National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 1,873 matching records.
Displaying matches 141 through 160.
Vuln ID Summary CVSS Severity
CVE-2019-6267

The Premium WP Suite Easy Redirect Manager plugin 28.07-17 for WordPress has XSS via a crafted GET request that is mishandled during log viewing at the templates/admin/redirect-log.php URI.

Published: January 14, 2019; 07:29:00 PM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2019-6248

PHP Scripts Mall Citysearch / Hotfrog / Gelbeseiten Clone Script 2.0.1 has Reflected XSS via the srch parameter, as demonstrated by restaurants-details.php.

Published: January 12, 2019; 07:29:00 PM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2018-16206

Cross-site scripting vulnerability in WordPress plugin spam-byebye 2.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: January 12, 2019; 07:29:00 PM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2018-16204

Cross-site scripting vulnerability in Google XML Sitemaps Version 4.0.9 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: January 09, 2019; 06:29:05 PM -05:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2018-16175

SQL injection vulnerability in the LearnPress prior to version 3.1.0 allows attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors.

Published: January 09, 2019; 06:29:03 PM -05:00
V3: 7.2 HIGH
V2: 6.5 MEDIUM
CVE-2018-16174

Open redirect vulnerability in LearnPress prior to version 3.1.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

Published: January 09, 2019; 06:29:03 PM -05:00
V3: 6.1 MEDIUM
V2: 5.8 MEDIUM
CVE-2018-16173

Cross-site scripting vulnerability in LearnPress prior to version 3.1.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: January 09, 2019; 06:29:03 PM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2018-16164

Cross-site scripting vulnerability in Event Calendar WD version 1.1.21 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: January 09, 2019; 06:29:03 PM -05:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2016-10736

The "Social Pug - Easy Social Share Buttons" plugin before 1.2.6 for WordPress allows XSS via the wp-admin/admin.php?page=dpsp-toolkit dpsp_message_class parameter.

Published: January 09, 2019; 06:29:00 PM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2018-20530

PHP Scripts Mall Website Seller Script 2.0.5 has XSS via a Profile field such as Company Address, a related issue to CVE-2018-15896.

Published: December 28, 2018; 11:29:04 AM -05:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2018-20528

JEECMS 9 has SSRF via the ueditor/getRemoteImage.jspx upfile parameter.

Published: December 28, 2018; 11:29:04 AM -05:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM
CVE-2018-20463

An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. There is an arbitrary file read vulnerability via ../ directory traversal in query=php://filter/resource= in the jsmol.php query string. This can also be used for SSRF.

Published: December 25, 2018; 04:29:00 PM -05:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2018-20462

An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the jsmol.php data parameter.

Published: December 25, 2018; 04:29:00 PM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2018-20368

The Master Slider plugin 3.2.7 and 3.5.1 for WordPress has XSS via the wp-admin/admin-ajax.php Name input field of the MSPanel.Settings value on Callback.

Published: December 22, 2018; 09:29:00 PM -05:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2018-14846

The Mondula Multi Step Form plugin before 1.2.8 for WordPress has multiple stored XSS via wp-admin/admin-ajax.php.

Published: December 20, 2018; 06:29:00 PM -05:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2018-1000812

Ártica Soluciones Tecnológicas Integria IMS version 5.0 MR56 Package 58, likely earlier versions contains a CWE-640: Weak Password Recovery Mechanism for Forgotten Password vulnerability in Password recovery process, line 45 of general/password_recovery.php that can result in IntegriaIMS web app user accounts can be taken over. This attack appear to be exploitable via Network access to IntegriaIMS web interface . This vulnerability appears to have been fixed in fixed in versions released after commit f2ff0ba821644acecb893483c86a9c4d3bb75047.

Published: December 20, 2018; 10:29:00 AM -05:00
V3: 8.1 HIGH
V2: 4.3 MEDIUM
CVE-2018-20231

Cross Site Request Forgery (CSRF) in the two-factor-authentication plugin before 1.3.13 for WordPress allows remote attackers to disable 2FA via the tfa_enable_tfa parameter due to missing nonce validation.

Published: December 19, 2018; 06:29:02 AM -05:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2018-20156

The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated "site administrator" users to execute arbitrary PHP code throughout a multisite network.

Published: December 14, 2018; 05:29:00 PM -05:00
V3: 7.2 HIGH
V2: 6.5 MEDIUM
CVE-2018-20155

The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.

Published: December 14, 2018; 05:29:00 PM -05:00
V3: 4.3 MEDIUM
V2: 4.0 MEDIUM
CVE-2018-20154

The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.

Published: December 14, 2018; 05:29:00 PM -05:00
V3: 4.3 MEDIUM
V2: 4.0 MEDIUM