U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 3,971 matching records.
Displaying matches 3,181 through 3,200.
Vuln ID Summary CVSS Severity
CVE-2014-3903

Cross-site scripting (XSS) vulnerability in the Cakifo theme 1.x before 1.6.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via crafted Exif data.

Published: August 19, 2014; 7:16:59 AM -0400
V3.x:(not available)
V2.0: 3.5 LOW
CVE-2014-5266

The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265.

Published: August 18, 2014; 7:15:27 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2014-5265

The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

Published: August 18, 2014; 7:15:27 AM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2014-5240

Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL.

Published: August 18, 2014; 7:15:27 AM -0400
V3.x:(not available)
V2.0: 2.1 LOW
CVE-2014-5205

wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.

Published: August 18, 2014; 7:15:26 AM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2014-5204

wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.

Published: August 18, 2014; 7:15:26 AM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2014-5203

wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to execute arbitrary code via crafted serialized data.

Published: August 18, 2014; 7:15:26 AM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-5202

Cross-site scripting (XSS) vulnerability in compfight-search.php in the Compfight plugin 1.4 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the search-value parameter.

Published: August 12, 2014; 7:55:04 PM -0400
V3.x:(not available)
V2.0: 3.5 LOW
CVE-2014-5201

SQL injection vulnerability in the Gallery Objects plugin 0.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the viewid parameter in a go_view_object action to wp-admin/admin-ajax.php.

Published: August 12, 2014; 4:55:04 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-5200

SQL injection vulnerability in game_play.php in the FB Gorilla plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.

Published: August 12, 2014; 4:55:04 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-5199

Cross-site request forgery (CSRF) vulnerability in the WordPress File Upload plugin (wp-file-upload) before 2.4.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors. NOTE: some of these details are obtained from third party information.

Published: August 12, 2014; 4:55:04 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2014-5196

Cross-site request forgery (CSRF) vulnerability in improved-user-search-in-backend.php in the backend in the Improved user search in backend plugin before 1.2.5 for WordPress allows remote attackers to hijack the authentication of administrators for requests that insert XSS sequences via the iusib_meta_fields parameter.

Published: August 12, 2014; 4:55:03 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2014-5190

Cross-site scripting (XSS) vulnerability in captcha-secureimage/test/index.php in the SI CAPTCHA Anti-Spam plugin 2.7.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

Published: August 07, 2014; 7:13:36 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2014-5189

SQL injection vulnerability in lib/optin/optin_page.php in the Lead Octopus plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.

Published: August 07, 2014; 7:13:36 AM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-5187

Directory traversal vulnerability in the Tom M8te (tom-m8te) plugin 1.5.3 for WordPress allows remote attackers to read arbitrary files via the file parameter to tom-download-file.php.

Published: August 06, 2014; 3:55:04 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2014-5186

SQL injection vulnerability in the All Video Gallery (all-video-gallery) plugin 1.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in an edit action in the allvideogallery_videos page to wp-admin/admin.php.

Published: August 06, 2014; 3:55:04 PM -0400
V3.x:(not available)
V2.0: 6.5 MEDIUM
CVE-2014-5185

SQL injection vulnerability in the Quartz plugin 1.01.1 for WordPress allows remote authenticated users with Contributor privileges to execute arbitrary SQL commands via the quote parameter in an edit action in the quartz/quote_form.php page to wp-admin/edit.php.

Published: August 06, 2014; 3:55:04 PM -0400
V3.x:(not available)
V2.0: 6.0 MEDIUM
CVE-2014-5184

SQL injection vulnerability in the stripshow-storylines page in the stripShow plugin 2.5.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the story parameter in an edit action to wp-admin/admin.php.

Published: August 06, 2014; 3:55:04 PM -0400
V3.x:(not available)
V2.0: 6.5 MEDIUM
CVE-2014-5183

SQL injection vulnerability in includes/mode-edit.php in the Simple Retail Menus (simple-retail-menus) plugin before 4.1 for WordPress allows remote authenticated editors to execute arbitrary SQL commands via the targetmenu parameter in an edit action to wp-admin/admin.php.

Published: August 06, 2014; 3:55:04 PM -0400
V3.x:(not available)
V2.0: 6.5 MEDIUM
CVE-2014-5182

Multiple SQL injection vulnerabilities in the yawpp plugin 1.2 for WordPress allow remote authenticated users with Contributor privileges to execute arbitrary SQL commands via vectors related to (1) admin_functions.php or (2) admin_update.php, as demonstrated by the id parameter in the update action to wp-admin/admin.php.

Published: August 06, 2014; 3:55:04 PM -0400
V3.x:(not available)
V2.0: 6.0 MEDIUM