Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): WordPress
  • Search Type: Search All
There are 3,028 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2020-28650

The WPBakery plugin before 6.4.1 for WordPress allows XSS because it calls kses_remove_filters to disable the standard WordPress XSS protection mechanism for the Author and Contributor roles.

Published: November 15, 2020; 11:15:12 PM -0500
V3.x: (not available)
V2.0: (not available)
CVE-2020-28649

The orbisius-child-theme-creator plugin before 1.5.2 for WordPress allows CSRF via orbisius_ctc_theme_editor_manage_file.

Published: November 15, 2020; 11:15:12 PM -0500
V3.x: (not available)
V2.0: (not available)
CVE-2020-27481

An unauthenticated SQL injection vulnerability exists in Good Layers LMS Plugin <= 2.1.4 due to the use of the "wp_ajax_nopriv" call in WordPress, which allows any unauthenticated user to access the function "gdlr_lms_cancel_booking", where the POST parameter "id" is sent straight into an SQL query without sanitization.

Published: November 12, 2020; 9:15:23 AM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2020-24063

The Canto plugin 1.3.0 for WordPress allows includes/lib/download.php?subdomain= SSRF.

Published: November 10, 2020; 4:15:13 PM -0500
V3.x: (not available)
V2.0: (not available)
CVE-2020-28339

The usc-e-shop (aka Collne Welcart e-Commerce) plugin before 1.9.36 for WordPress allows Object Injection because of usces_unserialize. There is not a complete POP chain.

Published: November 07, 2020; 2:15:12 PM -0500
V3.1: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2020-22277

Import and export users and customers WordPress Plugin through 1.15.5.11 allows CSV injection via a customer's profile.

Published: November 04, 2020; 12:15:13 PM -0500
V3.1: 8.0 HIGH
V2.0: 6.0 MEDIUM
CVE-2020-22276

WeForms WordPress Plugin 1.4.7 allows CSV injection via a form's entry.

Published: November 04, 2020; 12:15:12 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2020-22275

Easy Registration Forms (ER Forms) WordPress Plugin 2.0.6 allows an attacker to submit an entry with malicious CSV commands. After that, when the system administrator generates CSV output from the forms information, there is no check on these inputs and the code is executable.

Published: November 04, 2020; 12:15:12 PM -0500
V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2020-28040

WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.

Published: November 02, 2020; 4:15:31 PM -0500
V3.1: 4.3 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-28039

is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.

Published: November 02, 2020; 4:15:31 PM -0500
V3.1: 9.1 CRITICAL
V2.0: 6.4 MEDIUM
CVE-2020-28038

WordPress before 5.5.2 allows stored XSS via post slugs.

Published: November 02, 2020; 4:15:31 PM -0500
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-28037

is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).

Published: November 02, 2020; 4:15:30 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2020-28036

wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.

Published: November 02, 2020; 4:15:30 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2020-28035

WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.

Published: November 02, 2020; 4:15:30 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2020-28034

WordPress before 5.5.2 allows XSS associated with global variables.

Published: November 02, 2020; 4:15:30 PM -0500
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-28033

WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.

Published: November 02, 2020; 4:15:30 PM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2020-28032

WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.

Published: November 02, 2020; 4:15:30 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2020-16140

The search functionality of the Greenmart theme 2.4.2 for WordPress is vulnerable to XSS.

Published: October 27, 2020; 6:15:12 PM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-27615

The Loginizer plugin before 1.6.4 for WordPress allows SQL injection (with resultant XSS), related to loginizer_login_failed and lz_valid_ip.

Published: October 21, 2020; 5:15:13 PM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2020-27344

The cm-download-manager plugin before 2.8.0 for WordPress allows XSS.

Published: October 21, 2020; 4:15:13 PM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM