Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): wordpress
  • Search Type: Search All
There are 3,078 matching records.
Displaying matches 121 through 140.
Vuln ID Summary CVSS Severity
CVE-2020-15364

The Nexos theme through 1.7 for WordPress allows top-map/?search_location= reflected XSS.

Published: June 28, 2020; 8:15:12 AM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-15363

The Nexos theme through 1.7 for WordPress allows side-map/?search_order= SQL Injection.

Published: June 28, 2020; 8:15:12 AM -0400
V3.1: 9.8 CRITICAL
V2.0: 5.0 MEDIUM
CVE-2020-15038

The SeedProd coming-soon plugin before 5.1.1 for WordPress allows XSS.

Published: June 24, 2020; 4:15:10 PM -0400
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2020-13700

An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values.

Published: June 24, 2020; 11:15:11 AM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2020-13426

The Multi-Scheduler plugin 1.0.0 for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability in the forms it presents, allowing the possibility of deleting records (users) when an ID is known.

Published: June 22, 2020; 2:15:11 PM -0400
V3.1: 6.5 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-14962

Multiple XSS vulnerabilities in the Final Tiles Gallery plugin before 3.4.19 for WordPress allow remote attackers to inject arbitrary web script or HTML via the Title (aka imageTitle) or Caption (aka description) field of an image to wp-admin/admin-ajax.php.

Published: June 21, 2020; 8:15:10 PM -0400
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2020-14959

Multiple XSS vulnerabilities in the Easy Testimonials plugin before 3.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the wp-admin/post.php Client Name, Position, Web Address, Other, Location Reviewed, Product Reviewed, Item Reviewed, or Rating parameter.

Published: June 21, 2020; 8:15:10 PM -0400
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2020-13640

A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. (No 7.x versions are affected.)

Published: June 18, 2020; 11:15:10 AM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2019-19112

The wpForo plugin 1.6.5 for WordPress allows XSS involving the wpf-dw-td-value class of dashboard.php.

Published: June 15, 2020; 10:15:09 AM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2019-19111

The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admin.php?page=wpforo-phrases langid parameter.

Published: June 15, 2020; 10:15:09 AM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2019-19110

The wpForo plugin 1.6.5 for WordPress allows XSS via the wp-admin/admin.php?page=wpforo-phrases s parameter.

Published: June 15, 2020; 10:15:09 AM -0400
V3.1: 4.8 MEDIUM
V2.0: 3.5 LOW
CVE-2019-19109

The wpForo plugin 1.6.5 for WordPress allows wp-admin/admin.php?page=wpforo-usergroups CSRF.

Published: June 15, 2020; 10:15:09 AM -0400
V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2020-4050

In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Published: June 12, 2020; 12:15:10 PM -0400
V3.1: 3.1 LOW
V2.0: 6.0 MEDIUM
CVE-2020-4049

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Published: June 12, 2020; 12:15:10 PM -0400
V3.1: 2.4 LOW
V2.0: 3.5 LOW
CVE-2020-4048

In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Published: June 12, 2020; 12:15:10 PM -0400
V3.1: 5.7 MEDIUM
V2.0: 4.9 MEDIUM
CVE-2020-4047

In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Published: June 12, 2020; 12:15:10 PM -0400
V3.1: 6.8 MEDIUM
V2.0: 3.5 LOW
CVE-2020-4046

In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Published: June 12, 2020; 12:15:10 PM -0400
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2020-14010

The Laborator Xenon theme 1.3 for WordPress allows Reflected XSS via the data/typeahead-generate.php q (aka name) parameter.

Published: June 10, 2020; 2:15:10 PM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-13892

The SportsPress plugin before 2.7.2 for WordPress allows XSS.

Published: June 09, 2020; 2:15:11 PM -0400
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2020-12800

The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unrestricted File Upload and remote code execution by setting supported_type to php% and uploading a .php% file.

Published: June 08, 2020; 1:15:10 PM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH