
845 matches found

Cvelist
added 2015/01/02 7:0 p.m., 15 views

CVE-2014-9441

Multiple cross-site request forgery (CSRF) vulnerabilities in the Lightbox Photo Gallery plugin 1.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or conduct cross-site scripting (XSS) attacks via...

6.7 AI score, 0.01015 EPSS
Exploits: 1, References: 2
CVE
added 2015/01/02 7:0 p.m., 42 views

CVE-2014-9441

The CVE-2014-9441 entry concerns the WordPress Lightbox Photo Gallery 1.0 plugin, which is vulnerable to multiple CSRF (and associated XSS) flaws. According to the sources, remote attackers can hijack administrator authentication to perform actions such as changing plugin settings via unspecified...

6.8 CVSS, 6.8 AI score, 0.01015 EPSS
Exploits: 1, References: 2, Affected Software: 1
Cvelist
added 2014/12/08 4:0 p.m., 19 views

CVE-2014-9305

SQL injection vulnerability in the shortcodeProductsTable function in models/Cart66Ajax.php in the Cart66 Lite plugin before 1.5.2 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a shortcodeproductstable action to wp-admin/admin-ajax.php...

7.9 AI score, 0.03721 EPSS
Exploits: 2, References: 5
Patchstack
added 2014/12/07 12:0 a.m., 24 views

WordPress Shareaholic Plugin <= 7.6.0 - XSS

This vulnerability is in admin.php. It allows authenticated users to inject arbitrary web script or HTML via the "locationid" parameter that is in a shareaholicaddlocation action to wp-admin/admin-ajax.php. Solution: Update the plugin...

3.5 CVSS, 2.6 AI score, 0.03892 EPSS
Exploits: 5, References: 1, Affected Software: 1
NVD
added 2014/12/02 4:59 p.m., 13 views

CVE-2014-9175

SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the tableid parameter in a getwdtable action to wp-admin/admin-ajax.php...

7.5 CVSS, 8.4 AI score, 0.04737 EPSS
Exploits: 1, References: 5
Prion
added 2014/11/26 3:59 p.m., 23 views

SQL injection

Multiple SQL injection vulnerabilities in the Apptha WordPress Video Gallery (contus-video-gallery) plugin 2.5, possibly as distributed before 2014-07-23, for WordPress allow (1) remote attackers to execute arbitrary SQL commands via the vid parameter in a myextract action to wp-admin/admin-ajax.php ...

7.5 CVSS, 8.8 AI score, 0.05173 EPSS
Exploits: 2, References: 3, Affected Software: 1
0day.today
added 2014/11/26 12:0 a.m., 40 views

All-in-One WP Migration 2.0.2 Remote Code Execution Vulnerability

Exploit for php platform in category web applications. In Ai1wmImportController::import admin privileges ARE NOT checked. Function is imported as action: addaction‘wpajaximport’, ‘Ai1wmImportController::import’ in class-ai1wm-main-controller.php. It’s possible to use it through...

7.1 AI score
Exploits: 0
Exploit DB
added 2014/11/24 12:0 a.m., 23 views

WordPress Plugin wpDataTables 1.5.3 - SQL Injection

Exploit Title: Wordpress wpDataTables 1.5.3 and below SQL Injection Vulnerability
Exploit Author: Claudio Viviani
Software Link: http://wpdatatables.com (Premium)
Date: 2014-11-22
Tested on: Windows 7 / Mozilla Firefox; Windows 7 / sqlmap 0.8-1; Linux / Mozilla Firefox; Linux / sqlmap...

7.4 AI score
Exploits: 0
0day.today
added 2014/11/23 12:0 a.m., 26 views

Wordpress wpDataTables 1.5.3 SQL Injection Vulnerability

Exploit for php platform in category web applications.
Exploit Title: Wordpress wpDataTables 1.5.3 and below SQL Injection Vulnerability
Exploit Author: Claudio Viviani
Software Link: http://wpdatatables.com (Premium)
Date: 2014-11-22
Tested on: Windows 7 / Mozilla Firefox; Windows 7 / sqlmap...

7.1 AI score
Exploits: 0
exploitpack
added 2014/11/19 12:0 a.m., 27 views

WordPress Plugin Paid Memberships Pro 1.7.14.2 - Directory Traversal

Exploit Title: Paid Memberships Pro 1.7.14.2 Path Traversal
Date: 14-10-2014
Exploit Author: Kacper Szurek - http://security.szurek.pl
Software Link: https://downloads.wordpress.org/plugin/paid-memberships-pro.1.7.14.2.zip...

5 CVSS, 0.18558 EPSS
Exploits: 5
Exploit DB
added 2014/11/19 12:0 a.m., 28 views

WordPress Plugin Paid Memberships Pro 1.7.14.2 - Directory Traversal

Exploit Title: Paid Memberships Pro 1.7.14.2 Path Traversal
Date: 14-10-2014
Exploit Author: Kacper Szurek - http://security.szurek.pl
Software Link: https://downloads.wordpress.org/plugin/paid-memberships-pro.1.7.14.2.zip
Category: webapps
CVE: CVE-2014-8801
1. Description
getfile.php is...

5 CVSS, 6.5 AI score, 0.18558 EPSS
Exploits: 5
Prion
added 2014/10/21 2:55 p.m., 14 views

SQL injection

SQL injection vulnerability in GBgallery.php in the GB Gallery Slideshow plugin 1.5 for WordPress allows remote administrators to execute arbitrary SQL commands via the selected_group parameter in a gb_ajax_get_group action to wp-admin/admin-ajax.php...

6.5 CVSS, 9.1 AI score, 0.0323 EPSS
Exploits: 1, References: 3, Affected Software: 1
CVE
added 2014/10/21 2:0 p.m., 42 views

CVE-2014-8375

GB Gallery Slideshow WordPress plugin 1.5 contains a SQL injection vulnerability in GBgallery.php. The issue is exploitable via the selected_group parameter in the gb_ajax_get_group action called through wp-admin/admin-ajax.php, allowing remote attackers (with appropriate privileges) to execute a...

6.5 CVSS, 8.7 AI score, 0.0323 EPSS
Exploits: 1, References: 3, Affected Software: 1
Prion
added 2014/10/16 7:55 p.m., 21 views

Cross-site scripting

Cross-site scripting (XSS) vulnerability in the Google Calendar Events plugin before 2.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the gcefeedids parameter in a gceajax action to wp-admin/admin-ajax.php...

4.3 CVSS, 6.2 AI score, 0.02388 EPSS
Exploits: 3, References: 7, Affected Software: 1
Cvelist
added 2014/10/16 7:0 p.m., 39 views

CVE-2014-7138

Cross-site scripting (XSS) vulnerability in the Google Calendar Events plugin before 2.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the gcefeedids parameter in a gceajax action to wp-admin/admin-ajax.php...

5.7 AI score, 0.02388 EPSS
Exploits: 3, References: 7
NVD
added 2014/10/10 2:55 p.m., 26 views

CVE-2014-6315

Multiple cross-site scripting (XSS) vulnerabilities in the Web-Dorado Photo Gallery plugin 1.1.30 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) callback, (2) dir, or (3) extensions parameter in an addImages action to wp-admin/admin-ajax.php...

4.3 CVSS, 5.8 AI score, 0.02374 EPSS
Exploits: 3, References: 7
Prion
added 2014/10/10 2:55 p.m., 16 views

Cross-site scripting

Multiple cross-site scripting (XSS) vulnerabilities in the Web-Dorado Photo Gallery plugin 1.1.30 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) callback, (2) dir, or (3) extensions parameter in an addImages action to wp-admin/admin-ajax.php...

4.3 CVSS, 6.1 AI score, 0.02374 EPSS
Exploits: 3, References: 7, Affected Software: 1
Cvelist
added 2014/10/10 2:0 p.m., 34 views

CVE-2014-6315

Multiple cross-site scripting (XSS) vulnerabilities in the Web-Dorado Photo Gallery plugin 1.1.30 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) callback, (2) dir, or (3) extensions parameter in an addImages action to wp-admin/admin-ajax.php...

5.8 AI score, 0.02374 EPSS
Exploits: 3, References: 7
NVD
added 2014/09/26 9:55 p.m., 12 views

CVE-2014-7152

Cross-site scripting (XSS) vulnerability in the Easy MailChimp Forms plugin 3.0 through 5.0.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the updateoptions action to wp-admin/admin-ajax.php...

4.3 CVSS, 5.8 AI score, 0.0195 EPSS
Exploits: 1, References: 2
Prion
added 2014/09/26 9:55 p.m., 9 views

Cross-site scripting

Cross-site scripting (XSS) vulnerability in the Easy MailChimp Forms plugin 3.0 through 5.0.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the updateoptions action to wp-admin/admin-ajax.php...

4.3 CVSS, 6.2 AI score, 0.0195 EPSS
Exploits: 1, References: 2, Affected Software: 1