National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Search Type: Search All
  • Keyword (text search): wordpress
There are 2,457 matching records.
Displaying matches 1661 through 1680.
Vuln ID Summary CVSS Severity
CVE-2014-5368

Directory traversal vulnerability in the file_get_contents function in downloadfiles/download.php in the WP Content Source Control (wp-source-control) plugin 3.0.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter.

Published: August 22, 2014; 10:55:09 AM -04:00
    V2: 5.0 MEDIUM
CVE-2009-5142

Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb 1.09 and earlier, as used in Mimbo Pro 2.3.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the src parameter.

Published: August 21, 2014; 07:55:01 PM -04:00
    V2: 4.3 MEDIUM
CVE-2014-5347

Multiple cross-site request forgery (CSRF) vulnerabilities in the Disqus Comment System plugin before 2.76 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) disqus_replace, (2) disqus_public_key, or (3) disqus_secret_key parameter to wp-admin/edit-comments.php in manage.php or that (4) reset or (5) delete plugin options via the reset parameter to wp-admin/edit-comments.php.

Published: August 19, 2014; 03:55:04 PM -04:00
    V2: 6.8 MEDIUM
CVE-2014-5346

Multiple cross-site request forgery (CSRF) vulnerabilities in the Disqus Comment System plugin 2.77 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) activate or (2) deactivate the plugin via the active parameter to wp-admin/edit-comments.php, (3) import comments via an import_comments action, or (4) export comments via an export_comments action to wp-admin/index.php.

Published: August 19, 2014; 03:55:04 PM -04:00
    V2: 6.8 MEDIUM
CVE-2014-5345

Cross-site scripting (XSS) vulnerability in upgrade.php in the Disqus Comment System plugin before 2.76 for WordPress allows remote attackers to inject arbitrary web script or HTML via the step parameter.

Published: August 19, 2014; 03:55:04 PM -04:00
    V2: 4.3 MEDIUM
CVE-2014-5344

Multiple cross-site scripting (XSS) vulnerabilities in the Mobiloud (mobiloud-mobile-app-plugin) plugin before 2.3.8 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: some of these details are obtained from third party information.

Published: August 19, 2014; 02:55:03 PM -04:00
    V2: 4.3 MEDIUM
CVE-2014-3903

Cross-site scripting (XSS) vulnerability in the Cakifo theme 1.x before 1.6.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via crafted Exif data.

Published: August 19, 2014; 07:16:59 AM -04:00
    V2: 3.5 LOW
CVE-2014-5266

The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265.

Published: August 18, 2014; 07:15:27 AM -04:00
    V2: 5.0 MEDIUM
CVE-2014-5265

The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

Published: August 18, 2014; 07:15:27 AM -04:00
    V2: 5.0 MEDIUM
CVE-2014-5240

Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL.

Published: August 18, 2014; 07:15:27 AM -04:00
    V2: 2.1 LOW
CVE-2014-5205

wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.

Published: August 18, 2014; 07:15:26 AM -04:00
    V2: 6.8 MEDIUM
CVE-2014-5204

wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.

Published: August 18, 2014; 07:15:26 AM -04:00
    V2: 6.8 MEDIUM
CVE-2014-5203

wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to execute arbitrary code via crafted serialized data.

Published: August 18, 2014; 07:15:26 AM -04:00
    V2: 7.5 HIGH
CVE-2014-5202

Cross-site scripting (XSS) vulnerability in compfight-search.php in the Compfight plugin 1.4 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the search-value parameter.

Published: August 12, 2014; 07:55:04 PM -04:00
    V2: 3.5 LOW
CVE-2014-5201

SQL injection vulnerability in the Gallery Objects plugin 0.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the viewid parameter in a go_view_object action to wp-admin/admin-ajax.php.

Published: August 12, 2014; 04:55:04 PM -04:00
    V2: 7.5 HIGH
CVE-2014-5200

SQL injection vulnerability in game_play.php in the FB Gorilla plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.

Published: August 12, 2014; 04:55:04 PM -04:00
    V2: 7.5 HIGH
CVE-2014-5199

Cross-site request forgery (CSRF) vulnerability in the WordPress File Upload plugin (wp-file-upload) before 2.4.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors. NOTE: some of these details are obtained from third party information.

Published: August 12, 2014; 04:55:04 PM -04:00
    V2: 6.8 MEDIUM
CVE-2014-5196

Cross-site request forgery (CSRF) vulnerability in improved-user-search-in-backend.php in the backend in the Improved user search in backend plugin before 1.2.5 for WordPress allows remote attackers to hijack the authentication of administrators for requests that insert XSS sequences via the iusib_meta_fields parameter.

Published: August 12, 2014; 04:55:03 PM -04:00
    V2: 4.3 MEDIUM
CVE-2014-5190

Cross-site scripting (XSS) vulnerability in captcha-secureimage/test/index.php in the SI CAPTCHA Anti-Spam plugin 2.7.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

Published: August 07, 2014; 07:13:36 AM -04:00
    V2: 4.3 MEDIUM
CVE-2014-5189

SQL injection vulnerability in lib/optin/optin_page.php in the Lead Octopus plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.

Published: August 07, 2014; 07:13:36 AM -04:00
    V2: 7.5 HIGH