National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 2,802 matching records.
Displaying matches 1841 through 1860.
Vuln ID Summary CVSS Severity
CVE-2015-1172

Unrestricted file upload vulnerability in admin/upload-file.php in the Holding Pattern theme (aka holding_pattern) 0.6 and earlier for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in an unspecified directory.

Published: February 11, 2015; 02:59:00 PM -05:00
    V2: 7.5 HIGH
CVE-2015-1384

Cross-site scripting (XSS) vulnerability in the Banner Effect Header plugin before 1.2.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the banner_effect_divid parameter in the BannerEffectOptions page to wp-admin/options-general.php.

Published: February 03, 2015; 11:59:14 AM -05:00
    V2: 4.3 MEDIUM
CVE-2015-1393

SQL injection vulnerability in the Photo Gallery plugin before 1.2.11 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the asc_or_desc parameter in a create gallery request in the galleries_bwg page to wp-admin/admin.php.

Published: February 02, 2015; 10:59:07 AM -05:00
    V2: 6.5 MEDIUM
CVE-2015-1385

Cross-site scripting (XSS) vulnerability in the Blubrry PowerPress Podcasting plugin before 6.0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cat parameter in a powerpress-editcategoryfeed action in the powerpressadmin_categoryfeeds.php page to wp-admin/admin.php.

Published: February 02, 2015; 10:59:05 AM -05:00
    V2: 4.3 MEDIUM
CVE-2015-1383

Cross-site scripting (XSS) vulnerability in the geo search widget in the Geo Mashup plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the search key.

Published: February 02, 2015; 10:59:04 AM -05:00
    V2: 4.3 MEDIUM
CVE-2015-1376

pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com.

Published: January 28, 2015; 06:59:07 AM -05:00
    V2: 4.0 MEDIUM
CVE-2015-1375

pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files.

Published: January 28, 2015; 06:59:00 AM -05:00
    V2: 7.5 HIGH
CVE-2015-1366

Cross-site scripting (XSS) vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the image_user parameter.

Published: January 27, 2015; 03:04:22 PM -05:00
    V2: 4.3 MEDIUM
CVE-2015-1365

Directory traversal vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to write to arbitrary files via a .. (dot dot) in the q parameter.

Published: January 27, 2015; 03:04:21 PM -05:00
    V2: 5.0 MEDIUM
CVE-2014-8802

The Pie Register plugin before 2.0.14 for WordPress does not properly restrict access to certain functions in pie-register.php, which allows remote attackers to (1) add a user by uploading a crafted CSV file or (2) activate a user account via a verifyit action.

Published: January 23, 2015; 10:59:00 AM -05:00
    V2: 5.0 MEDIUM
CVE-2015-1204

Cross-site scripting (XSS) vulnerability in the Save Filters functionality in the WP Slimstat plugin before 3.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the fs[resource] parameter in the wp-slim-view-2 page to wp-admin/admin.php.

Published: January 21, 2015; 10:28:39 AM -05:00
    V2: 4.3 MEDIUM
CVE-2015-1055

SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the order_by parameter in a GalleryBox action to wp-admin/admin-ajax.php.

Published: January 16, 2015; 10:59:05 AM -05:00
    V2: 7.5 HIGH
CVE-2014-9570

Multiple cross-site scripting (XSS) vulnerabilities in the MyWebsiteAdvisor Simple Security plugin 1.1.5 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) datefilter parameter in the access_log page to wp-admin/users.php or (2) simple_security_ip_blacklist[] parameter in an add_blacklist_ip action in the ip_blacklist page to wp-admin/users.php.

Published: January 15, 2015; 10:59:20 AM -05:00
    V2: 4.3 MEDIUM
CVE-2014-9308

Unrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in products/banners/.

Published: January 15, 2015; 10:59:17 AM -05:00
    V2: 6.5 MEDIUM
CVE-2014-7957

Multiple cross-site request forgery (CSRF) vulnerabilities in the Pods plugin before 2.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) conduct cross-site scripting (XSS) attacks via the toggled parameter in a toggle action in the pods-components page to wp-admin/admin.php, (2) delete a pod in a delete action in the pods page to wp-admin/admin.php, (3) reset pod settings and data via the pods_reset parameter in the pod-settings page to wp-admin/admin.php, (4) deactivate and reset pod data via the pods_reset_deactivate parameter in the pod-settings page to wp-admin/admin.php, (5) delete the admin role via the id parameter in a delete action in the pods-component-roles-and-capabilities page to wp-admin/admin.php, or (6) enable "roles and capabilities" in a toggle action in the pods-components page to wp-admin/admin.php.

Published: January 15, 2015; 10:59:04 AM -05:00
    V2: 6.8 MEDIUM
CVE-2014-7956

Cross-site scripting (XSS) vulnerability in the Pods plugin before 2.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter in an edit action in the pods page to wp-admin/admin.php.

Published: January 15, 2015; 10:59:03 AM -05:00
    V2: 4.3 MEDIUM
CVE-2014-100027

Cross-site scripting (XSS) vulnerability in the WP SlimStat plugin before 3.5.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

Published: January 13, 2015; 10:59:28 AM -05:00
    V2: 4.3 MEDIUM
CVE-2014-100026

Cross-site scripting (XSS) vulnerability in readme.php in the April's Super Functions Pack plugin before 1.4.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. NOTE: some of these details are obtained from third party information.

Published: January 13, 2015; 10:59:27 AM -05:00
    V2: 4.3 MEDIUM
CVE-2014-100023

Multiple cross-site scripting (XSS) vulnerabilities in question.php in the mTouch Quiz before 3.0.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the quiz parameter to wp-admin/edit.php.

Published: January 13, 2015; 10:59:12 AM -05:00
    V2: 4.3 MEDIUM
CVE-2014-100022

SQL injection vulnerability in question.php in the mTouch Quiz before 3.0.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the quiz parameter to wp-admin/edit.php.

Published: January 13, 2015; 10:59:11 AM -05:00
    V2: 7.5 HIGH