National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): PHP
  • Search Type: Search All
  • Contains Software Flaws (CVE)
There are 26,562 matching records.
Displaying matches 41 through 60.
Vuln ID Summary CVSS Severity
CVE-2019-16289

The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter.

Published: September 13, 2019; 11:15:11 AM -04:00
V3.1: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2019-13364

admin.php?page=account_billing in Piwigo 2.9.5 has XSS via the vat_number, billing_name, company, or billing_address parameter. This is exploitable via CSRF.

Published: September 13, 2019; 09:15:11 AM -04:00
V3.1: 9.6 CRITICAL
    V2: 6.8 MEDIUM
CVE-2019-13363

admin.php?page=notification_by_mail in Piwigo 2.9.5 has XSS via the nbm_send_html_mail, nbm_send_mail_as, nbm_send_detailed_content, nbm_complementary_mail_content, nbm_send_recent_post_dates, or param_submit parameter. This is exploitable via CSRF.

Published: September 13, 2019; 09:15:11 AM -04:00
V3.1: 9.6 CRITICAL
    V2: 6.8 MEDIUM
CVE-2019-12922

A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server in the Setup page.

Published: September 13, 2019; 09:15:11 AM -04:00
V3.1: 6.5 MEDIUM
    V2: 5.8 MEDIUM
CVE-2019-12517

An XSS issue was discovered in the slickquiz plugin through 1.3.7.1 for WordPress. The save_quiz_score functionality available via the /wp-admin/admin-ajax.php endpoint allows unauthenticated users to submit quiz solutions/answers, which are stored in the database and later shown in the WordPress backend for all users with at least Subscriber rights. Because the plugin does not properly validate and sanitize this data, a malicious payload in either the name or email field is executed directly within the backend at /wp-admin/admin.php?page=slickquiz across all users with the privileges of at least Subscriber.

Published: September 13, 2019; 09:15:11 AM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-12516

The slickquiz plugin through 1.3.7.1 for WordPress allows SQL Injection by Subscriber users, as demonstrated by a /wp-admin/admin.php?page=slickquiz-scores&id= or /wp-admin/admin.php?page=slickquiz-edit&id= or /wp-admin/admin.php?page=slickquiz-preview&id= URI.

Published: September 13, 2019; 09:15:11 AM -04:00
V3.1: 8.8 HIGH
    V2: 6.5 MEDIUM
CVE-2016-10952

The quotes-collection plugin before 2.0.6 for WordPress has XSS via the wp-admin/admin.php?page=quotes-collection page parameter.

Published: September 13, 2019; 09:15:10 AM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2017-18614

The kama-clic-counter plugin 3.4.9 for WordPress has SQL injection via the admin.php order parameter.

Published: September 13, 2019; 08:15:11 AM -04:00
V3.1: 8.1 HIGH
    V2: 9.3 HIGH
CVE-2017-18613

The trust-form plugin 2.0 for WordPress has XSS via the wp-admin/admin.php?page=trust-form-edit page parameter.

Published: September 13, 2019; 08:15:11 AM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2017-18612

The wp-whois-domain plugin 1.0.0 for WordPress has XSS via the pages/func-whois.php domain parameter.

Published: September 13, 2019; 08:15:11 AM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-10945

The PageLines theme 1.1.4 for WordPress has wp-admin/admin-post.php?page=pagelines CSRF.

Published: September 13, 2019; 08:15:11 AM -04:00
V3.1: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2016-10944

The multisite-post-duplicator plugin before 1.1.3 for WordPress has wp-admin/tools.php?page=mpd CSRF.

Published: September 13, 2019; 08:15:11 AM -04:00
V3.1: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2019-6003

Cross-site scripting vulnerability in EC-CUBE plugin 'Amazon Pay Plugin 2.12,2.13' version 2.4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: September 12, 2019; 01:15:14 PM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-16238

Afterlogic Aurora through 8.3.9-build-a3 has XSS that can be leveraged for session hijacking by retrieving the session cookie from the administrator login.

Published: September 12, 2019; 12:15:11 PM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-16250

includes/wizard/wizard.php in the Ocean Extra plugin through 1.5.8 for WordPress allows unauthenticated options changes and injection of a Cascading Style Sheets (CSS) token sequence.

Published: September 11, 2019; 07:15:14 PM -04:00
V3.1: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2019-14936

Easy!Appointments 1.3.2 plugin for WordPress allows Sensitive Information Disclosure (Username and Password Hash).

Published: September 11, 2019; 03:15:11 PM -04:00
V3.1: 5.3 MEDIUM
    V2: 5.0 MEDIUM
CVE-2019-13473

TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have an undocumented TELNET service within the BusyBox subsystem, leading to root access.

Published: September 11, 2019; 03:15:11 PM -04:00
V3.1: 9.8 CRITICAL
    V2: 10.0 HIGH
CVE-2019-16222

WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.

Published: September 11, 2019; 10:15:12 AM -04:00
V3.1: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-16220

In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect.

Published: September 11, 2019; 10:15:11 AM -04:00
V3.1: 6.1 MEDIUM
    V2: 5.8 MEDIUM
CVE-2019-15896

An issue was discovered in the LifterLMS plugin through 3.34.5 for WordPress. The upload_import function in the class.llms.admin.import.php script is prone to an unauthenticated options import vulnerability that could lead to privilege escalation (administrator account creation), website redirection, and stored XSS.

Published: September 10, 2019; 12:15:12 PM -04:00
V3.1: 9.8 CRITICAL
    V2: 7.5 HIGH