Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2018-15571 |
The Export Users to CSV plugin through 1.1.1 for WordPress allows CSV injection. Published: August 28, 2018; 1:29:01 PM -0400 |
V4.0:(not available) V3.0: 8.6 HIGH V2.0: 6.8 MEDIUM |
CVE-2014-4932 |
Cross-site scripting (XSS) vulnerability in the Wordfence Security plugin before 5.1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the val parameter to whois.php. Published: August 28, 2018; 1:29:00 PM -0400 |
V4.0:(not available) V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2018-15877 |
The Plainview Activity Monitor plugin before 20180826 for WordPress is vulnerable to OS command injection via shell metacharacters in the ip parameter of a wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools request. Published: August 26, 2018; 3:29:00 AM -0400 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0: 9.0 HIGH |
CVE-2018-15876 |
An issue was discovered in the ajax-bootmodal-login plugin 1.4.3 for WordPress. The register form, login form, and password-recovery form require solving a CAPTCHA to perform actions. However, this is required only once per user session, and therefore one could send as many requests as one wished by automation. Published: August 26, 2018; 3:29:00 AM -0400 |
V4.0:(not available) V3.0: 5.3 MEDIUM V2.0: 5.0 MEDIUM |
CVE-2018-14028 |
In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins. Published: August 10, 2018; 12:29:00 PM -0400 |
V4.0:(not available) V3.0: 7.2 HIGH V2.0: 6.5 MEDIUM |
CVE-2018-14430 |
The Mondula Multi Step Form plugin through 1.2.5 for WordPress allows XSS via the fw_data [id][1], fw_data [id][2], fw_data [id][3], fw_data [id][4], or email field of the contact form, exploitable with an fw_send_email action to wp-admin/admin-ajax.php. Published: July 25, 2018; 7:29:00 PM -0400 |
V4.0:(not available) V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2018-13832 |
Multiple Persistent cross-site scripting (XSS) issues in the Techotronic all-in-one-favicon (aka All In One Favicon) plugin 4.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via Apple-Text, GIF-Text, ICO-Text, PNG-Text, or JPG-Text. Published: July 16, 2018; 4:29:00 PM -0400 |
V4.0:(not available) V3.0: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2018-14071 |
The Geo Mashup plugin before 1.10.4 for WordPress has insufficient sanitization of post editor and other user input. Published: July 16, 2018; 9:29:00 AM -0400 |
V4.0:(not available) V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2016-6565 |
The Imagely NextGen Gallery plugin for Wordpress prior to version 2.1.57 does not properly validate user input in the cssfile parameter of a HTTP POST request, which may allow an authenticated user to read arbitrary files from the server, or execute arbitrary code on the server in some circumstances (dependent on server configuration). Published: July 13, 2018; 4:29:01 PM -0400 |
V4.0:(not available) V3.0: 7.5 HIGH V2.0: 6.0 MEDIUM |
CVE-2018-13136 |
The Ultimate Member (aka ultimatemember) plugin before 2.0.18 for WordPress has XSS via the wp-admin settings screen. Published: July 04, 2018; 4:29:00 AM -0400 |
V4.0:(not available) V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2018-12426 |
The WP Live Chat Support Pro plugin before 8.0.07 for WordPress is vulnerable to unauthenticated Remote Code Execution due to client-side validation of allowed file types, as demonstrated by a v1/remote_upload request with a .php filename and the image/jpeg content type. Published: July 02, 2018; 1:29:00 PM -0400 |
V4.0:(not available) V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2018-12895 |
WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges. Published: June 26, 2018; 4:29:00 PM -0400 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0: 6.5 MEDIUM |
CVE-2018-1000556 |
WordPress version 4.8 + contains a Cross Site Scripting (XSS) vulnerability in plugins.php or core wordpress on delete function that can result in An attacker can perform client side attacks which could be from stealing a cookie to code injection. This attack appear to be exploitable via an attacker must craft an URL with payload and send to the user. Victim need to open the link to be affected by reflected XSS. . Published: June 26, 2018; 12:29:02 PM -0400 |
V4.0:(not available) V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2018-12636 |
The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page. Published: June 22, 2018; 12:29:00 PM -0400 |
V4.0:(not available) V3.0: 7.2 HIGH V2.0: 6.5 MEDIUM |
CVE-2018-11526 |
The plugin "WordPress Comments Import & Export" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection. Published: June 19, 2018; 3:29:00 PM -0400 |
V4.0:(not available) V3.0: 7.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2018-11525 |
The plugin "Advanced Order Export For WooCommerce" for WordPress (v1.5.4 and before) is vulnerable to CSV Injection. Published: June 19, 2018; 3:29:00 PM -0400 |
V4.0:(not available) V3.0: 7.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2018-12534 |
A SQL injection issue was discovered in the Quick Chat plugin before 4.00 for WordPress. Published: June 18, 2018; 10:29:00 AM -0400 |
V4.0:(not available) V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2018-10969 |
SQL injection vulnerability in the Pie Register plugin before 3.0.10 for WordPress allows remote attackers to execute arbitrary SQL commands via the invitation codes grid. Published: June 17, 2018; 12:29:00 PM -0400 |
V4.0:(not available) V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2018-10363 |
An issue was discovered in the WpDevArt "Booking calendar, Appointment Booking System" plugin 2.2.2 for WordPress. Multiple parameters allow remote attackers to manipulate the values to change data such as prices. Published: June 13, 2018; 2:29:00 PM -0400 |
V4.0:(not available) V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2018-11709 |
wpforo_get_request_uri in wpf-includes/functions.php in the wpForo Forum plugin before 1.4.12 for WordPress allows Unauthenticated Reflected Cross-Site Scripting (XSS) via the URI. Published: June 04, 2018; 9:29:00 AM -0400 |
V4.0:(not available) V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |