National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 2,938 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2020-13865

The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.

Published: June 05, 2020; 06:15:12 PM -04:00
(not available)
CVE-2020-13864

The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.

Published: June 05, 2020; 06:15:12 PM -04:00
(not available)
CVE-2020-13764

common.php in the Gravity Forms plugin before 2.4.9 for WordPress can leak hashed passwords because user_pass is not considered a special case for a $current_user->get($property) call.

Published: June 02, 2020; 05:15:10 PM -04:00
V3.1: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2019-11843

The MailPoet plugin before 3.23.2 for WordPress allows remote attackers to inject arbitrary web script or HTML using extra parameters in the URL (Reflective Server-Side XSS).

Published: June 02, 2020; 01:15:11 PM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2020-8816

Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.

Published: May 29, 2020; 03:15:10 PM -04:00
V3.1: 7.2 HIGH
    V2: 6.5 MEDIUM
CVE-2020-12675

The mappress-google-maps-for-wordpress plugin before 2.54.6 for WordPress does not correctly implement capability checks for AJAX functions related to creation/retrieval/deletion of PHP template files, leading to Remote Code Execution. NOTE: this issue exists because of an incomplete fix for CVE-2020-12077.

Published: May 29, 2020; 12:15:10 PM -04:00
V3.1: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2020-13693

An unauthenticated privilege-escalation issue exists in the bbPress plugin before 2.6.5 for WordPress when New User Registration is enabled.

Published: May 28, 2020; 08:15:10 PM -04:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2020-13644

An issue was discovered in the Accordion plugin before 2.2.9 for WordPress. The unprotected AJAX wp_ajax_accordions_ajax_import_json action allowed any authenticated user with Subscriber or higher permissions the ability to import a new accordion and inject malicious JavaScript as part of the accordion.

Published: May 28, 2020; 12:15:13 AM -04:00
V3.1: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2020-13643

An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The live editor feature did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The live_editor_panels_data $_POST variable allows for malicious JavaScript to be executed in the victim's browser.

Published: May 28, 2020; 12:15:13 AM -04:00
V3.1: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2020-13642

An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The action_builder_content function did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The panels_data $_POST variable allows for malicious JavaScript to be executed in the victim's browser.

Published: May 28, 2020; 12:15:12 AM -04:00
V3.1: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2020-13641

An issue was discovered in the Real-Time Find and Replace plugin before 4.0.2 for WordPress. The far_options_page function did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The find and replace rules could be updated with malicious JavaScript, allowing for that be executed later in the victims browser.

Published: May 28, 2020; 12:15:12 AM -04:00
V3.1: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2020-13487

The bbPress plugin through 2.6.4 for WordPress has stored XSS in the Forum creation section, resulting in JavaScript execution at wp-admin/edit.php?post_type=forum (aka the Forum listing page) for all users. An administrator can exploit this at the wp-admin/post.php?action=edit URI.

Published: May 26, 2020; 10:15:13 AM -04:00
V3.1: 4.8 MEDIUM
    V2: 3.5 LOW
CVE-2020-13152

A remote user can create a specially crafted M3U file, media playlist file that when loaded by the target user, will trigger a memory leak, whereby Amarok 2.8.0 continue to waste resources over time, eventually allows attackers to cause a denial of service.

Published: May 20, 2020; 09:15:09 AM -04:00
V3.1: 5.5 MEDIUM
    V2: 4.3 MEDIUM
CVE-2020-13126

An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is unaffected.

Published: May 16, 2020; 09:15:11 PM -04:00
V3.1: 9.9 CRITICAL
    V2: 6.5 MEDIUM
CVE-2020-13125

An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.

Published: May 16, 2020; 09:15:11 PM -04:00
V3.1: 6.5 MEDIUM
    V2: 6.4 MEDIUM
CVE-2020-12832

WordPress Plugin Simple File List before 4.2.8 is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input.

Published: May 13, 2020; 02:15:12 PM -04:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2020-12742

The iubenda-cookie-law-solution plugin before 2.3.5 for WordPress does not restrict URL sanitization to http protocols.

Published: May 13, 2020; 09:15:14 AM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2020-11530

A blind SQL injection vulnerability is present in Chop Slider 3, a WordPress plugin. The vulnerability is introduced in the id GET parameter supplied to get_script/index.php, and allows an attacker to execute arbitrary SQL queries in the context of the WP database user.

Published: May 08, 2020; 04:15:12 PM -04:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2020-12696

The iframe plugin before 4.5 for WordPress does not sanitize a URL.

Published: May 07, 2020; 01:15:12 AM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2020-11727

A cross-site scripting (XSS) vulnerability in the AlgolPlus Advanced Order Export For WooCommerce plugin 3.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the view/settings-form.php woe_post_type parameter.

Published: May 06, 2020; 02:15:11 PM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM