U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 4,132 matching records.
Displaying matches 3,081 through 3,100.
Vuln ID Summary CVSS Severity
CVE-2015-3439

Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as.

Published: August 05, 2015; 6:59:00 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2015-3438

Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 4.1.2, when MySQL is used without strict mode, allow remote attackers to inject arbitrary web script or HTML via a (1) four-byte UTF-8 character or (2) invalid character that reaches the database layer, as demonstrated by a crafted character in a comment.

Published: August 04, 2015; 9:59:00 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2015-5623

WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php.

Published: August 03, 2015; 10:59:02 AM -0400
V3.x:(not available)
V2.0: 4.0 MEDIUM
CVE-2015-5622

Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.php.

Published: August 03, 2015; 10:59:01 AM -0400
V3.x:(not available)
V2.0: 3.5 LOW
CVE-2015-3440

Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type.

Published: August 03, 2015; 10:59:00 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2015-2973

Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plugin before 1.4.18 for WordPress allow remote attackers to inject arbitrary web script or HTML via the usces_referer parameter to (1) classes/usceshop.class.php, (2) includes/edit-form-advanced.php, (3) includes/edit-form-advanced30.php, (4) includes/edit-form-advanced34.php, (5) includes/member_edit_form.php, (6) includes/order_edit_form.php, (7) includes/order_list.php, or (8) includes/usces_item_master_list.php, related to admin.php.

Published: July 24, 2015; 12:59:02 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2015-5528

Cross-site scripting (XSS) vulnerability in the save_order function in class-floating-social-bar.php in the Floating Social Bar plugin before 1.1.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the items[] parameter in an fsb_save_order action to wp-admin/admin-ajax.php.

Published: July 16, 2015; 11:59:00 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2015-5461

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.

Published: July 08, 2015; 12:59:04 PM -0400
V3.x:(not available)
V2.0: 6.4 MEDIUM
CVE-2015-4616

Directory traversal vulnerability in includes/MapPinImageSave.php in the Easy2Map plugin before 1.2.5 for WordPress allows remote attackers to create arbitrary files via a .. (dot dot) in the map_id parameter.

Published: July 08, 2015; 12:59:02 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2015-4614

Multiple SQL injection vulnerabilities in includes/Function.php in the Easy2Map plugin before 1.2.5 for WordPress allow remote attackers to execute arbitrary SQL commands via the mapName parameter in an e2m_img_save_map_name action to wp-admin/admin-ajax.php and other unspecified vectors.

Published: July 08, 2015; 12:59:00 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-1750

Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as a cross-site scripting (XSS) vulnerability, but this may be inaccurate.

Published: July 01, 2015; 10:59:00 AM -0400
V3.x:(not available)
V2.0: 5.8 MEDIUM
CVE-2015-5151

Cross-site scripting (XSS) vulnerability in the Slider Revolution (revslider) plugin 4.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the client_action parameter in a revslider_ajax_action action to wp-admin/admin-ajax.php.

Published: June 30, 2015; 10:59:08 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2014-9735

The ThemePunch Slider Revolution (revslider) plugin before 3.0.96 for WordPress and Showbiz Pro plugin 1.7.1 and earlier for Wordpress does not properly restrict access to administrator AJAX functionality, which allows remote attackers to (1) upload and execute arbitrary files via an update_plugin action; (2) delete arbitrary sliders via a delete_slider action; and (3) create, (4) update, (5) import, or (6) export arbitrary sliders via unspecified vectors.

Published: June 30, 2015; 10:59:03 AM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-9734

Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.

Published: June 30, 2015; 10:59:00 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2015-5065

Absolute path traversal vulnerability in proxy.php in the google currency lookup in the Paypal Currency Converter Basic For WooCommerce plugin before 1.4 for WordPress allows remote attackers to read arbitrary files via a full pathname in the requrl parameter.

Published: June 24, 2015; 10:59:07 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2015-4413

Cross-site scripting (XSS) vulnerability in the new_fb_sign_button function in nextend-facebook-connect.php in Nextend Facebook Connect plugin before 1.5.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirect_to parameter.

Published: June 24, 2015; 10:59:02 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2015-4140

Cross-site request forgery (CSRF) vulnerability in the WP Smiley plugin 1.4.1 for WordPress allows remote attackers to hijack the authentication of editors for requests that conduct cross-site scripting (XSS) attacks via the s4w-more parameter to the smilies4wp.php page to wp-admin/options-general.php.

Published: June 18, 2015; 2:59:03 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2015-4139

Cross-site scripting (XSS) vulnerability in smilies4wp.php in the WP Smiley plugin 1.4.1 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the s4w-more parameter to wp-admin/options-general.php.

Published: June 18, 2015; 2:59:02 PM -0400
V3.x:(not available)
V2.0: 3.5 LOW
CVE-2015-4414

Directory traversal vulnerability in download_audio.php in the SE HTML5 Album Audio Player (se-html5-album-audio-player) plugin 1.1.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.

Published: June 17, 2015; 2:59:08 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2015-4338

Static code injection vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary PHP code into the language files via a Translation LM_FRONT_* field for a language, as demonstrated by language/italian.php.

Published: June 17, 2015; 2:59:06 PM -0400
V3.x:(not available)
V2.0: 6.5 MEDIUM