National Vulnerability Database

Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 2,887 matching records.
Displaying matches 1661 through 1680.
Columns: Vuln ID, Summary, Published, CVSS Severity (V3.0 and V2)
CVE-2017-6554

pmmasterd in Quest Privilege Manager before 6.0.0.061, when configured as a policy server, allows remote attackers to write to arbitrary files and consequently execute arbitrary code with root privileges via an ACT_NEWFILESENT action.

Published: April 14, 2017; 02:59:00 PM -04:00
V3.0: 7.2 HIGH
V2: 9.0 HIGH
CVE-2017-7719

SQL injection in the Spider Event Calendar (aka spider-event-calendar) plugin before 1.5.52 for WordPress is exploitable with the order_by parameter to calendar_functions.php or widget_Theme_functions.php, related to front_end/frontend_functions.php.

Published: April 12, 2017; 11:59:00 AM -04:00
V3.0: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2017-1001000

The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI.

Published: April 02, 2017; 09:59:00 PM -04:00
V3.0: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2017-6895

USB Pratirodh allows remote attackers to conduct XML External Entity (XXE) attacks via XML data in usb.xml.

Published: March 23, 2017; 04:59:00 PM -04:00
V3.0: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2017-5207

Firejail before 0.9.44.4, when running a bandwidth command, allows local users to gain root privileges via the --shell argument.

Published: March 23, 2017; 12:59:00 PM -04:00
V3.0: 7.8 HIGH
V2: 7.2 HIGH
CVE-2017-5206

Firejail before 0.9.44.4, when running on a Linux kernel before 4.8, allows context-dependent attackers to bypass a seccomp-based sandbox protection mechanism via the --allow-debuggers argument.

Published: March 23, 2017; 12:59:00 PM -04:00
V3.0: 9.0 CRITICAL
V2: 6.8 MEDIUM
CVE-2017-6955

An issue was discovered in by-email/by-email.php in the Invite Anyone plugin before 1.3.15 for WordPress. A user is able to change the subject and the body of the invitation mail that should be immutable, which facilitates a social engineering attack.

Published: March 17, 2017; 05:59:00 AM -04:00
V3.0: 5.3 MEDIUM
V2: 5.0 MEDIUM
CVE-2017-6954

An issue was discovered in includes/component.php in the BuddyPress Docs plugin before 1.9.3 for WordPress. It is possible for authenticated users to edit documents of other users without proper permissions.

Published: March 17, 2017; 05:59:00 AM -04:00
V3.0: 4.3 MEDIUM
V2: 4.0 MEDIUM
CVE-2016-0770

Cross-site scripting (XSS) vulnerability in includes/admin/pages/manage.php in the Connections Business Directory plugin before 8.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s variable.

Published: March 16, 2017; 11:59:00 AM -04:00
V3.0: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2017-6180

Keekoon KK002 devices 1.8.12 HD have a Cross Site Request Forgery Vulnerability affecting goform/formChnUserPwd and goform/formUserMng (and the entire set of other pages).

Published: March 13, 2017; 02:59:00 AM -04:00
V3.0: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2017-6819

In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This.

Published: March 11, 2017; 08:59:00 PM -05:00
V3.0: 6.5 MEDIUM
V2: 4.3 MEDIUM
CVE-2017-6818

In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names.

Published: March 11, 2017; 08:59:00 PM -05:00
V3.0: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2017-6817

In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.

Published: March 11, 2017; 08:59:00 PM -05:00
V3.0: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2017-6816

In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality.

Published: March 11, 2017; 08:59:00 PM -05:00
V3.0: 4.9 MEDIUM
V2: 5.5 MEDIUM
CVE-2017-6815

In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation.

Published: March 11, 2017; 08:59:00 PM -05:00
V3.0: 6.1 MEDIUM
V2: 5.8 MEDIUM
CVE-2017-6814

In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function in wp-includes/js/mediaelement/wp-playlist.js.

Published: March 11, 2017; 08:59:00 PM -05:00
V3.0: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2017-6578

A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/subscriber_list.php with the POST Parameter: subscriber_email.

Published: March 09, 2017; 04:59:00 AM -05:00
V3.0: 7.2 HIGH
V2: 6.5 MEDIUM
CVE-2017-6577

A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/subscriber_list.php with the POST Parameter: list_id.

Published: March 09, 2017; 04:59:00 AM -05:00
V3.0: 7.2 HIGH
V2: 6.5 MEDIUM
CVE-2017-6576

A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/campaign/campaign-delete.php with the GET Parameter: id.

Published: March 09, 2017; 04:59:00 AM -05:00
V3.0: 7.2 HIGH
V2: 6.5 MEDIUM
CVE-2017-6575

A SQL injection issue is exploitable, with WordPress admin access, in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects ./inc/lists/edit_member.php with the GET Parameter: member_id.

Published: March 09, 2017; 04:59:00 AM -05:00
V3.0: 7.2 HIGH
V2: 6.5 MEDIUM