National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Search Type: Search All
  • Keyword (text search): wordpress
There are 2,720 matching records.
Displaying matches 1641 through 1660.
Vuln ID Summary CVSS Severity
CVE-2015-5308

Multiple SQL injection vulnerabilities in cs_admin_users.php in the wp-championship plugin 5.8 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) user, (2) isadmin, (3) mail service, (4) mailresceipt, (5) stellv, (6) champtipp, (7) tippgroup, or (8) userid parameter.

Published: November 02, 2015; 02:59:07 PM -05:00
    V2: 7.5 HIGH
CVE-2015-5291

Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message. NOTE: this identifier has been SPLIT per ADT3 due to different affected version ranges. See CVE-2015-8036 for the session ticket issue that was introduced in 1.3.0.

Published: November 02, 2015; 02:59:05 PM -05:00
    V2: 6.8 MEDIUM
CVE-2015-7683

Absolute path traversal vulnerability in Font.php in the Font plugin before 7.5.1 for WordPress allows remote administrators to read arbitrary files via a full pathname in the url parameter to AjaxProxy.php.

Published: October 16, 2015; 04:59:16 PM -04:00
    V2: 4.0 MEDIUM
CVE-2015-7682

Multiple SQL injection vulnerabilities in pie-register/pie-register.php in the Pie Register plugin before 2.0.19 for WordPress allow remote administrators to execute arbitrary SQL commands via the (1) select_invitaion_code_bulk_option or (2) invi_del_id parameter in the pie-invitation-codes page to wp-admin/admin.php.

Published: October 16, 2015; 04:59:15 PM -04:00
    V2: 6.5 MEDIUM
CVE-2015-7377

Cross-site scripting (XSS) vulnerability in pie-register/pie-register.php in the Pie Register plugin before 2.0.19 for WordPress allows remote attackers to inject arbitrary web script or HTML via the invitaion_code parameter in a pie-register page to the default URI.

Published: October 16, 2015; 04:59:14 PM -04:00
    V2: 4.3 MEDIUM
CVE-2015-7320

Multiple cross-site scripting (XSS) vulnerabilities in cpabc_appointments_admin_int_bookings_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: September 29, 2015; 03:59:07 PM -04:00
    V2: 4.3 MEDIUM
CVE-2015-7319

SQL injection vulnerability in cpabc_appointments_admin_int_calendar_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to updating the username.

Published: September 29, 2015; 03:59:05 PM -04:00
    V2: 7.5 HIGH
CVE-2015-7386

Multiple cross-site scripting (XSS) vulnerabilities in includes/metaboxes.php in the Gallery - Photo Albums - Portfolio plugin 1.3.47 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the (1) Media Title or (2) Media Subtitle fields.

Published: September 28, 2015; 11:59:03 AM -04:00
    V2: 3.5 LOW
CVE-2015-6238

Multiple cross-site scripting (XSS) vulnerabilities in the Google Analyticator plugin before 6.4.9.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) ga_adsense, (2) ga_admin_disable_DimentionIndex, (3) ga_downloads_prefix, (4) ga_downloads, or (5) ga_outbound_prefix parameter in the google-analyticator page to wp-admin/admin.php.

Published: September 21, 2015; 03:59:01 PM -04:00
    V2: 4.3 MEDIUM
CVE-2015-7235

Multiple SQL injection vulnerabilities in dex_reservations.php in the CP Reservation Calendar plugin before 1.1.7 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a dex_reservations_calendar_load2 action or (2) dex_item parameter in a dex_reservations_check_posted_data action in a request to the default URI.

Published: September 17, 2015; 12:59:14 PM -04:00
    V2: 7.5 HIGH
CVE-2015-6965

Multiple cross-site request forgery (CSRF) vulnerabilities in the Contact Form Generator plugin 2.0.1 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) create a field, (2) update a field, (3) delete a field, (4) create a form, (5) update a form, (6) delete a form, (7) create a template, (8) update a template, (9) delete a template, or (10) conduct cross-site scripting (XSS) attacks via a crafted request to the cfg_forms page in wp-admin/admin.php.

Published: September 16, 2015; 10:59:06 AM -04:00
    V2: 6.8 MEDIUM
CVE-2015-6829

Multiple SQL injection vulnerabilities in the getip function in wp-limit-login-attempts.php in the WP Limit Login Attempts plugin before 2.0.1 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) X-Forwarded-For or (2) Client-IP HTTP header.

Published: September 16, 2015; 10:59:05 AM -04:00
    V2: 7.5 HIGH
CVE-2015-6828

The tweet_info function in class/__functions.php in the SecureMoz Security Audit plugin 1.0.5 and earlier for WordPress does not use an HTTPS session for downloading serialized data, which allows man-in-the-middle attackers to conduct PHP object injection attacks and execute arbitrary PHP code by modifying the client-server data stream. NOTE: some of these details are obtained from third party information.

Published: September 16, 2015; 10:59:04 AM -04:00
    V2: 6.8 MEDIUM
CVE-2015-5472

Absolute path traversal vulnerability in lib/download.php in the IBS Mappro plugin before 1.0 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter.

Published: September 15, 2015; 02:59:00 PM -04:00
    V2: 7.8 HIGH
CVE-2015-6920

Cross-site scripting (XSS) vulnerability in js/window.php in the sourceAFRICA plugin 0.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the wpbase parameter.

Published: September 11, 2015; 04:59:02 PM -04:00
    V2: 4.3 MEDIUM
CVE-2015-6805

Cross-site scripting (XSS) vulnerability in the MDC Private Message plugin 1.0.0 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the message field in a private message.

Published: September 02, 2015; 10:59:06 AM -04:00
    V2: 3.5 LOW
CVE-2015-2807

Cross-site scripting (XSS) vulnerability in js/window.php in the Navis DocumentCloud plugin before 0.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the wpbase parameter.

Published: September 01, 2015; 10:59:02 AM -04:00
    V2: 4.3 MEDIUM
CVE-2015-6535

Cross-site scripting (XSS) vulnerability in includes/options-profiles.php in the YouTube Embed plugin before 3.3.3 for WordPress allows remote administrators to inject arbitrary web script or HTML via the Profile name field (youtube_embed_name parameter).

Published: August 31, 2015; 02:59:09 PM -04:00
    V2: 3.5 LOW
CVE-2015-1171

Stack-based buffer overflow in GSM SIM Utility (aka SIM Card Editor) 6.6 allows remote attackers to execute arbitrary code via a long entry in a .sms file.

Published: August 28, 2015; 05:59:01 PM -04:00
    V2: 10.0 HIGH
CVE-2015-6523

Cross-site request forgery (CSRF) vulnerability in the Portfolio plugin before 1.05 for WordPress allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via a request to the instagram-portfolio page in wp-admin/options-general.php.

Published: August 19, 2015; 11:59:13 AM -04:00
    V2: 6.8 MEDIUM