Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 4,165 matching records.
Displaying matches 3,561 through 3,580.
Vuln ID Summary CVSS Severity
CVE-2014-2315

Multiple cross-site scripting (XSS) vulnerabilities in the Thank You Counter Button plugin 1.8.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) thanks_caption, (2) thanks_caption_style, or (3) thanks_style parameter to wp-admin/options.php.

Published: March 09, 2014; 9:16:57 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2014-1907

Multiple directory traversal vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the s parameter to ls/rtmp_login.php or (2) delete arbitrary files via a .. (dot dot) in the s parameter to ls/rtmp_logout.php.

Published: March 06, 2014; 10:55:28 AM -0500
V3.x:(not available)
V2.0: 6.4 MEDIUM
CVE-2014-1906

Multiple cross-site scripting (XSS) vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) m parameter to lb_status.php; (2) msg parameter to vc_chatlog.php; n parameter to (3) channel.php, (4) htmlchat.php, (5) video.php, or (6) videotext.php; (7) message parameter to lb_logout.php; or ct parameter to (8) lb_status.php or (9) v_status.php in ls/.

Published: March 06, 2014; 10:55:28 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-3478

SQL injection vulnerability in Apptha WordPress Video Gallery 2.0, 1.6, and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the playid parameter to index.php.

Published: March 05, 2014; 11:37:40 AM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-2040

Multiple cross-site scripting (XSS) vulnerabilities in the (1) callback_multicheck, (2) callback_radio, and (3) callback_wysiwygin functions in mfrh_class.settings-api.php in the Media File Renamer plugin 1.7.0 for WordPress allow remote authenticated users with permissions to add media or edit media to inject arbitrary web script or HTML via unspecified parameters, as demonstrated by the title of an uploaded file.

Published: March 03, 2014; 1:55:03 PM -0500
V3.x:(not available)
V2.0: 2.1 LOW
CVE-2014-1840

Cross-site scripting (XSS) vulnerability in Upload/search.php in MyBB 1.6.12 and earlier allows remote attackers to inject arbitrary web script or HTML via the keywords parameter in a do_search action, which is not properly handled in a forced SQL error message.

Published: March 03, 2014; 11:55:04 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-3487

Multiple cross-site scripting (XSS) vulnerabilities in the security log in the BulletProof Security plugin before .49 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified HTML header fields to (1) 400.php, (2) 403.php, or (3) 403.php.

Published: March 03, 2014; 11:55:03 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-1409

Cross-site scripting (XSS) vulnerability in the CommentLuv plugin before 2.92.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the _ajax_nonce parameter to wp-admin/admin-ajax.php.

Published: March 03, 2014; 11:55:03 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2014-1888

Cross-site scripting (XSS) vulnerability in the BuddyPress plugin before 1.9.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the name field to groups/create/step/group-details. NOTE: this can be exploited without authentication by leveraging CVE-2014-1889.

Published: February 28, 2014; 7:01:09 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2014-1854

SQL injection vulnerability in library/clicktracker.php in the AdRotate Pro plugin 3.9 through 3.9.5 and AdRotate Free plugin 3.9 through 3.9.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter.

Published: February 27, 2014; 10:55:15 AM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2013-7319

Cross-site scripting (XSS) vulnerability in the Download Manager plugin before 2.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the title field.

Published: February 06, 2014; 11:10:59 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-2074

kioslave/http/http.cpp in KIO in kdelibs 4.10.3 and earlier allows attackers to discover credentials via a crafted request that triggers an "internal server error," which includes the username and password in an error message.

Published: February 05, 2014; 2:55:28 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2011-3377

The web browser plug-in in IcedTea-Web 1.0.x before 1.0.6 and 1.1.x before 1.1.4 allows remote attackers to bypass the Same Origin Policy (SOP) and execute arbitrary script or establish network connections to unintended hosts via an applet whose origin has the same second-level domain, but a different sub-domain than the targeted domain.

Published: February 05, 2014; 2:55:28 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-1852

SQL injection vulnerability in leaguemanager.php in the LeagueManager plugin before 3.8.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the league_id parameter in the leaguemanager-export page to wp-admin/admin.php.

Published: February 05, 2014; 10:10:04 AM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2012-6635

wp-admin/includes/class-wp-posts-list-table.php in WordPress before 3.3.3 does not properly restrict excerpt-view access, which allows remote authenticated users to obtain sensitive information by visiting a draft.

Published: January 20, 2014; 8:55:03 PM -0500
V3.x:(not available)
V2.0: 4.0 MEDIUM
CVE-2012-6634

wp-admin/media-upload.php in WordPress before 3.3.3 allows remote attackers to obtain sensitive information or bypass intended media-attachment restrictions via a post_id value.

Published: January 20, 2014; 8:55:03 PM -0500
V3.x:(not available)
V2.0: 6.4 MEDIUM
CVE-2012-6633

Cross-site scripting (XSS) vulnerability in wp-includes/default-filters.php in WordPress before 3.3.3 allows remote attackers to inject arbitrary web script or HTML via an editable slug field.

Published: January 20, 2014; 8:55:03 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2011-5270

wp-admin/press-this.php in WordPress before 3.0.6 does not enforce the publish_posts capability requirement, which allows remote authenticated users to perform publish actions by leveraging the Contributor role.

Published: January 20, 2014; 8:55:03 PM -0500
V3.x:(not available)
V2.0: 4.0 MEDIUM
CVE-2010-5297

WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add action after a temporary change.

Published: January 20, 2014; 8:55:03 PM -0500
V3.x:(not available)
V2.0: 2.1 LOW
CVE-2010-5296

wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action.

Published: January 20, 2014; 8:55:03 PM -0500
V3.x:(not available)
V2.0: 4.9 MEDIUM