National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Search Type: Search All
  • Keyword (text search): wordpress
There are 2,707 matching records.
Displaying matches 1521 through 1540.
Vuln ID Summary CVSS Severity
CVE-2016-0765

Multiple cross-site scripting (XSS) vulnerabilities in eshop-orders.php in the eShop plugin 6.3.14 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) page or (2) action parameter.

Published: January 23, 2017; 04:59:00 PM -05:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-6897

Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.

Published: January 18, 2017; 04:59:00 PM -05:00
V3.0: 6.5 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-6896

Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool.

Published: January 18, 2017; 04:59:00 PM -05:00
V3.0: 7.1 HIGH
    V2: 5.5 MEDIUM
CVE-2016-10148

The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896.

Published: January 18, 2017; 04:59:00 PM -05:00
V3.0: 4.3 MEDIUM
    V2: 4.0 MEDIUM
CVE-2017-5493

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.

Published: January 14, 2017; 09:59:03 PM -05:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2017-5492

Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.

Published: January 14, 2017; 09:59:03 PM -05:00
V3.0: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2017-5491

wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name.

Published: January 14, 2017; 09:59:02 PM -05:00
V3.0: 5.3 MEDIUM
    V2: 5.0 MEDIUM
CVE-2017-5490

Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php.

Published: January 14, 2017; 09:59:02 PM -05:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2017-5489

Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload.

Published: January 14, 2017; 09:59:02 PM -05:00
V3.0: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2017-5488

Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) version header of a plugin.

Published: January 14, 2017; 09:59:02 PM -05:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2017-5487

wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.

Published: January 14, 2017; 09:59:02 PM -05:00
V3.0: 5.3 MEDIUM
    V2: 5.0 MEDIUM
CVE-2016-7169

Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter.

Published: January 04, 2017; 09:59:03 PM -05:00
V3.0: 6.3 MEDIUM
    V2: 6.5 MEDIUM
CVE-2016-7168

Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename.

Published: January 04, 2017; 09:59:03 PM -05:00
V3.0: 4.8 MEDIUM
    V2: 3.5 LOW
CVE-2016-10112

Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format.

Published: January 03, 2017; 09:59:03 PM -05:00
V3.0: 4.8 MEDIUM
    V2: 3.5 LOW
CVE-2016-1000156

Mailcwp remote file upload vulnerability incomplete fix v1.100

Published: December 14, 2016; 01:59:00 PM -05:00
V3.0: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2016-8633

drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allows remote attackers to execute arbitrary code via crafted fragmented packets.

Published: November 27, 2016; 10:59:06 PM -05:00
V3.0: 6.8 MEDIUM
    V2: 6.2 MEDIUM
CVE-2016-7165

A vulnerability has been identified in Primary Setup Tool (PST) (All versions < V4.2 HF1), SIMATIC IT Production Suite (All versions < V7.0 SP1 HFX 2), SIMATIC NET PC-Software (All versions < V14), SIMATIC PCS 7 V7.1 (All versions), SIMATIC PCS 7 V8.0 (All versions), SIMATIC PCS 7 V8.1 (All versions), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1), SIMATIC STEP 7 (TIA Portal) V13 (All versions < V13 SP2), SIMATIC STEP 7 V5.X (All versions < V5.5 SP4 HF11), SIMATIC WinCC (TIA Portal) Basic, Comfort, Advanced (All versions < V14), SIMATIC WinCC (TIA Portal) Professional V13 (All versions < V13 SP2), SIMATIC WinCC (TIA Portal) Professional V14 (All versions < V14 SP1), SIMATIC WinCC Runtime Professional V13 (All versions < V13 SP2), SIMATIC WinCC Runtime Professional V14 (All versions < V14 SP1), SIMATIC WinCC V7.0 SP2 and earlier versions (All versions < V7.0 SP2 Upd 12), SIMATIC WinCC V7.0 SP3 (All versions < V7.0 SP3 Upd 8), SIMATIC WinCC V7.2 (All versions < V7.2 Upd 14), SIMATIC WinCC V7.3 (All versions < V7.3 Upd 11), SIMATIC WinCC V7.4 (All versions < V7.4 SP1), SIMIT V9.0 (All versions < V9.0 SP1), SINEMA Remote Connect Client (All versions < V1.0 SP3), SINEMA Server (All versions < V13 SP2), SOFTNET Security Client V5.0 (All versions), Security Configuration Tool (SCT) (All versions < V4.3 HF1), TeleControl Server Basic (All versions < V3.0 SP2), WinAC RTX 2010 SP2 (All versions), WinAC RTX F 2010 SP2 (All versions). Unquoted service paths could allow local Microsoft Windows operating system users to escalate their privileges if the affected products are not installed under their default path ("C:\Program Files\*" or the localized equivalent).

Published: November 15, 2016; 02:30:02 PM -05:00
V3.0: 6.4 MEDIUM
    V2: 6.9 MEDIUM
CVE-2016-1000155

Reflected XSS in wordpress plugin wpsolr-search-engine v7.6

Published: October 10, 2016; 04:59:33 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-1000154

Reflected XSS in wordpress plugin whizz v1.0.7

Published: October 10, 2016; 04:59:32 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-1000153

Reflected XSS in wordpress plugin tidio-gallery v1.1

Published: October 10, 2016; 04:59:31 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM