National Vulnerability Database

Search Results

Search Parameters:
  • Keyword (text search): wordpress themes
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 53 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2020-4049

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Published: June 12, 2020; 12:15:10 PM -04:00
V3.1: 2.4 LOW
    V2: 3.5 LOW
CVE-2020-12054

The Catch Breadcrumb plugin before 1.5.4 for WordPress allows Reflected XSS via the s parameter (a search query). Also affected are 16 themes (if the plugin is enabled) by the same author: Alchemist and Alchemist PRO, Izabel and Izabel PRO, Chique and Chique PRO, Clean Enterprise and Clean Enterprise PRO, Bold Photography PRO, Intuitive PRO, Devotepress PRO, Clean Blocks PRO, Foodoholic PRO, Catch Mag PRO, Catch Wedding PRO, and Higher Education PRO.

Published: April 23, 2020; 11:15:14 AM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2020-9003

A stored XSS vulnerability exists in the Modula Image Gallery plugin before 2.2.5 for WordPress. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users.

Published: February 20, 2020; 05:15:12 PM -05:00
V3.1: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2020-8549

Stored XSS in the Strong Testimonials plugin before 2.40.1 for WordPress can result in an attacker performing malicious actions such as stealing session tokens.

Published: February 03, 2020; 12:15:17 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20212

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via the chat widget/page message form.

Published: January 13, 2020; 01:15:14 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20211

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via Listing Address, Listing Latitude, Listing Longitude, Email Address, Description, Name, Job or Position, Description, Service Name, Address, Latitude, Longitude, Phone Number, or Website.

Published: January 13, 2020; 01:15:14 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20210

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Reflected XSS via a search query.

Published: January 13, 2020; 01:15:14 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20209

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Insecure Direct Object Reference (IDOR) via wp-admin/admin-ajax.php to delete any page/post/listing.

Published: January 13, 2020; 01:15:13 PM -05:00
V3.1: 7.5 HIGH
    V2: 6.4 MEDIUM
CVE-2020-6166

A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.15, allows authenticated users with basic access to export settings and change maintenance-mode themes.

Published: January 09, 2020; 03:15:11 PM -05:00
V3.1: 5.4 MEDIUM
    V2: 5.5 MEDIUM
CVE-2015-9437

The dynamic-widgets plugin before 1.5.11 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=dynwid-config page_limit parameter.

Published: September 25, 2019; 10:15:10 PM -04:00
V3.1: 6.5 MEDIUM
    V2: 4.3 MEDIUM
CVE-2015-9429

The yith-maintenance-mode plugin before 1.2.0 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=yith-maintenance-mode panel_page parameter.

Published: September 25, 2019; 09:15:10 PM -04:00
V3.1: 6.5 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-11004

The Elegant Themes Monarch plugin before 1.2.7 for WordPress has privilege escalation.

Published: September 20, 2019; 11:15:13 AM -04:00
V3.1: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2016-11003

The Elegant Themes Bloom plugin before 1.1.1 for WordPress has privilege escalation.

Published: September 20, 2019; 11:15:13 AM -04:00
V3.1: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2016-11002

The Elegant Themes Extra theme before 1.2.4 for WordPress has privilege escalation.

Published: September 20, 2019; 11:15:13 AM -04:00
V3.1: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2015-9379

iThemes Builder Style Manager before 0.7.7 for WordPress has XSS via add_query_arg() and remove_query_arg().

Published: August 28, 2019; 09:15:11 AM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2015-9378

iThemes Builder Theme Market before 5.1.27 for WordPress has XSS via add_query_arg() and remove_query_arg().

Published: August 28, 2019; 09:15:11 AM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2015-9377

iThemes Builder Theme Depot before 5.0.30 for WordPress has XSS via add_query_arg() and remove_query_arg().

Published: August 28, 2019; 09:15:11 AM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2015-9376

iThemes Mobile before 1.2.8 for WordPress has XSS via add_query_arg() and remove_query_arg().

Published: August 28, 2019; 09:15:11 AM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2015-9375

Table Rate Shipping Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

Published: August 28, 2019; 09:15:11 AM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2015-9374

Stripe Add-on for iThemes Exchange before 1.2.0 for WordPress has XSS via add_query_arg() and remove_query_arg().

Published: August 28, 2019; 09:15:11 AM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM