includes/core/um-actions-login.php in the "Ultimate Member - User Profile & Membership" plugin before 2.0.28 for WordPress allow remote attackers to inject arbitrary web script or HTML via the "Primary button Text" or "Second button text" field.

Published: October 09, 2018; 06:29:00 PM -04:00
(not available)
CVE-2018-18069

process_forms in the WPML (aka sitepress-multilingual-cms) plugin through 3.6.3 for WordPress has XSS via any locale_file_name_ parameter (such as locale_file_name_en) in an authenticated theme-localization.php request to wp-admin/admin.php.

Published: October 08, 2018; 06:29:00 PM -04:00
(not available)
CVE-2015-9273

The wp-slimstat (aka Slimstat Analytics) plugin before 4.1.6.1 for WordPress has XSS via an HTTP Referer header, or via a field associated with JavaScript-based Referer tracking.

Published: October 07, 2018; 01:29:00 PM -04:00
(not available)
CVE-2015-9272

The videowhisper-video-presentation plugin 3.31.17 for WordPress allows remote attackers to execute arbitrary code because vp/vw_upload.php considers a file safe when "html" are the last four characters, as demonstrated by a .phtml file containing PHP code.

Published: October 05, 2018; 02:29:00 AM -04:00
(not available)
CVE-2014-10076

The wp-db-backup plugin 2.2.4 for WordPress relies on a five-character string for access control, which makes it easier for remote attackers to read backup archives via a brute-force attack.

Published: October 05, 2018; 02:29:00 AM -04:00
(not available)
CVE-2015-9271

The VideoWhisper videowhisper-video-conference-integration plugin 4.91.8 for WordPress allows remote attackers to execute arbitrary code because vc/vw_upload.php considers a file safe when "html" are the last four characters, as demonstrated by a .phtml file containing PHP code, a different vulnerability than CVE-2014-1905.

Published: October 04, 2018; 07:29:00 PM -04:00
(not available)
CVE-2018-17562

Multi-Tech FaxFinder before 5.1.6 has SQL Injection via a status/call_details?oid= URI, allowing an attacker to extract the underlying database schema to further disclose other fax server information through different injection points.

Published: October 03, 2018; 04:29:16 PM -04:00
(not available)
CVE-2018-17947

The Snazzy Maps plugin before 1.1.5 for WordPress has XSS via the text or tab parameter.

Published: October 03, 2018; 04:29:00 AM -04:00
(not available)
CVE-2018-17946

The Tribulant Slideshow Gallery plugin before 1.6.6.1 for WordPress has XSS via the id, method, Gallerymessage, Galleryerror, or Galleryupdated parameter.

Published: October 03, 2018; 04:29:00 AM -04:00
(not available)