National Vulnerability Database

Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 2,641 matching records.
Displaying matches 1861 through 1880.

Vuln ID | Summary | CVSS Severity

CVE-2014-5199

Cross-site request forgery (CSRF) vulnerability in the WordPress File Upload plugin (wp-file-upload) before 2.4.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors. NOTE: some of these details are obtained from third party information.

Published: August 12, 2014; 04:55:04 PM -04:00
    V2: 6.8 MEDIUM
CVE-2014-5196

Cross-site request forgery (CSRF) vulnerability in improved-user-search-in-backend.php in the backend in the Improved user search in backend plugin before 1.2.5 for WordPress allows remote attackers to hijack the authentication of administrators for requests that insert XSS sequences via the iusib_meta_fields parameter.

Published: August 12, 2014; 04:55:03 PM -04:00
    V2: 4.3 MEDIUM
CVE-2014-5190

Cross-site scripting (XSS) vulnerability in captcha-secureimage/test/index.php in the SI CAPTCHA Anti-Spam plugin 2.7.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

Published: August 07, 2014; 07:13:36 AM -04:00
    V2: 4.3 MEDIUM
CVE-2014-5189

SQL injection vulnerability in lib/optin/optin_page.php in the Lead Octopus plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.

Published: August 07, 2014; 07:13:36 AM -04:00
    V2: 7.5 HIGH
CVE-2014-5187

Directory traversal vulnerability in the Tom M8te (tom-m8te) plugin 1.5.3 for WordPress allows remote attackers to read arbitrary files via the file parameter to tom-download-file.php.

Published: August 06, 2014; 03:55:04 PM -04:00
    V2: 5.0 MEDIUM
CVE-2014-5186

SQL injection vulnerability in the All Video Gallery (all-video-gallery) plugin 1.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in an edit action in the allvideogallery_videos page to wp-admin/admin.php.

Published: August 06, 2014; 03:55:04 PM -04:00
    V2: 6.5 MEDIUM
CVE-2014-5185

SQL injection vulnerability in the Quartz plugin 1.01.1 for WordPress allows remote authenticated users with Contributor privileges to execute arbitrary SQL commands via the quote parameter in an edit action in the quartz/quote_form.php page to wp-admin/edit.php.

Published: August 06, 2014; 03:55:04 PM -04:00
    V2: 6.0 MEDIUM
CVE-2014-5184

SQL injection vulnerability in the stripshow-storylines page in the stripShow plugin 2.5.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the story parameter in an edit action to wp-admin/admin.php.

Published: August 06, 2014; 03:55:04 PM -04:00
    V2: 6.5 MEDIUM
CVE-2014-5183

SQL injection vulnerability in includes/mode-edit.php in the Simple Retail Menus (simple-retail-menus) plugin before 4.1 for WordPress allows remote authenticated editors to execute arbitrary SQL commands via the targetmenu parameter in an edit action to wp-admin/admin.php.

Published: August 06, 2014; 03:55:04 PM -04:00
    V2: 6.5 MEDIUM
CVE-2014-5182

Multiple SQL injection vulnerabilities in the yawpp plugin 1.2 for WordPress allow remote authenticated users with Contributor privileges to execute arbitrary SQL commands via vectors related to (1) admin_functions.php or (2) admin_update.php, as demonstrated by the id parameter in the update action to wp-admin/admin.php.

Published: August 06, 2014; 03:55:04 PM -04:00
    V2: 6.0 MEDIUM
CVE-2014-5181

Directory traversal vulnerability in lastfm-proxy.php in the Last.fm Rotation (lastfm-rotation) plugin 1.0 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the snode parameter.

Published: August 06, 2014; 03:55:04 PM -04:00
    V2: 5.0 MEDIUM
CVE-2014-5180

SQL injection vulnerability in the videos page in the HDW Player Plugin (hdw-player-video-player-video-gallery) 2.4.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in the edit action to wp-admin/admin.php.

Published: August 06, 2014; 03:55:04 PM -04:00
    V2: 6.5 MEDIUM
CVE-2012-6653

Unspecified vulnerability in the All Video Gallery (all-video-gallery) plugin before 1.2.0 for WordPress has unspecified impact and attack vectors.

Published: August 06, 2014; 03:55:02 PM -04:00
    V2: 7.5 HIGH
CVE-2012-6651

Multiple directory traversal vulnerabilities in the Vitamin plugin before 1.1.0 for WordPress allow remote attackers to access arbitrary files via a .. (dot dot) in the path parameter to (1) add_headers.php or (2) minify.php.

Published: July 31, 2014; 10:55:02 AM -04:00
    V2: 5.0 MEDIUM
CVE-2014-3544

Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field.

Published: July 29, 2014; 07:10:32 AM -04:00
    V2: 3.5 LOW
CVE-2014-4726

Unspecified vulnerability in the MailPoet Newsletters (wysija-newsletters) plugin before 2.6.8 for WordPress has unspecified impact and attack vectors.

Published: July 27, 2014; 02:55:05 PM -04:00
    V2: 7.5 HIGH
CVE-2014-4725

The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/.

Published: July 27, 2014; 02:55:05 PM -04:00
    V2: 7.5 HIGH
CVE-2014-4154

ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain the PPPoE/PPPoA password via a direct request for basic/tc2wanfun.js.

Published: July 16, 2014; 10:19:03 AM -04:00
    V2: 5.0 MEDIUM
CVE-2014-4018

The ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK has a default password of admin for the admin account, which makes it easier for remote attackers to obtain access via unspecified vectors.

Published: July 16, 2014; 10:19:03 AM -04:00
    V2: 7.8 HIGH
CVE-2014-4944

Multiple SQL injection vulnerabilities in inc/bsk-pdf-dashboard.php in the BSK PDF Manager plugin 1.3.2 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) categoryid or (2) pdfid parameter to wp-admin/admin.php.

Published: July 14, 2014; 10:55:07 AM -04:00
    V2: 6.5 MEDIUM