U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 8,665 matching records.
Displaying matches 7,841 through 7,860.
Vuln ID Summary CVSS Severity
CVE-2015-1614

Multiple cross-site request forgery (CSRF) vulnerabilities in the Image Metadata Cruncher plugin for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) image_metadata_cruncher[alt] or (2) image_metadata_cruncher[caption] parameter in an update action in the image_metadata_cruncher_title page to wp-admin/options.php or (3) custom image meta tag to the image metadata cruncher page.

Published: February 19, 2015; 10:59:19 AM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2015-1494

The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the mfbfw[padding] parameter and exploited in the wild in February 2015.

Published: February 17, 2015; 10:59:05 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2015-1436

Cross-site scripting (XSS) vulnerability in the Easing Slider plugin before 2.2.0.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the edit parameter in the (1) easingslider_manage_customizations or (2) easingslider_edit_sliders page to wp-admin/admin.php.

Published: February 16, 2015; 10:59:07 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2015-1582

Multiple cross-site scripting (XSS) vulnerabilities in the Spider Facebook plugin before 1.0.11 for WordPress allow (1) remote attackers to inject arbitrary web script or HTML via the appid parameter in a registration task to the default URI or remote administrators to inject arbitrary web script or HTML via the (2) asc_or_desc, (3) order_by, (4) page_number, (5) serch_or_not, or (6) search_events_by_title parameter in (a) the Spider_Facebook_manage page to wp-admin/admin.php or a (b) selectpagesforfacebook or (c) selectpostsforfacebook action to wp-admin/admin-ajax.php.

Published: February 11, 2015; 2:59:09 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2015-1581

Multiple cross-site request forgery (CSRF) vulnerabilities in the Mobile Domain plugin 1.5.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings or conduct cross-site scripting (XSS) attacks via the (2) domain, (3) text, (4) font, (5) fontcolor, (6) color, or (7) padding parameter in an add-domain action in the mobile-domain page to wp-admin/options-general.php.

Published: February 11, 2015; 2:59:08 PM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2015-1580

Multiple cross-site request forgery (CSRF) vulnerabilities in the Redirection Page plugin 1.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings or conduct cross-site scripting (XSS) attacks via the (2) source or (3) redir parameter in an add action in the redirection-page to wp-admin/options-general.php.

Published: February 11, 2015; 2:59:07 PM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2015-1579

Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php. NOTE: this vulnerability may be a duplicate of CVE-2014-9734.

Published: February 11, 2015; 2:59:06 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2015-1172

Unrestricted file upload vulnerability in admin/upload-file.php in the Holding Pattern theme (aka holding_pattern) 0.6 and earlier for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in an unspecified directory.

Published: February 11, 2015; 2:59:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2015-1384

Cross-site scripting (XSS) vulnerability in the Banner Effect Header plugin before 1.2.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the banner_effect_divid parameter in the BannerEffectOptions page to wp-admin/options-general.php.

Published: February 03, 2015; 11:59:14 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2015-1393

SQL injection vulnerability in the Photo Gallery plugin before 1.2.11 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the asc_or_desc parameter in a create gallery request in the galleries_bwg page to wp-admin/admin.php.

Published: February 02, 2015; 10:59:07 AM -0500
V3.x:(not available)
V2.0: 6.5 MEDIUM
CVE-2015-1385

Cross-site scripting (XSS) vulnerability in the Blubrry PowerPress Podcasting plugin before 6.0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cat parameter in a powerpress-editcategoryfeed action in the powerpressadmin_categoryfeeds.php page to wp-admin/admin.php.

Published: February 02, 2015; 10:59:05 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2015-1383

Cross-site scripting (XSS) vulnerability in the geo search widget in the Geo Mashup plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the search key.

Published: February 02, 2015; 10:59:04 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2015-1376

pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com.

Published: January 28, 2015; 6:59:07 AM -0500
V3.x:(not available)
V2.0: 4.0 MEDIUM
CVE-2015-1375

pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files.

Published: January 28, 2015; 6:59:00 AM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2015-1366

Cross-site scripting (XSS) vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the image_user parameter.

Published: January 27, 2015; 3:04:22 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2015-1365

Directory traversal vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to write to arbitrary files via a .. (dot dot) in the q parameter.

Published: January 27, 2015; 3:04:21 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2014-8802

The Pie Register plugin before 2.0.14 for WordPress does not properly restrict access to certain functions in pie-register.php, which allows remote attackers to (1) add a user by uploading a crafted CSV file or (2) activate a user account via a verifyit action.

Published: January 23, 2015; 10:59:00 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2015-1204

Cross-site scripting (XSS) vulnerability in the Save Filters functionality in the WP Slimstat plugin before 3.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the fs[resource] parameter in the wp-slim-view-2 page to wp-admin/admin.php.

Published: January 21, 2015; 10:28:39 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2015-1055

SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the order_by parameter in a GalleryBox action to wp-admin/admin-ajax.php.

Published: January 16, 2015; 10:59:05 AM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-9570

Multiple cross-site scripting (XSS) vulnerabilities in the MyWebsiteAdvisor Simple Security plugin 1.1.5 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) datefilter parameter in the access_log page to wp-admin/users.php or (2) simple_security_ip_blacklist[] parameter in an add_blacklist_ip action in the ip_blacklist page to wp-admin/users.php.

Published: January 15, 2015; 10:59:20 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM