National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 2,708 matching records.
Displaying matches 1921 through 1940.
Vuln ID Summary CVSS Severity
CVE-2014-5240

Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL.

Published: August 18, 2014; 07:15:27 AM -04:00
    V2: 2.1 LOW
CVE-2014-5205

wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.

Published: August 18, 2014; 07:15:26 AM -04:00
    V2: 6.8 MEDIUM
CVE-2014-5204

wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.

Published: August 18, 2014; 07:15:26 AM -04:00
    V2: 6.8 MEDIUM
CVE-2014-5203

wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to execute arbitrary code via crafted serialized data.

Published: August 18, 2014; 07:15:26 AM -04:00
    V2: 7.5 HIGH
CVE-2014-5202

Cross-site scripting (XSS) vulnerability in compfight-search.php in the Compfight plugin 1.4 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the search-value parameter.

Published: August 12, 2014; 07:55:04 PM -04:00
    V2: 3.5 LOW
CVE-2014-5201

SQL injection vulnerability in the Gallery Objects plugin 0.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the viewid parameter in a go_view_object action to wp-admin/admin-ajax.php.

Published: August 12, 2014; 04:55:04 PM -04:00
    V2: 7.5 HIGH
CVE-2014-5200

SQL injection vulnerability in game_play.php in the FB Gorilla plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.

Published: August 12, 2014; 04:55:04 PM -04:00
    V2: 7.5 HIGH
CVE-2014-5199

Cross-site request forgery (CSRF) vulnerability in the WordPress File Upload plugin (wp-file-upload) before 2.4.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors. NOTE: some of these details are obtained from third party information.

Published: August 12, 2014; 04:55:04 PM -04:00
    V2: 6.8 MEDIUM
CVE-2014-5196

Cross-site request forgery (CSRF) vulnerability in improved-user-search-in-backend.php in the backend in the Improved user search in backend plugin before 1.2.5 for WordPress allows remote attackers to hijack the authentication of administrators for requests that insert XSS sequences via the iusib_meta_fields parameter.

Published: August 12, 2014; 04:55:03 PM -04:00
    V2: 4.3 MEDIUM
CVE-2014-5190

Cross-site scripting (XSS) vulnerability in captcha-secureimage/test/index.php in the SI CAPTCHA Anti-Spam plugin 2.7.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

Published: August 07, 2014; 07:13:36 AM -04:00
    V2: 4.3 MEDIUM
CVE-2014-5189

SQL injection vulnerability in lib/optin/optin_page.php in the Lead Octopus plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.

Published: August 07, 2014; 07:13:36 AM -04:00
    V2: 7.5 HIGH
CVE-2014-5187

Directory traversal vulnerability in the Tom M8te (tom-m8te) plugin 1.5.3 for WordPress allows remote attackers to read arbitrary files via the file parameter to tom-download-file.php.

Published: August 06, 2014; 03:55:04 PM -04:00
    V2: 5.0 MEDIUM
CVE-2014-5186

SQL injection vulnerability in the All Video Gallery (all-video-gallery) plugin 1.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in an edit action in the allvideogallery_videos page to wp-admin/admin.php.

Published: August 06, 2014; 03:55:04 PM -04:00
    V2: 6.5 MEDIUM
CVE-2014-5185

SQL injection vulnerability in the Quartz plugin 1.01.1 for WordPress allows remote authenticated users with Contributor privileges to execute arbitrary SQL commands via the quote parameter in an edit action in the quartz/quote_form.php page to wp-admin/edit.php.

Published: August 06, 2014; 03:55:04 PM -04:00
    V2: 6.0 MEDIUM
CVE-2014-5184

SQL injection vulnerability in the stripshow-storylines page in the stripShow plugin 2.5.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the story parameter in an edit action to wp-admin/admin.php.

Published: August 06, 2014; 03:55:04 PM -04:00
    V2: 6.5 MEDIUM
CVE-2014-5183

SQL injection vulnerability in includes/mode-edit.php in the Simple Retail Menus (simple-retail-menus) plugin before 4.1 for WordPress allows remote authenticated editors to execute arbitrary SQL commands via the targetmenu parameter in an edit action to wp-admin/admin.php.

Published: August 06, 2014; 03:55:04 PM -04:00
    V2: 6.5 MEDIUM
CVE-2014-5182

Multiple SQL injection vulnerabilities in the yawpp plugin 1.2 for WordPress allow remote authenticated users with Contributor privileges to execute arbitrary SQL commands via vectors related to (1) admin_functions.php or (2) admin_update.php, as demonstrated by the id parameter in the update action to wp-admin/admin.php.

Published: August 06, 2014; 03:55:04 PM -04:00
    V2: 6.0 MEDIUM
CVE-2014-5181

Directory traversal vulnerability in lastfm-proxy.php in the Last.fm Rotation (lastfm-rotation) plugin 1.0 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the snode parameter.

Published: August 06, 2014; 03:55:04 PM -04:00
    V2: 5.0 MEDIUM
CVE-2014-5180

SQL injection vulnerability in the videos page in the HDW Player Plugin (hdw-player-video-player-video-gallery) 2.4.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in the edit action to wp-admin/admin.php.

Published: August 06, 2014; 03:55:04 PM -04:00
    V2: 6.5 MEDIUM
CVE-2012-6653

Unspecified vulnerability in the All Video Gallery (all-video-gallery) plugin before 1.2.0 for WordPress has unspecified impact and attack vectors.

Published: August 06, 2014; 03:55:02 PM -04:00
    V2: 7.5 HIGH