National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 2,851 matching records.
Displaying matches 61 through 80.
Vuln ID Summary CVSS Severity
CVE-2020-7107

The Ultimate FAQ plugin before 1.8.30 for WordPress allows XSS via Display_FAQ to Shortcodes/DisplayFAQs.php.

Published: January 16, 2020; 12:15:11 AM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2015-5484

Cross-site scripting (XSS) vulnerability in the Plotly plugin before 1.0.3 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via a post.

Published: January 15, 2020; 11:15:12 AM -05:00
V3.1: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2019-20212

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via the chat widget/page message form.

Published: January 13, 2020; 01:15:14 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20211

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via Listing Address, Listing Latitude, Listing Longitude, Email Address, Description, Name, Job or Position, Description, Service Name, Address, Latitude, Longitude, Phone Number, or Website.

Published: January 13, 2020; 01:15:14 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20210

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Reflected XSS via a search query.

Published: January 13, 2020; 01:15:14 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20209

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow nsecure Direct Object Reference (IDOR) via wp-admin/admin-ajax.php to delete any page/post/listing.

Published: January 13, 2020; 01:15:13 PM -05:00
V3.1: 7.5 HIGH
    V2: 6.4 MEDIUM
CVE-2020-6859

Multiple Insecure Direct Object Reference vulnerabilities in includes/core/class-files.php in the Ultimate Member plugin through 2.1.2 for WordPress allow remote attackers to change other users' profiles and cover photos via a modified user_id parameter. This is related to ajax_image_upload and ajax_resize_image.

Published: January 13, 2020; 12:15:11 PM -05:00
V3.1: 5.3 MEDIUM
    V2: 5.0 MEDIUM
CVE-2014-6059

WordPress Advanced Access Manager Plugin before 2.8.2 has an Arbitrary File Overwrite Vulnerability

Published: January 13, 2020; 08:15:12 AM -05:00
V3.1: 7.2 HIGH
    V2: 6.5 MEDIUM
CVE-2014-4561

The ultimate-weather plugin 1.0 for WordPress has XSS

Published: January 10, 2020; 09:15:10 AM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2011-4595

Pretty-Link WordPress plugin 1.5.2 has XSS

Published: January 10, 2020; 09:15:09 AM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2014-4530

flog plugin 0.1 for WordPress has XSS

Published: January 10, 2020; 08:15:12 AM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20182

The FooGallery plugin 1.8.12 for WordPress allow XSS via the post_title parameter.

Published: January 09, 2020; 05:15:13 PM -05:00
V3.1: 4.8 MEDIUM
    V2: 3.5 LOW
CVE-2019-20181

The awesome-support plugin 5.8.0 for WordPress allows XSS via the post_title parameter.

Published: January 09, 2020; 05:15:13 PM -05:00
V3.1: 4.8 MEDIUM
    V2: 3.5 LOW
CVE-2019-20180

The TablePress plugin 1.9.2 for WordPress allows tablepress[data] CSV injection by Editor users.

Published: January 09, 2020; 04:15:11 PM -05:00
V3.1: 6.8 MEDIUM
    V2: 6.0 MEDIUM
CVE-2020-6168

A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.10, allows authenticated users with basic access to enable and disable maintenance-mode settings (impacting the availability and confidentiality of a vulnerable site, along with the integrity of the setting).

Published: January 09, 2020; 03:15:11 PM -05:00
V3.1: 7.6 HIGH
    V2: 6.5 MEDIUM
CVE-2020-6166

A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.15, allows authenticated users with basic access to export settings and change maintenance-mode themes.

Published: January 09, 2020; 03:15:11 PM -05:00
V3.1: 5.4 MEDIUM
    V2: 5.5 MEDIUM
CVE-2020-6167

A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.10, allows a CSRF attack to enable maintenance mode, inject XSS, modify several important settings, or include remote files as a logo.

Published: January 09, 2020; 02:15:10 PM -05:00
V3.1: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2019-16788

In WordPress versions from 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.

Published: January 08, 2020; 10:15:13 PM -05:00
V3.1: 4.3 MEDIUM
    V2: 4.0 MEDIUM
CVE-2019-16773

In WordPress versions from 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.

Published: January 08, 2020; 09:15:13 PM -05:00
V3.1: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2019-20361

There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to be passed to the database in the hash parameter (a blind SQL injection vulnerability).

Published: January 08, 2020; 01:15:12 AM -05:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH