U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 4,735 matching records.
Displaying matches 3,861 through 3,880.
Vuln ID Summary CVSS Severity
CVE-2014-9129

Cross-site request forgery (CSRF) vulnerability in the CreativeMinds CM Downloads Manager plugin before 2.0.7 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the addons_title parameter in the CMDM_admin_settings page to wp-admin/admin.php.

Published: December 05, 2014; 10:59:04 AM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2014-8800

Cross-site scripting (XSS) vulnerability in nextend-facebook-settings.php in the Nextend Facebook Connect plugin before 1.5.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the fb_login_button parameter in a newfb_update_options action.

Published: December 05, 2014; 10:59:02 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2014-9179

Cross-site scripting (XSS) vulnerability in the SupportEzzy Ticket System plugin 1.2.5 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the "URL (optional)" field in a new ticket.

Published: December 02, 2014; 11:59:16 AM -0500
V3.x:(not available)
V2.0: 4.0 MEDIUM
CVE-2014-9178

Multiple SQL injection vulnerabilities in classes/ajax.php in the Smarty Pants Plugins SP Project & Document Manager plugin (sp-client-document-manager) 2.4.1 and earlier for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) vendor_email[] parameter in the email_vendor function or id parameter in the (2) download_project, (3) download_archive, or (4) remove_cat function.

Published: December 02, 2014; 11:59:15 AM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-9177

The HTML5 MP3 Player with Playlist Free plugin before 2.7 for WordPress allows remote attackers to obtain the installation path via a request to html5plus/playlist.php.

Published: December 02, 2014; 11:59:14 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2014-9176

Cross-site scripting (XSS) vulnerability in the InstaSqueeze Sexy Squeeze Pages plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter to lp/index.php.

Published: December 02, 2014; 11:59:13 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2014-9175

SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the table_id parameter in a get_wdtable action to wp-admin/admin-ajax.php.

Published: December 02, 2014; 11:59:12 AM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-9174

Cross-site scripting (XSS) vulnerability in the Google Analytics by Yoast (google-analytics-for-wordpress) plugin before 5.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "Manually enter your UA code" (manual_ua_code_field) field in the General Settings.

Published: December 02, 2014; 11:59:10 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2014-9173

SQL injection vulnerability in view.php in the Google Doc Embedder plugin before 2.5.15 for WordPress allows remote attackers to execute arbitrary SQL commands via the gpid parameter.

Published: December 02, 2014; 11:59:09 AM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-8754

Open redirect vulnerability in track-click.php in the Ad-Manager plugin 1.1.2 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the out parameter.

Published: December 02, 2014; 11:59:01 AM -0500
V3.x:(not available)
V2.0: 5.8 MEDIUM
CVE-2014-8749

Server-side request forgery (SSRF) vulnerability in admin/htaccess/bpsunlock.php in the BulletProof Security plugin before .51.1 for WordPress allows remote attackers to trigger outbound requests that authenticate to arbitrary databases via the dbhost parameter.

Published: December 01, 2014; 10:59:07 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2014-8801

Directory traversal vulnerability in services/getfile.php in the Paid Memberships Pro plugin before 1.7.15 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the QUERY_STRING in a getfile action to wp-admin/admin-ajax.php.

Published: November 28, 2014; 10:59:09 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2014-8799

Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.

Published: November 28, 2014; 10:59:07 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2014-9100

Cross-site scripting (XSS) vulnerability in the WhyDoWork AdSense plugin 1.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the idcode parameter in the whydowork_adsense page to wp-admin/options-general.php.

Published: November 26, 2014; 10:59:16 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2014-9099

Cross-site request forgery (CSRF) vulnerability in the WhyDoWork AdSense plugin 1.2 for WordPress allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via a request to the whydowork_adsense page in wp-admin/options-general.php.

Published: November 26, 2014; 10:59:15 AM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2014-9098

Multiple cross-site scripting (XSS) vulnerabilities in the Apptha WordPress Video Gallery (contus-video-gallery) plugin 2.5, possibly before 2014-07-23, for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the videoadssearchQuery parameter to (1) videoads/videoads.php, (2) video/video.php, or (3) playlist/playlist.php.

Published: November 26, 2014; 10:59:14 AM -0500
V3.x:(not available)
V2.0: 3.5 LOW
CVE-2014-9097

Multiple SQL injection vulnerabilities in the Apptha WordPress Video Gallery (contus-video-gallery) plugin 2.5, possibly as distributed before 2014-07-23, for WordPress allow (1) remote attackers to execute arbitrary SQL commands via the vid parameter in a myextract action to wp-admin/admin-ajax.php or (2) remote authenticated users to execute arbitrary SQL commands via the playlistId parameter in the newplaylist page or (3) videoId parameter in a newvideo page to wp-admin/admin.php.

Published: November 26, 2014; 10:59:13 AM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-9094

Multiple cross-site scripting (XSS) vulnerabilities in deploy/designer/preview.php in the Digital Zoom Studio (DZS) Video Gallery plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) swfloc or (2) designrand parameter.

Published: November 26, 2014; 10:59:10 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2014-9039

wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message.

Published: November 25, 2014; 6:59:10 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2014-9038

wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery (SSRF) attacks by referring to a 127.0.0.0/8 resource.

Published: November 25, 2014; 6:59:09 PM -0500
V3.x:(not available)
V2.0: 6.4 MEDIUM