National Vulnerability Database

Search Results

Search Parameters:
  • Results Type: Overview
  • Search Type: Search All
  • Keyword (text search): wordpress
There are 2,705 matching records.
Displaying matches 1661 through 1680.
Vuln ID Summary CVSS Severity
CVE-2015-5461

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.

Published: July 08, 2015; 12:59:04 PM -04:00
    V2: 6.4 MEDIUM
CVE-2015-4616

Directory traversal vulnerability in includes/MapPinImageSave.php in the Easy2Map plugin before 1.2.5 for WordPress allows remote attackers to create arbitrary files via a .. (dot dot) in the map_id parameter.

Published: July 08, 2015; 12:59:02 PM -04:00
    V2: 5.0 MEDIUM
CVE-2015-4614

Multiple SQL injection vulnerabilities in includes/Function.php in the Easy2Map plugin before 1.2.5 for WordPress allow remote attackers to execute arbitrary SQL commands via the mapName parameter in an e2m_img_save_map_name action to wp-admin/admin-ajax.php and other unspecified vectors.

Published: July 08, 2015; 12:59:00 PM -04:00
    V2: 7.5 HIGH
CVE-2014-1750

Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as a cross-site scripting (XSS) vulnerability, but this may be inaccurate.

Published: July 01, 2015; 10:59:00 AM -04:00
    V2: 5.8 MEDIUM
CVE-2015-5151

Cross-site scripting (XSS) vulnerability in the Slider Revolution (revslider) plugin 4.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the client_action parameter in a revslider_ajax_action action to wp-admin/admin-ajax.php.

Published: June 30, 2015; 10:59:08 AM -04:00
    V2: 4.3 MEDIUM
CVE-2014-9735

The ThemePunch Slider Revolution (revslider) plugin before 3.0.96 for WordPress and Showbiz Pro plugin 1.7.1 and earlier for WordPress do not properly restrict access to administrator AJAX functionality, which allows remote attackers to (1) upload and execute arbitrary files via an update_plugin action; (2) delete arbitrary sliders via a delete_slider action; and (3) create, (4) update, (5) import, or (6) export arbitrary sliders via unspecified vectors.

Published: June 30, 2015; 10:59:03 AM -04:00
    V2: 7.5 HIGH
CVE-2014-9734

Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.

Published: June 30, 2015; 10:59:00 AM -04:00
    V2: 5.0 MEDIUM
CVE-2015-5065

Absolute path traversal vulnerability in proxy.php in the google currency lookup in the Paypal Currency Converter Basic For WooCommerce plugin before 1.4 for WordPress allows remote attackers to read arbitrary files via a full pathname in the requrl parameter.

Published: June 24, 2015; 10:59:07 AM -04:00
    V2: 5.0 MEDIUM
CVE-2015-4413

Cross-site scripting (XSS) vulnerability in the new_fb_sign_button function in nextend-facebook-connect.php in Nextend Facebook Connect plugin before 1.5.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirect_to parameter.

Published: June 24, 2015; 10:59:02 AM -04:00
    V2: 4.3 MEDIUM
CVE-2015-4140

Cross-site request forgery (CSRF) vulnerability in the WP Smiley plugin 1.4.1 for WordPress allows remote attackers to hijack the authentication of editors for requests that conduct cross-site scripting (XSS) attacks via the s4w-more parameter to the smilies4wp.php page to wp-admin/options-general.php.

Published: June 18, 2015; 02:59:03 PM -04:00
    V2: 6.8 MEDIUM
CVE-2015-4139

Cross-site scripting (XSS) vulnerability in smilies4wp.php in the WP Smiley plugin 1.4.1 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the s4w-more parameter to wp-admin/options-general.php.

Published: June 18, 2015; 02:59:02 PM -04:00
    V2: 3.5 LOW
CVE-2015-4414

Directory traversal vulnerability in download_audio.php in the SE HTML5 Album Audio Player (se-html5-album-audio-player) plugin 1.1.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.

Published: June 17, 2015; 02:59:08 PM -04:00
    V2: 5.0 MEDIUM
CVE-2015-4338

Static code injection vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary PHP code into the language files via a Translation LM_FRONT_* field for a language, as demonstrated by language/italian.php.

Published: June 17, 2015; 02:59:06 PM -04:00
    V2: 6.5 MEDIUM
CVE-2015-4337

Cross-site scripting (XSS) vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the excl_manual parameter in the xcloner_show page to wpadmin/plugins.php.

Published: June 17, 2015; 02:59:05 PM -04:00
    V2: 3.5 LOW
CVE-2015-4336

cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to execute arbitrary commands via a file containing filenames with shell metacharacters, as demonstrated by using the backup comments feature to create the file.

Published: June 17, 2015; 02:59:04 PM -04:00
    V2: 6.5 MEDIUM
CVE-2015-3429

Cross-site scripting (XSS) vulnerability in example.html in Genericons before 3.3.1, as used in WordPress before 4.2.2, allows remote attackers to inject arbitrary web script or HTML via a fragment identifier.

Published: June 17, 2015; 02:59:03 PM -04:00
    V2: 4.3 MEDIUM
CVE-2012-6692

Cross-site scripting (XSS) vulnerability in js/wp-seo-metabox.js in the WordPress SEO by Yoast plugin before 2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the post_title parameter to wp-admin/post-new.php, which is not properly handled in the snippet preview functionality.

Published: June 17, 2015; 02:59:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2015-4465

Cross-site scripting (XSS) vulnerability in the zM Ajax Login & Register plugin before 1.1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: June 10, 2015; 02:59:10 PM -04:00
    V2: 4.3 MEDIUM
CVE-2015-4153

Directory traversal vulnerability in the zM Ajax Login & Register plugin before 1.1.0 for WordPress allows remote attackers to include and execute arbitrary PHP files via a relative path in the template parameter in a load_template action to wp-admin/admin-ajax.php.

Published: June 10, 2015; 02:59:07 PM -04:00
    V2: 5.0 MEDIUM
CVE-2014-8607

The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! provides the MySQL username and password on the command line, which allows local users to obtain sensitive information via the ps command.

Published: June 10, 2015; 02:59:04 PM -04:00
    V2: 2.1 LOW