National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Search Type: Search All
  • Keyword (text search): wordpress
There are 2,721 matching records.
Displaying matches 1521 through 1540.
Vuln ID Summary CVSS Severity
CVE-2017-6103

Persistent XSS Vulnerability in Wordpress plugin AnyVar v0.1.1.

Published: March 02, 2017; 05:59:00 PM -05:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2017-6102

Persistent XSS in wordpress plugin rockhoist-badges v1.2.2.

Published: March 02, 2017; 05:59:00 PM -05:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-8636

Integer overflow in the mem_check_range function in drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel before 4.9.10 allows local users to cause a denial of service (memory corruption), obtain sensitive information from kernel memory, or possibly have unspecified other impact via a write or read request involving the "RDMA protocol over infiniband" (aka Soft RoCE) technology.

Published: February 22, 2017; 11:59:00 AM -05:00
V3.0: 7.8 HIGH
    V2: 7.2 HIGH
CVE-2017-6098

A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/campaign_save.php (Requires authentication to Wordpress admin) with the POST Parameter: list_id.

Published: February 21, 2017; 02:59:00 AM -05:00
V3.0: 7.2 HIGH
    V2: 6.5 MEDIUM
CVE-2017-6097

A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/campaign/count_of_send.php (Requires authentication to Wordpress admin) with the POST Parameter: camp_id.

Published: February 21, 2017; 02:59:00 AM -05:00
V3.0: 7.2 HIGH
    V2: 6.5 MEDIUM
CVE-2017-6096

A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/lists/view-list.php (Requires authentication to Wordpress admin) with the GET Parameter: filter_list.

Published: February 21, 2017; 02:59:00 AM -05:00
V3.0: 7.2 HIGH
    V2: 6.5 MEDIUM
CVE-2017-6095

A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/lists/csvexport.php (Unauthenticated) with the GET Parameter: list_id.

Published: February 21, 2017; 02:59:00 AM -05:00
V3.0: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2017-5942

An issue was discovered in the WP Mail plugin before 1.2 for WordPress. The replyto parameter when composing a mail allows for a reflected XSS. This would allow you to execute JavaScript in the context of the user receiving the mail.

Published: February 10, 2017; 02:59:00 AM -05:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2017-5940

Firejail before 0.9.44.6 and 0.9.38.x LTS before 0.9.38.10 LTS does not comprehensively address dotfile cases during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-5180.

Published: February 09, 2017; 01:59:00 PM -05:00
V3.0: 8.8 HIGH
    V2: 4.6 MEDIUM
CVE-2017-5180

Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not consider the .Xauthority case during its attempt to prevent accessing user files with an euid of zero, which allows local users to conduct sandbox-escape attacks via vectors involving a symlink and the --private option.

Published: February 09, 2017; 01:59:00 PM -05:00
V3.0: 8.8 HIGH
    V2: 4.6 MEDIUM
CVE-2017-5612

Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt.

Published: January 29, 2017; 11:59:00 PM -05:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2017-5611

SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name.

Published: January 29, 2017; 11:59:00 PM -05:00
V3.0: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2017-5610

wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms.

Published: January 29, 2017; 11:59:00 PM -05:00
V3.0: 5.3 MEDIUM
    V2: 5.0 MEDIUM
CVE-2016-0769

Multiple SQL injection vulnerabilities in eshop-orders.php in the eShop plugin 6.3.14 for WordPress allow (1) remote administrators to execute arbitrary SQL commands via the delid parameter or remote authenticated users to execute arbitrary SQL commands via the (2) view, (3) mark, or (4) change parameter.

Published: January 23, 2017; 04:59:00 PM -05:00
V3.0: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2016-0765

Multiple cross-site scripting (XSS) vulnerabilities in eshop-orders.php in the eShop plugin 6.3.14 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) page or (2) action parameter.

Published: January 23, 2017; 04:59:00 PM -05:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-6897

Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.

Published: January 18, 2017; 04:59:00 PM -05:00
V3.0: 6.5 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-6896

Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool.

Published: January 18, 2017; 04:59:00 PM -05:00
V3.0: 7.1 HIGH
    V2: 5.5 MEDIUM
CVE-2016-10148

The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896.

Published: January 18, 2017; 04:59:00 PM -05:00
V3.0: 4.3 MEDIUM
    V2: 4.0 MEDIUM
CVE-2017-5493

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.

Published: January 14, 2017; 09:59:03 PM -05:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2017-5492

Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.

Published: January 14, 2017; 09:59:03 PM -05:00
V3.0: 8.8 HIGH
    V2: 6.8 MEDIUM