Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2014-8955 |
Cross-site scripting (XSS) vulnerability in the Contact Form Clean and Simple (clean-and-simple-contact-form-by-meg-nicholas) plugin 4.4.0 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the cscf[name] parameter to contact-us/. Published: November 17, 2014; 11:59:11 AM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-8949 |
The iMember360 plugin 3.8.012 through 3.9.001 for WordPress allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the i4w_trace parameter. NOTE: this can be leveraged with CVE-2014-8948 to allow remote attackers to execute code. NOTE: it is not clear whether this issue itself crosses privileges. Published: November 16, 2014; 6:59:05 AM -0500 |
V3.x:(not available) V2.0: 6.0 MEDIUM |
CVE-2014-8948 |
Cross-site request forgery (CSRF) vulnerability in the iMember360 plugin 3.8.012 through 3.9.001 for WordPress allows remote attackers to hijack the authentication of administrators for requests that with an unspecified impact via the i4w_trace parameter. NOTE: this can be leveraged with CVE-2014-8948 to execute arbitrary commands. Published: November 16, 2014; 6:59:04 AM -0500 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2014-7959 |
SQL injection vulnerability in admin/htaccess/bpsunlock.php in the BulletProof Security plugin before .51.1 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the tableprefix parameter. Published: November 06, 2014; 10:55:08 AM -0500 |
V3.x:(not available) V2.0: 6.5 MEDIUM |
CVE-2014-7958 |
Cross-site scripting (XSS) vulnerability in admin/htaccess/bpsunlock.php in the BulletProof Security plugin before .51.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the dbhost parameter. Published: November 06, 2014; 10:55:08 AM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-4664 |
Cross-site scripting (XSS) vulnerability in the Wordfence Security plugin before 5.1.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the whoisval parameter on the WordfenceWhois page to wp-admin/admin.php. Published: November 06, 2014; 10:55:08 AM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-8622 |
Cross-site scripting (XSS) vulnerability in compfight-search.php in the Compfight plugin 1.4 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the search-value parameter. Published: November 05, 2014; 6:55:02 PM -0500 |
V3.x:(not available) V2.0: 3.5 LOW |
CVE-2014-8586 |
SQL injection vulnerability in the CP Multi View Event Calendar plugin 1.01 for WordPress allows remote attackers to execute arbitrary SQL commands via the calid parameter. Published: November 04, 2014; 10:55:06 AM -0500 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2014-8585 |
Directory traversal vulnerability in the WordPress Download Manager plugin for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the fname parameter to (1) views/file_download.php or (2) file_download.php. Published: November 04, 2014; 10:55:06 AM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-8584 |
Cross-site scripting (XSS) vulnerability in the Web Dorado Spider Video Player (aka WordPress Video Player) plugin before 1.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Published: November 04, 2014; 10:55:06 AM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-7228 |
Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, 3.x through 3.2.5, and 3.3.0 through 3.3.4; Akeeba Backup for Joomla! Professional 3.0.0 through 4.0.2; Backup Professional for WordPress 1.0.b1 through 1.1.3; Solo 1.0.b1 through 1.1.2; Admin Tools Core and Professional 2.0.0 through 2.4.4; and CMS Update 1.0.a1 through 1.0.1, when performing a backup or update for an archive, does not delete parameters from $_GET and $_POST when it is cleansing $_REQUEST, but later accesses $_GET and $_POST using the getQueryParam function, which allows remote attackers to bypass encryption and execute arbitrary code via a command message that extracts a crafted archive. Published: November 03, 2014; 5:55:08 PM -0500 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2014-8334 |
The WP-DBManager (aka Database Manager) plugin before 2.7.2 for WordPress allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) $backup['filepath'] (aka "Path to Backup:" field) or (2) $backup['mysqldumppath'] variable. Published: October 31, 2014; 10:55:10 AM -0400 |
V3.x:(not available) V2.0: 6.5 MEDIUM |
CVE-2014-4586 |
Multiple cross-site scripting (XSS) vulnerabilities in the wp-football plugin 1.1 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the league parameter to (1) football_classification.php, (2) football_criteria.php, (3) templates/template_default_preview.php, or (4) templates/template_worldCup_preview.php; the (5) f parameter to football-functions.php; the id parameter in an "action" action to (6) football_groups_list.php, (7) football_matches_list.php, (8) football_matches_phase.php, or (9) football_phases_list.php; or the (10) id_league parameter in a delete action to football_matches_load.php. Published: October 27, 2014; 6:55:10 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2003-1599 |
PHP remote file inclusion vulnerability in wp-links/links.all.php in WordPress 0.70 allows remote attackers to execute arbitrary PHP code via a URL in the $abspath variable. Published: October 27, 2014; 4:55:07 PM -0400 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2014-6230 |
WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header. Published: October 24, 2014; 8:55:03 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-7182 |
Multiple cross-site scripting (XSS) vulnerabilities in the WP Google Maps plugin before 6.0.27 for WordPress allow remote attackers to inject arbitrary web script or HTML via the poly_id parameter in an (1) edit_poly, (2) edit_polyline, or (3) edit_marker action in the wp-google-maps-menu page to wp-admin/admin.php. Published: October 22, 2014; 10:55:06 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-4577 |
Absolute path traversal vulnerability in reviews.php in the WP AmASIN - The Amazon Affiliate Shop plugin 0.9.6 and earlier for WordPress allows remote attackers to read arbitrary files via a full pathname in the url parameter. Published: October 21, 2014; 11:55:06 AM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-4517 |
Cross-site scripting (XSS) vulnerability in getNetworkSites.php in the CBI Referral Manager plugin 1.2.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the searchString parameter. Published: October 21, 2014; 11:55:06 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-4514 |
Cross-site scripting (XSS) vulnerability in includes/api_tenpay/inc.tenpay_notify.php in the Alipay plugin 3.6.0 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via vectors related to the getDebugInfo function. Published: October 21, 2014; 11:55:06 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2014-8375 |
SQL injection vulnerability in GBgallery.php in the GB Gallery Slideshow plugin 1.5 for WordPress allows remote administrators to execute arbitrary SQL commands via the selected_group parameter in a gb_ajax_get_group action to wp-admin/admin-ajax.php. Published: October 21, 2014; 10:55:04 AM -0400 |
V3.x:(not available) V2.0: 6.5 MEDIUM |