National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Search Type: Search All
  • Keyword (text search): wordpress
There are 2,708 matching records.
Displaying matches 1641 through 1660.
Vuln ID Summary CVSS Severity
CVE-2015-6828

The tweet_info function in class/__functions.php in the SecureMoz Security Audit plugin 1.0.5 and earlier for WordPress does not use an HTTPS session for downloading serialized data, which allows man-in-the-middle attackers to conduct PHP object injection attacks and execute arbitrary PHP code by modifying the client-server data stream. NOTE: some of these details are obtained from third party information.

Published: September 16, 2015; 10:59:04 AM -04:00
    V2: 6.8 MEDIUM
CVE-2015-5472

Absolute path traversal vulnerability in lib/download.php in the IBS Mappro plugin before 1.0 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter.

Published: September 15, 2015; 02:59:00 PM -04:00
    V2: 7.8 HIGH
CVE-2015-6920

Cross-site scripting (XSS) vulnerability in js/window.php in the sourceAFRICA plugin 0.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the wpbase parameter.

Published: September 11, 2015; 04:59:02 PM -04:00
    V2: 4.3 MEDIUM
CVE-2015-6805

Cross-site scripting (XSS) vulnerability in the MDC Private Message plugin 1.0.0 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the message field in a private message.

Published: September 02, 2015; 10:59:06 AM -04:00
    V2: 3.5 LOW
CVE-2015-2807

Cross-site scripting (XSS) vulnerability in js/window.php in the Navis DocumentCloud plugin before 0.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the wpbase parameter.

Published: September 01, 2015; 10:59:02 AM -04:00
    V2: 4.3 MEDIUM
CVE-2015-6535

Cross-site scripting (XSS) vulnerability in includes/options-profiles.php in the YouTube Embed plugin before 3.3.3 for WordPress allows remote administrators to inject arbitrary web script or HTML via the Profile name field (youtube_embed_name parameter).

Published: August 31, 2015; 02:59:09 PM -04:00
    V2: 3.5 LOW
CVE-2015-1171

Stack-based buffer overflow in GSM SIM Utility (aka SIM Card Editor) 6.6 allows remote attackers to execute arbitrary code via a long entry in a .sms file.

Published: August 28, 2015; 05:59:01 PM -04:00
    V2: 10.0 HIGH
CVE-2015-6523

Cross-site request forgery (CSRF) vulnerability in the Portfolio plugin before 1.05 for WordPress allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via a request to the instagram-portfolio page in wp-admin/options-general.php.

Published: August 19, 2015; 11:59:13 AM -04:00
    V2: 6.8 MEDIUM
CVE-2015-6522

SQL injection vulnerability in the WP Symposium plugin before 15.8 for WordPress allows remote attackers to execute arbitrary SQL commands via the size parameter to get_album_item.php.

Published: August 19, 2015; 11:59:11 AM -04:00
    V2: 7.5 HIGH
CVE-2015-5482

Directory traversal vulnerability in the GD bbPress Attachments plugin before 2.3 for WordPress allows remote administrators to include and execute arbitrary local files via a .. (dot dot) in the tab parameter in the gdbbpress_attachments page to wp-admin/edit.php.

Published: August 18, 2015; 01:59:17 PM -04:00
    V2: 4.0 MEDIUM
CVE-2015-5481

Cross-site scripting (XSS) vulnerability in forms/panels.php in the GD bbPress Attachments plugin before 2.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab parameter in the gdbbpress_attachments page to wp-admin/edit.php.

Published: August 18, 2015; 01:59:13 PM -04:00
    V2: 4.3 MEDIUM
CVE-2015-5681

Unrestricted file upload vulnerability in upload.php in the Powerplay Gallery plugin 3.3 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in *_uploadfolder/big/.

Published: August 18, 2015; 11:59:06 AM -04:00
    V2: 7.5 HIGH
CVE-2015-5599

Multiple SQL injection vulnerabilities in upload.php in the Powerplay Gallery plugin 3.3 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) albumid or (2) name parameter.

Published: August 18, 2015; 11:59:03 AM -04:00
    V2: 7.5 HIGH
CVE-2015-5485

Cross-site scripting (XSS) vulnerability in the Event Import page (import-eventbrite-events.php) in the Modern Tribe Eventbrite Tickets plugin before 3.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "error" parameter to wp-admin/edit.php.

Published: August 18, 2015; 11:59:02 AM -04:00
    V2: 4.3 MEDIUM
CVE-2015-5535

Cross-site scripting (XSS) vulnerability in the qTranslate plugin 2.5.39 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the edit parameter in the qtranslate page to wp-admin/options-general.php.

Published: August 13, 2015; 10:59:07 AM -04:00
    V2: 4.3 MEDIUM
CVE-2015-2321

Cross-site scripting (XSS) vulnerability in the Job Manager plugin 0.7.22 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the email field.

Published: August 13, 2015; 10:59:00 AM -04:00
    V2: 4.3 MEDIUM
CVE-2015-3439

Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as.

Published: August 05, 2015; 06:59:00 AM -04:00
    V2: 4.3 MEDIUM
CVE-2015-3438

Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 4.1.2, when MySQL is used without strict mode, allow remote attackers to inject arbitrary web script or HTML via a (1) four-byte UTF-8 character or (2) invalid character that reaches the database layer, as demonstrated by a crafted character in a comment.

Published: August 04, 2015; 09:59:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2015-5623

WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php.

Published: August 03, 2015; 10:59:02 AM -04:00
    V2: 4.0 MEDIUM
CVE-2015-5622

Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.php.

Published: August 03, 2015; 10:59:01 AM -04:00
    V2: 3.5 LOW