CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score: 8.7 High (Confidence: High)
EPSS: 0.675 Medium (Percentile: 98.0%)
Multiple serious vulnerabilities have been found in WordPress plugins and themes. Malicious users can exploit these vulnerabilities to execute or inject arbitrary code, bypass security restrictions and read local files.
Below is the complete list of vulnerabilities:
Multiple XSS vulnerabilities were found in the Spider Facebook, Contact Form DB, WooCommerce, WP Media Cleaner, Ninja Forms, WonderPlugin Audio Player, WPML and Google Doc Embedder plugins. By exploiting these vulnerabilities, malicious users can inject arbitrary script. These vulnerabilities can be exploited remotely via unknown vectors related to the admin panel;
Multiple CSRF vulnerabilities were found in the Mobile Domain, Image Metadata Cruncher, Acobot Live Chat & Contact Form, CrossSlide jQuery, Easy Social Icons and Redirection page plugins. By exploiting these vulnerabilities, malicious users can hijack administrators' authenticated sessions. These vulnerabilities can be exploited remotely via unknown vectors related to the admin panel;
A directory traversal vulnerability was found in the Elegant Themes Divi theme. By exploiting this vulnerability, malicious users can read local files. This vulnerability can be exploited remotely via a specially crafted img parameter;
SQL injection vulnerabilities were found in the Apptha WordPress Video Gallery, WonderPlugin Audio Player, Spider Event Calendar, WPML and WordPress Survey and Poll plugins and the Photocrati theme. By exploiting these vulnerabilities, malicious users can execute arbitrary SQL commands. These vulnerabilities can be exploited remotely via vectors related to the admin panel;
An unrestricted file upload vulnerability was found in the Fusion theme. By exploiting this vulnerability, malicious users can execute arbitrary code. This vulnerability can be exploited remotely via unspecified vectors.
Public exploits exist for this vulnerability.
WordPress-unclassified-products
CVE-2015-2218 warning
CVE-2015-2220 warning
CVE-2015-2199 high
CVE-2015-2196 critical
CVE-2015-2195 warning
CVE-2015-2194 high
CVE-2015-2314 critical
CVE-2015-2315 warning
CVE-2015-2069 warning
CVE-2015-1579 critical
CVE-2015-1580 high
CVE-2015-2039 high
CVE-2015-2040 warning
CVE-2015-2216 critical
CVE-2015-2089 high
CVE-2015-2090 critical
CVE-2015-2084 high
CVE-2015-1582 warning
CVE-2015-1581 high
CVE-2015-1614 high
CVE-2015-2791 high
CVE-2015-2065 critical
CVE-2015-2792 critical
CVE-2015-1879 warning
Update to a safe version or select another plugin or theme to use.
Arbitrary code execution. Exploitation of vulnerabilities with this impact can allow an attacker to run arbitrary code or commands on the vulnerable machine or within the vulnerable process.
Code injection. Exploitation of vulnerabilities with this impact can lead to changes in the target's code.
Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by the current security settings.
Read local files. Exploitation of vulnerabilities with this impact can lead to reading files that should be inaccessible. Which files can be read depends on the specific program error.