National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 1,882 matching records.
Displaying matches 221 through 240.
Vuln ID Summary CVSS Severity
CVE-2018-17074

The Feed Statistics plugin before 4.0 for WordPress has an Open Redirect via the feed-stats-url parameter.

Published: September 15, 2018; 10:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 5.8 MEDIUM
CVE-2018-16763

FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.

Published: September 09, 2018; 05:29:00 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2018-16363

The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via the lang parameter in a wp-admin/admin.php?page=wp_file_manager request because set_transient is used in file_folder_manager.php and there is an echo of lang in lib\wpfilemanager.php.

Published: September 07, 2018; 06:29:01 PM -04:00
V3: 5.4 MEDIUM
V2: 3.5 LOW
CVE-2018-0642

Cross-site scripting vulnerability in FV Flowplayer Video Player 6.1.2 to 6.6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: September 07, 2018; 10:29:00 AM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2018-16285

The UserPro plugin through 4.9.23 for WordPress allows XSS via the shortcode parameter in a userpro_shortcode_template action to wp-admin/admin-ajax.php.

Published: September 06, 2018; 07:29:01 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2018-1000773

WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time.

Published: September 06, 2018; 12:29:05 PM -04:00
V3: 8.8 HIGH
V2: 6.5 MEDIUM
CVE-2017-1000600

WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. This issue appears to have been partially, but not completely fixed in WordPress 4.9

Published: September 06, 2018; 08:29:00 AM -04:00
V3: 8.8 HIGH
V2: 6.5 MEDIUM
CVE-2018-16308

The Ninja Forms plugin before 3.3.14.1 for WordPress allows CSV injection.

Published: September 01, 2018; 02:29:00 PM -04:00
V3: 8.6 HIGH
V2: 6.8 MEDIUM
CVE-2018-16159

The Gift Vouchers plugin through 2.0.1 for WordPress allows SQL Injection via the template_id parameter in a wp-admin/admin-ajax.php wpgv_doajax_front_template request.

Published: August 30, 2018; 11:29:00 AM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2018-15907

** DISPUTED ** Technicolor (formerly RCA) TC8305C devices allow remote attackers to cause a denial of service (networking outage) via a flood of random MAC addresses, as demonstrated by macof. NOTE: this might overlap CVE-2018-15852 and CVE-2018-16310. NOTE: Technicolor denies that the described behavior is a vulnerability and states that Wi-Fi traffic is slowed or stopped only while the devices are exposed to a MAC flooding attack. This has been confirmed through testing against official up-to-date versions.

Published: August 29, 2018; 03:29:00 PM -04:00
V3: 6.5 MEDIUM
V2: 6.1 MEDIUM
CVE-2018-15839

D-Link DIR-615 devices have a buffer overflow via a long Authorization HTTP header.

Published: August 28, 2018; 01:29:01 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2018-15571

The Export Users to CSV plugin through 1.1.1 for WordPress allows CSV injection.

Published: August 28, 2018; 01:29:01 PM -04:00
V3: 8.6 HIGH
V2: 6.8 MEDIUM
CVE-2014-4932

Cross-site scripting (XSS) vulnerability in the Wordfence Security plugin before 5.1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the val parameter to whois.php.

Published: August 28, 2018; 01:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2018-15877

The Plainview Activity Monitor plugin before 20180826 for WordPress is vulnerable to OS command injection via shell metacharacters in the ip parameter of a wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools request.

Published: August 26, 2018; 03:29:00 AM -04:00
V3: 8.8 HIGH
V2: 9.0 HIGH
CVE-2018-15876

An issue was discovered in the ajax-bootmodal-login plugin 1.4.3 for WordPress. The register form, login form, and password-recovery form require solving a CAPTCHA to perform actions. However, this is required only once per user session, and therefore one could send as many requests as one wished by automation.

Published: August 26, 2018; 03:29:00 AM -04:00
V3: 5.3 MEDIUM
V2: 5.0 MEDIUM
CVE-2018-15852

** DISPUTED ** Technicolor TC7200.20 devices allow remote attackers to cause a denial of service (networking outage) via a flood of random MAC addresses, as demonstrated by macof. NOTE: Technicolor denies that the described behavior is a vulnerability and states that Wi-Fi traffic is slowed or stopped only while the devices are exposed to a MAC flooding attack. This has been confirmed through testing against official up-to-date versions.

Published: August 25, 2018; 05:29:01 PM -04:00
V3: 6.5 MEDIUM
V2: 6.1 MEDIUM
CVE-2018-15172

TP-Link WR840N devices have a buffer overflow via a long Authorization HTTP header.

Published: August 15, 2018; 01:29:02 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2018-14028

In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.

Published: August 10, 2018; 12:29:00 PM -04:00
V3: 7.2 HIGH
V2: 6.5 MEDIUM
CVE-2018-14430

The Mondula Multi Step Form plugin through 1.2.5 for WordPress allows XSS via the fw_data [id][1], fw_data [id][2], fw_data [id][3], fw_data [id][4], or email field of the contact form, exploitable with an fw_send_email action to wp-admin/admin-ajax.php.

Published: July 25, 2018; 07:29:00 PM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2018-14336

TP-Link WR840N devices allow remote attackers to cause a denial of service (connectivity loss) via a series of packets with random MAC addresses.

Published: July 19, 2018; 04:29:00 PM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM