National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Search Type: Search All
  • Keyword (text search): wordpress
There are 2,931 matching records.
Displaying matches 141 through 160.
Vuln ID Summary CVSS Severity
CVE-2020-7047

The WordPress plugin, WP Database Reset through 3.1, contains a flaw that gave any authenticated user, with minimal permissions, the ability (with a simple wp-admin/admin.php?db-reset-tables[]=users request) to escalate their privileges to administrator while dropping all other users from the table.

Published: January 16, 2020; 04:15:12 PM -05:00
V3.1: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2020-7108

The LearnDash LMS plugin before 3.1.2 for WordPress allows XSS via the ld-profile search field.

Published: January 16, 2020; 12:15:12 AM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2020-7107

The Ultimate FAQ plugin before 1.8.30 for WordPress allows XSS via Display_FAQ to Shortcodes/DisplayFAQs.php.

Published: January 16, 2020; 12:15:11 AM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2015-5484

Cross-site scripting (XSS) vulnerability in the Plotly plugin before 1.0.3 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via a post.

Published: January 15, 2020; 11:15:12 AM -05:00
V3.1: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2019-20212

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via the chat widget/page message form.

Published: January 13, 2020; 01:15:14 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20211

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via Listing Address, Listing Latitude, Listing Longitude, Email Address, Description, Name, Job or Position, Description, Service Name, Address, Latitude, Longitude, Phone Number, or Website.

Published: January 13, 2020; 01:15:14 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20210

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Reflected XSS via a search query.

Published: January 13, 2020; 01:15:14 PM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20209

The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow nsecure Direct Object Reference (IDOR) via wp-admin/admin-ajax.php to delete any page/post/listing.

Published: January 13, 2020; 01:15:13 PM -05:00
V3.1: 7.5 HIGH
    V2: 6.4 MEDIUM
CVE-2020-6859

Multiple Insecure Direct Object Reference vulnerabilities in includes/core/class-files.php in the Ultimate Member plugin through 2.1.2 for WordPress allow remote attackers to change other users' profiles and cover photos via a modified user_id parameter. This is related to ajax_image_upload and ajax_resize_image.

Published: January 13, 2020; 12:15:11 PM -05:00
V3.1: 5.3 MEDIUM
    V2: 5.0 MEDIUM
CVE-2014-6059

WordPress Advanced Access Manager Plugin before 2.8.2 has an Arbitrary File Overwrite Vulnerability

Published: January 13, 2020; 08:15:12 AM -05:00
V3.1: 7.2 HIGH
    V2: 6.5 MEDIUM
CVE-2014-4561

The ultimate-weather plugin 1.0 for WordPress has XSS

Published: January 10, 2020; 09:15:10 AM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2011-4595

Pretty-Link WordPress plugin 1.5.2 has XSS

Published: January 10, 2020; 09:15:09 AM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2014-4530

flog plugin 0.1 for WordPress has XSS

Published: January 10, 2020; 08:15:12 AM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-20182

The FooGallery plugin 1.8.12 for WordPress allow XSS via the post_title parameter.

Published: January 09, 2020; 05:15:13 PM -05:00
V3.1: 4.8 MEDIUM
    V2: 3.5 LOW
CVE-2019-20181

The awesome-support plugin 5.8.0 for WordPress allows XSS via the post_title parameter.

Published: January 09, 2020; 05:15:13 PM -05:00
V3.1: 4.8 MEDIUM
    V2: 3.5 LOW
CVE-2019-20180

The TablePress plugin 1.9.2 for WordPress allows tablepress[data] CSV injection by Editor users.

Published: January 09, 2020; 04:15:11 PM -05:00
V3.1: 6.8 MEDIUM
    V2: 6.0 MEDIUM
CVE-2020-6168

A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.10, allows authenticated users with basic access to enable and disable maintenance-mode settings (impacting the availability and confidentiality of a vulnerable site, along with the integrity of the setting).

Published: January 09, 2020; 03:15:11 PM -05:00
V3.1: 7.6 HIGH
    V2: 6.5 MEDIUM
CVE-2020-6166

A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.15, allows authenticated users with basic access to export settings and change maintenance-mode themes.

Published: January 09, 2020; 03:15:11 PM -05:00
V3.1: 5.4 MEDIUM
    V2: 5.5 MEDIUM
CVE-2020-6167

A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.10, allows a CSRF attack to enable maintenance mode, inject XSS, modify several important settings, or include remote files as a logo.

Published: January 09, 2020; 02:15:10 PM -05:00
V3.1: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2019-20361

There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to be passed to the database in the hash parameter (a blind SQL injection vulnerability).

Published: January 08, 2020; 01:15:12 AM -05:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH