National Vulnerability Database

Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 1,889 matching records.
Displaying matches 101 through 120.
Vuln ID Summary CVSS Severity
CVE-2019-9605

PHP Scripts Mall Online Lottery PHP Readymade Script 1.7.0 has Reflected Cross-site Scripting (XSS) via the err value in a .ico picture upload.

Published: March 29, 2019; 10:29:00 AM -04:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2019-9604

PHP Scripts Mall Online Lottery PHP Readymade Script 1.7.0 has Cross-Site Request Forgery (CSRF) for Edit Profile actions.

Published: March 29, 2019; 10:29:00 AM -04:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2019-9864

PHP Scripts Mall Amazon Affiliate Store 2.1.6 allows Parameter Tampering of the payment amount.

Published: March 28, 2019; 11:29:00 AM -04:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM
CVE-2019-1010257

An Information Disclosure / Data Modification issue exists in article2pdf_getfile.php in the article2pdf Wordpress plugin 0.24, 0.25, 0.26, 0.27. A URL can be constructed that overrides the PDF file's path, so that any PDF whose path is known and which is readable by the web server can be downloaded. The file will be deleted after download if the web server has permission to do so. For PHP versions before 5.3, any file can be read by null terminating the string left of the file extension.

Published: March 27, 2019; 03:30:11 PM -04:00
V3: 9.1 CRITICAL
V2: 7.5 HIGH
CVE-2019-1000031

A disk space or quota exhaustion issue exists in article2pdf_getfile.php in the article2pdf Wordpress plugin 0.24, 0.25, 0.26, 0.27. Visiting the PDF generation link but not following the redirect will leave behind a PDF file on disk which will never be deleted by the plug-in.

Published: March 27, 2019; 02:29:00 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2019-9978

The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.

Published: March 24, 2019; 11:29:00 AM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-9914

The yop-poll plugin before 6.0.3 for WordPress has wp-admin/admin.php?page=yop-polls&action=view-votes poll_id XSS.

Published: March 21, 2019; 08:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-9913

The wp-live-chat-support plugin before 8.0.18 for WordPress has wp-admin/admin.php?page=wplivechat-menu-gdpr-page term XSS.

Published: March 21, 2019; 08:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-9912

The wp-google-maps plugin before 7.10.43 for WordPress has XSS via the wp-admin/admin.php PATH_INFO.

Published: March 21, 2019; 08:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-9911

The social-networks-auto-poster-facebook-twitter-g plugin before 4.2.8 for WordPress has wp-admin/admin.php?page=nxssnap-reposter&action=edit item XSS.

Published: March 21, 2019; 08:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-9910

The kingcomposer plugin 2.7.6 for WordPress has wp-admin/admin.php?page=kc-mapper id XSS.

Published: March 21, 2019; 08:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-9909

The "Donation Plugin and Fundraising Platform" plugin before 2.3.1 for WordPress has wp-admin/edit.php csv XSS.

Published: March 21, 2019; 08:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-9908

The font-organizer plugin 2.1.1 for WordPress has wp-admin/options-general.php manage_font_id XSS.

Published: March 21, 2019; 08:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-7441

cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.8 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price.

Published: March 21, 2019; 12:01:13 PM -04:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM
CVE-2019-7299

A stored cross-site scripting (XSS) vulnerability in the submit_ticket.php module in the WP Support Plus Responsive Ticket System plugin 9.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the subject parameter in wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/ajax/submit_ticket.php.

Published: March 21, 2019; 12:01:11 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2018-20556

SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the booking_id parameter.

Published: March 21, 2019; 12:00:36 PM -04:00
V3: 8.8 HIGH
V2: 6.5 MEDIUM
CVE-2018-20555

The Design Chemical Social Network Tabs plugin 1.7.1 for WordPress allows remote attackers to discover Twitter access_token, access_token_secret, consumer_key, and consumer_secret values by reading the dcwp_twitter.php source code. This leads to Twitter account takeover.

Published: March 21, 2019; 12:00:36 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2018-19488

The WP-jobhunt plugin before version 2.4 for WordPress does not control AJAX requests sent to the cs_reset_pass() function through the admin-ajax.php file, which allows remote unauthenticated attackers to reset the password of a user's account.

Published: March 21, 2019; 12:00:31 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2018-19487

The WP-jobhunt plugin before version 2.4 for WordPress does not control AJAX requests sent to the cs_employer_ajax_profile() function through the admin-ajax.php file, which allows remote unauthenticated attackers to enumerate information about users.

Published: March 21, 2019; 12:00:31 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2018-15818

An issue was discovered in Repute ARForms 3.5.1 and prior. An attacker is able to delete any file on the server with web server privileges by sending a malicious request to admin-ajax.php.

Published: March 21, 2019; 12:00:21 PM -04:00
V3: 7.5 HIGH
V2: 6.4 MEDIUM