National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 2,887 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2020-11548

The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.

Published: April 04, 2020; 08:15:11 PM -04:00
(not available)
CVE-2019-17231

includes/theme-functions.php in the OneTone theme through 3.0.6 for WordPress has multiple stored XSS issues.

Published: April 03, 2020; 11:15:14 AM -04:00
(not available)
CVE-2019-17230

includes/theme-functions.php in the OneTone theme through 3.0.6 for WordPress allows unauthenticated options changes.

Published: April 03, 2020; 11:15:14 AM -04:00
(not available)
CVE-2020-6009

LearnDash Wordpress plugin version below 3.1.6 is vulnerable to Unauthenticated SQL Injection.

Published: April 01, 2020; 06:15:18 PM -04:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2020-11470

Zoom Client for Meetings through 4.6.8 on macOS has the disable-library-validation entitlement, which allows a local process (with the user's privileges) to obtain unprompted microphone and camera access by loading a crafted library and thereby inheriting Zoom Client's microphone and camera access.

Published: April 01, 2020; 06:15:17 PM -04:00
V3.1: 3.3 LOW
    V2: 2.1 LOW
CVE-2020-11469

Zoom Client for Meetings through 4.6.8 on macOS copies runwithroot to a user-writable temporary directory during installation, which allows a local process (with the user's privileges) to obtain root access by replacing runwithroot.

Published: April 01, 2020; 06:15:17 PM -04:00
V3.1: 7.8 HIGH
    V2: 7.2 HIGH
CVE-2020-7948

An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. A user can perform an insecure direct object reference.

Published: April 01, 2020; 09:15:15 AM -04:00
V3.1: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2020-7947

An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the data isn't sanitized, and no input validation is performed, before the exporting of the user data. This can lead to (at least) CSV injection if a crafted Excel document is uploaded.

Published: April 01, 2020; 09:15:15 AM -04:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2020-6753

The Login by Auth0 plugin before 4.0.0 for WordPress allows stored XSS on multiple pages, a different issue than CVE-2020-5392.

Published: April 01, 2020; 09:15:15 AM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2020-5392

A stored cross-site scripting (XSS) vulnerability exists in the Auth0 plugin before 4.0.0 for WordPress via the settings page.

Published: April 01, 2020; 09:15:15 AM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2020-5391

Cross-site request forgery (CSRF) vulnerabilities exist in the Auth0 plugin before 4.0.0 for WordPress via the domain field.

Published: April 01, 2020; 09:15:15 AM -04:00
V3.1: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2020-6008

LifterLMS Wordpress plugin version below 3.37.15 is vulnerable to arbitrary file write leading to remote code execution

Published: March 31, 2020; 11:15:22 AM -04:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2020-10817

The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.

Published: March 27, 2020; 03:15:11 PM -04:00
V3.1: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2020-10385

A stored cross-site scripting (XSS) vulnerability exists in the WPForms Contact Form (aka wpforms-lite) plugin before 1.5.9 for WordPress.

Published: March 24, 2020; 12:15:12 PM -04:00
V3.1: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2020-9392

An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. Because there is no permission check on the ImportJSONTable, createFromTpl, and getJSONExportTable endpoints, unauthenticated users can retrieve pricing table information, create new tables, or import/modify a table.

Published: March 23, 2020; 01:15:15 PM -04:00
V3.1: 7.3 HIGH
    V2: 7.5 HIGH
CVE-2019-13463

An XSS vulnerability in qcopd-shortcode-generator.php in the Simple Link Directory plugin before 7.3.5 for WordPress allows remote attackers to inject arbitrary web script or HTML, because esc_html is not called for the "echo get_the_title()" or "echo $term->name" statement.

Published: March 20, 2020; 05:15:15 PM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-12498

The WP Live Chat Support plugin before 8.0.33 for WordPress accepts certain REST API calls without invoking the wplc_api_permission_check protection mechanism.

Published: March 20, 2020; 03:15:12 PM -04:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2018-18576

The Hustle (aka wordpress-popup) plugin through 6.0.5 for WordPress allows Directory Traversal to obtain a directory listing via the views/admin/dashboard/ URI.

Published: March 17, 2020; 11:15:12 AM -04:00
V3.1: 5.3 MEDIUM
    V2: 5.0 MEDIUM
CVE-2017-12842

Bitcoin Core before 0.14 allows an attacker to create an ostensibly valid SPV proof for a payment to a victim who uses an SPV wallet, even if that payment did not actually occur. Completing the attack would cost more than a million dollars, and is relevant mainly only in situations where an autonomous system relies solely on an SPV proof for transactions of a greater dollar amount.

Published: March 16, 2020; 04:15:12 PM -04:00
V3.1: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2020-7916

be_teacher in class-lp-admin-ajax.php in the LearnPress plugin 3.2.6.5 and earlier for WordPress allows any registered user to assign itself the teacher role via the wp-admin/admin-ajax.php?action=learnpress_be_teacher URI without any additional permission checks. Therefore, any user can change its role to an instructor/teacher and gain access to otherwise restricted data.

Published: March 16, 2020; 02:15:13 PM -04:00
V3.1: 6.5 MEDIUM
    V2: 4.0 MEDIUM