National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Search Type: Search All
  • Keyword (text search): wordpress
There are 2,619 matching records.
Displaying matches 1741 through 1760.
Vuln ID Summary CVSS Severity
CVE-2014-8724

Cross-site scripting (XSS) vulnerability in the W3 Total Cache plugin before 0.9.4.1 for WordPress, when debug mode is enabled, allows remote attackers to inject arbitrary web script or HTML via the "Cache key" in the HTML-Comments, as demonstrated by the PATH_INFO to the default URI.

Published: December 19, 2014; 10:59:11 AM -05:00
    V2: 4.3 MEDIUM
CVE-2014-9305

SQL injection vulnerability in the shortcodeProductsTable function in models/Cart66Ajax.php in the Cart66 Lite plugin before 1.5.2 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a shortcode_products_table action to wp-admin/admin-ajax.php.

Published: December 08, 2014; 11:59:14 AM -05:00
    V2: 6.5 MEDIUM
CVE-2014-9292

Server-side request forgery (SSRF) vulnerability in proxy.php in the jRSS Widget plugin 1.2 and earlier for WordPress allows remote attackers to trigger outbound requests and enumerate open ports via the url parameter.

Published: December 05, 2014; 05:59:00 PM -05:00
    V2: 5.8 MEDIUM
CVE-2014-8877

The alterSearchQuery function in lib/controllers/CmdownloadController.php in the CreativeMinds CM Downloads Manager plugin before 2.0.4 for WordPress allows remote attackers to execute arbitrary PHP code via the CMDsearch parameter to cmdownloads/, which is processed by the PHP create_function function.

Published: December 05, 2014; 01:59:00 PM -05:00
    V2: 10.0 HIGH
CVE-2014-9129

Cross-site request forgery (CSRF) vulnerability in the CreativeMinds CM Downloads Manager plugin before 2.0.7 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the addons_title parameter in the CMDM_admin_settings page to wp-admin/admin.php.

Published: December 05, 2014; 10:59:04 AM -05:00
    V2: 6.8 MEDIUM
CVE-2014-8800

Cross-site scripting (XSS) vulnerability in nextend-facebook-settings.php in the Nextend Facebook Connect plugin before 1.5.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the fb_login_button parameter in a newfb_update_options action.

Published: December 05, 2014; 10:59:02 AM -05:00
    V2: 4.3 MEDIUM
CVE-2014-9179

Cross-site scripting (XSS) vulnerability in the SupportEzzy Ticket System plugin 1.2.5 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the "URL (optional)" field in a new ticket.

Published: December 02, 2014; 11:59:16 AM -05:00
    V2: 4.0 MEDIUM
CVE-2014-9178

Multiple SQL injection vulnerabilities in classes/ajax.php in the Smarty Pants Plugins SP Project & Document Manager plugin (sp-client-document-manager) 2.4.1 and earlier for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) vendor_email[] parameter in the email_vendor function or id parameter in the (2) download_project, (3) download_archive, or (4) remove_cat function.

Published: December 02, 2014; 11:59:15 AM -05:00
    V2: 7.5 HIGH
CVE-2014-9177

The HTML5 MP3 Player with Playlist Free plugin before 2.7 for WordPress allows remote attackers to obtain the installation path via a request to html5plus/playlist.php.

Published: December 02, 2014; 11:59:14 AM -05:00
    V2: 5.0 MEDIUM
CVE-2014-9176

Cross-site scripting (XSS) vulnerability in the InstaSqueeze Sexy Squeeze Pages plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter to lp/index.php.

Published: December 02, 2014; 11:59:13 AM -05:00
    V2: 4.3 MEDIUM
CVE-2014-9175

SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the table_id parameter in a get_wdtable action to wp-admin/admin-ajax.php.

Published: December 02, 2014; 11:59:12 AM -05:00
    V2: 7.5 HIGH
CVE-2014-9174

Cross-site scripting (XSS) vulnerability in the Google Analytics by Yoast (google-analytics-for-wordpress) plugin before 5.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "Manually enter your UA code" (manual_ua_code_field) field in the General Settings.

Published: December 02, 2014; 11:59:10 AM -05:00
    V2: 4.3 MEDIUM
CVE-2014-9173

SQL injection vulnerability in view.php in the Google Doc Embedder plugin before 2.5.15 for WordPress allows remote attackers to execute arbitrary SQL commands via the gpid parameter.

Published: December 02, 2014; 11:59:09 AM -05:00
    V2: 7.5 HIGH
CVE-2014-8754

Open redirect vulnerability in track-click.php in the Ad-Manager plugin 1.1.2 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the out parameter.

Published: December 02, 2014; 11:59:01 AM -05:00
    V2: 5.8 MEDIUM
CVE-2014-8749

Server-side request forgery (SSRF) vulnerability in admin/htaccess/bpsunlock.php in the BulletProof Security plugin before .51.1 for WordPress allows remote attackers to trigger outbound requests that authenticate to arbitrary databases via the dbhost parameter.

Published: December 01, 2014; 10:59:07 AM -05:00
    V2: 5.0 MEDIUM
CVE-2014-8801

Directory traversal vulnerability in services/getfile.php in the Paid Memberships Pro plugin before 1.7.15 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the QUERY_STRING in a getfile action to wp-admin/admin-ajax.php.

Published: November 28, 2014; 10:59:09 AM -05:00
    V2: 5.0 MEDIUM
CVE-2014-8799

Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.

Published: November 28, 2014; 10:59:07 AM -05:00
    V2: 5.0 MEDIUM
CVE-2014-9100

Cross-site scripting (XSS) vulnerability in the WhyDoWork AdSense plugin 1.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the idcode parameter in the whydowork_adsense page to wp-admin/options-general.php.

Published: November 26, 2014; 10:59:16 AM -05:00
    V2: 4.3 MEDIUM
CVE-2014-9099

Cross-site request forgery (CSRF) vulnerability in the WhyDoWork AdSense plugin 1.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via a request to the whydowork_adsense page in wp-admin/options-general.php.

Published: November 26, 2014; 10:59:15 AM -05:00
    V2: 6.8 MEDIUM
CVE-2014-9098

Multiple cross-site scripting (XSS) vulnerabilities in the Apptha WordPress Video Gallery (contus-video-gallery) plugin 2.5, possibly before 2014-07-23, for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the videoadssearchQuery parameter to (1) videoads/videoads.php, (2) video/video.php, or (3) playlist/playlist.php.

Published: November 26, 2014; 10:59:14 AM -05:00
    V2: 3.5 LOW