National Vulnerability Database

Search Results

Search Parameters:
  • Results Type: Overview
  • Search Type: Search All
  • Keyword (text search): wordpress
There are 2,852 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2019-19134

The Hero Maps Premium plugin 2.2.1 and prior for WordPress is prone to unauthenticated XSS via the views/dashboard/index.php p parameter because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to inject HTML or arbitrary JavaScript within the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based tokens or to launch other attacks.

Published: February 26, 2020; 10:15:11 AM -05:00
(not available)
CVE-2020-9394

An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows CSRF.

Published: February 25, 2020; 02:15:12 PM -05:00
V3.1: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2020-9393

An issue was discovered in the pricing-table-by-supsystic plugin before 1.8.2 for WordPress. It allows XSS.

Published: February 25, 2020; 02:15:12 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2020-9019

The WPJobBoard plugin 5.5.3 for WordPress allows Persistent XSS via the Add Job form, as demonstrated by title and Description.

Published: February 25, 2020; 01:15:11 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2020-9335

Multiple stored XSS vulnerabilities exist in the 10Web Photo Gallery plugin before 1.5.46 for WordPress. Successful exploitation of this vulnerability would allow an authenticated admin user to inject arbitrary JavaScript code that is viewed by other users.

Published: February 25, 2020; 12:15:13 PM -05:00
V3.1: 4.8 MEDIUM
    V2: 3.5 LOW
CVE-2020-9334

A stored XSS vulnerability exists in the Envira Photo Gallery plugin through 1.7.6 for WordPress. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users.

Published: February 25, 2020; 12:15:13 PM -05:00
V3.1: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2020-8819

An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass the payment process (e.g., spoof an order status by manually sending an IPN callback request with a valid signature but without real payment) and/or receive all of the subsequent payments.

Published: February 24, 2020; 09:15:12 PM -05:00
(not available)
CVE-2019-17229

includes/options.php in the motors-car-dealership-classified-listings (aka Motors - Car Dealer & Classified Ads) plugin through 1.4.0 for WordPress has multiple stored XSS issues.

Published: February 24, 2020; 02:15:14 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-17228

includes/options.php in the motors-car-dealership-classified-listings (aka Motors - Car Dealer & Classified Ads) plugin through 1.4.0 for WordPress allows unauthenticated options changes.

Published: February 24, 2020; 02:15:13 PM -05:00
V3.1: 6.5 MEDIUM
    V2: 6.4 MEDIUM
CVE-2020-9003

A stored XSS vulnerability exists in the Modula Image Gallery plugin before 2.2.5 for WordPress. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users.

Published: February 20, 2020; 05:15:12 PM -05:00
V3.1: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2014-4019

ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK stores sensitive information under the web root with insufficient access control, which allows remote attackers to read backup files via a direct request for rom-0.

Published: February 20, 2020; 01:15:11 PM -05:00
(not available)
CVE-2013-4454

WordPress Portable phpMyAdmin Plugin 1.4.1 has multiple security bypass vulnerabilities.

Published: February 18, 2020; 09:15:12 AM -05:00
V3.1: 9.1 CRITICAL
    V2: 6.4 MEDIUM
CVE-2020-5530

Cross-site request forgery (CSRF) vulnerability in Easy Property Listings versions prior to 3.4 allows remote attackers to hijack the authentication of administrators via unspecified vectors.

Published: February 18, 2020; 01:15:10 AM -05:00
V3.1: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2020-9043

The wpCentral plugin before 1.5.1 for WordPress allows disclosure of the connection key.

Published: February 17, 2020; 12:15:15 PM -05:00
V3.1: 8.8 HIGH
    V2: 9.0 HIGH
CVE-2020-6850

Utilities.php in the miniorange-saml-20-single-sign-on plugin before 4.8.84 for WordPress allows XSS via a crafted SAML XML Response to wp-login.php. This is related to the SAMLResponse and RelayState variables, and the Destination parameter of the samlp:Response XML element.

Published: February 17, 2020; 11:15:28 AM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2020-9006

The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account, leading to possible Remote Code Execution because Administrators can run PHP code on WordPress instances. (This issue has been fixed in the 3.x branch of popup-builder.)

Published: February 17, 2020; 10:15:12 AM -05:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2020-8594

The Ninja Forms plugin 3.4.22 for WordPress has Multiple Stored XSS vulnerabilities via ninja_forms[recaptcha_site_key], ninja_forms[recaptcha_secret_key], ninja_forms[recaptcha_lang], or ninja_forms[date_format].

Published: February 14, 2020; 03:15:09 PM -05:00
V3.1: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2013-1401

Multiple security bypass vulnerabilities in the editAnswer, deleteAnswer, addAnswer, and deletePoll functions in WordPress Poll Plugin 34.5 for WordPress allow a remote attacker to add, edit, and delete an answer and delete a poll.

Published: February 13, 2020; 04:15:11 PM -05:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2013-1400

Multiple SQL injection vulnerabilities in CWPPoll.js in WordPress Poll Plugin 34.5 for WordPress allow attackers to execute arbitrary SQL commands via the pollid or poll_id parameter in a viewPollResults or userlogs action.

Published: February 13, 2020; 04:15:11 PM -05:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2013-2010

WordPress W3 Total Cache Plugin 0.9.2.8 has a remote PHP code execution vulnerability.

Published: February 12, 2020; 10:15:11 AM -05:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH