National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Search Type: Search All
  • Keyword (text search): wordpress
There are 2,795 matching records.
Displaying matches 221 through 240.
Vuln ID Summary CVSS Severity
CVE-2015-9464

The s3bubble-amazon-s3-html-5-video-with-adverts plugin 0.7 for WordPress has directory traversal via the adverts/assets/plugins/ultimate/content/downloader.php path parameter.

Published: October 10, 2019; 12:15:11 PM -04:00
V3.1: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2015-9462

The awesome-filterable-portfolio plugin before 1.9 for WordPress has afp_get_new_category_page SQL injection via the cat_id parameter.

Published: October 10, 2019; 12:15:11 PM -04:00
V3.1: 7.2 HIGH
    V2: 6.5 MEDIUM
CVE-2015-9461

The awesome-filterable-portfolio plugin before 1.9 for WordPress has afp_get_new_portfolio_item_page SQL injection via the item_id parameter.

Published: October 10, 2019; 12:15:11 PM -04:00
V3.1: 7.2 HIGH
    V2: 6.5 MEDIUM
CVE-2015-9460

The booking-system plugin before 2.1 for WordPress has DOPBSPBackEndTranslation::display SQL injection via the language parameter.

Published: October 10, 2019; 12:15:11 PM -04:00
V3.1: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2015-9459

The searchterms-tagging-2 plugin through 1.535 for WordPress has XSS via the wp-admin/options-general.php count parameter.

Published: October 10, 2019; 12:15:11 PM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2015-9458

The searchterms-tagging-2 plugin through 1.535 for WordPress has SQL injection via the pk_stt2_db_get_popular_terms count parameter exploitable via CSRF.

Published: October 10, 2019; 12:15:11 PM -04:00
V3.1: 7.2 HIGH
    V2: 6.5 MEDIUM
CVE-2015-9457

The pretty-link plugin before 1.6.8 for WordPress has PrliLinksController::list_links SQL injection via the group parameter.

Published: October 10, 2019; 12:15:10 PM -04:00
V3.1: 7.2 HIGH
    V2: 6.5 MEDIUM
CVE-2019-17072

The new-contact-form-widget (aka Contact Form Widget - Contact Query, Form Maker) plugin 1.0.9 for WordPress has SQL Injection via all-query-page.php.

Published: October 10, 2019; 08:10:19 AM -04:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2019-17071

The client-dash (aka Client Dash) plugin 2.1.4 for WordPress allows XSS.

Published: October 10, 2019; 08:10:19 AM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-17070

The liquid-speech-balloon (aka LIQUID SPEECH BALLOON) plugin before 1.0.7 for WordPress allows XSS with Internet Explorer.

Published: October 10, 2019; 08:10:19 AM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-17385

The animate-it plugin before 2.3.5 for WordPress has XSS.

Published: October 09, 2019; 12:15:15 PM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-17384

The animate-it plugin before 2.3.4 for WordPress has XSS.

Published: October 09, 2019; 12:15:15 PM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-17233

Functions/EWD_UFAQ_Import.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows HTML content injection.

Published: October 07, 2019; 07:15:10 PM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-17232

Functions/EWD_UFAQ_Import.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows unauthenticated options import.

Published: October 07, 2019; 07:15:10 PM -04:00
V3.1: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2019-17239

includes/settings/class-alg-download-plugins-settings.php in the download-plugins-dashboard plugin through 1.5.0 for WordPress has multiple unauthenticated stored XSS issues.

Published: October 07, 2019; 06:15:10 PM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-16913

PC Protect Antivirus v4.14.31 installs by default to %PROGRAMFILES(X86)%\PCProtect with very weak folder permissions, granting any user full permission "Everyone: (F)" to the contents of the directory and its subfolders. In addition, the program installs a service called SecurityService that runs as LocalSystem. This allows any user to escalate privileges to "NT AUTHORITY\SYSTEM" by substituting the service's binary with a Trojan horse.

Published: October 07, 2019; 06:15:10 PM -04:00
V3.1: 7.8 HIGH
    V2: 7.2 HIGH
CVE-2015-9456

The orbisius-child-theme-creator plugin before 1.2.8 for WordPress has incorrect access control for file modification via the wp-admin/admin-ajax.php?action=orbisius_ctc_theme_editor_ajax&sub_cmd=save_file theme_1, theme_1_file, or theme_1_file_contents parameter.

Published: October 07, 2019; 11:15:10 AM -04:00
V3.1: 6.5 MEDIUM
    V2: 4.0 MEDIUM
CVE-2015-9455

The buddypress-activity-plus plugin before 1.6.2 for WordPress has CSRF with resultant directory traversal via the wp-admin/admin-ajax.php bpfb_photos[] parameter in a bpfb_remove_temp_images action.

Published: October 07, 2019; 11:15:10 AM -04:00
V3.1: 8.1 HIGH
    V2: 7.8 HIGH
CVE-2015-9454

The smooth-slider plugin before 2.7 for WordPress has SQL Injection via the wp-admin/admin.php?page=smooth-slider-admin current_slider_id parameter.

Published: October 07, 2019; 11:15:10 AM -04:00
V3.1: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2015-9453

The broken-link-manager plugin before 0.6.0 for WordPress has XSS via the HTTP Referer or User-Agent header to a URL that does not exist.

Published: October 07, 2019; 11:15:10 AM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM