140 matches found
CVE-2016-6897
Cross-site request forgery CSRF vulnerability in the wpajaxupdateplugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the checkajaxreferer...
WordPress Royal Gallery Plugin - Arbitrary File Upload
This plugin is prone to an arbitrary file upload vulnerability. Solution Update plugin...
WordPress Power Zoomer Plugin - Arbitrary File Upload
This plugin is prone to an arbitrary file upload vulnerability. Solution Update plugin...
WordPress Power Play Gallery Plugin - Arbitrary File Upload
This plugin is prone to an arbitrary file upload vulnerability. Solution Update plugin...
WordPress Pondol Form to Mail Plugin <= 1.1 - Cross Site Scripting (XSS)
Because of this vulnerability, the variable itemid appears to send unsanitized data back to the users browser. Vulnerable file is pondol-formmail/pages/admin-mail-info.php. Solution Update the plugin...
WordPress Memphis Document Library Plugin 3.1.5 - Arbitrary File Download
Memphis Document Library plugin is prone to an arbitrary file download vulnerability. It allows an attacker to download arbitrary files from the web server and get potentially sensitive information. Solution Update the plugin...
WordPress Sender 0.7 Cross Site Scripting
Plugin Name : Sender Effected Version : 0.7 and most probably lower version's if any Vulnerability : A3-Cross-Site Scripting XSS Identified by : Madhu Akula Technical Details Minimum Level of Access Required : Administrator PoC - Proof of Concept : The following fields put the payload as below...
WordPress My Link Order Plugin <= 4.3 - Cross Site Scripting (XSS)
Because of this XSS vulnerability, authenticated users can inject HTML or JS code. Vulnerable parameters are "cats" and "hdnCatID". Solution Update the plugin...
WordPress Google Analyticator <= 6.4.9.5 - Multiple XSS
These vulnerabilities allow an attacker to inject arbitrary web script or HTML via the 1. gadownloadsprefix 2. gadownloads 3. gaadsense 4. gaadmindisableDimentionIndex 5. gaoutboundprefix parameter in the google-analyticator page to wp-admin/admin.php. Solution Update the plugin...
WordPress <= 4.2.3 - CSRF
This vulnerability is in wp-admin/post.php. It allows an attacker to hijack the authentication of administrators for requests which lock a post. And then an attacker consequently cause a denial of service via a get-post-lock action. Solution Update the plugin...
WordPress TinyMCE Plugin <= 3.5 - Cross Site Scripting
Because of this vulnerability, the attackers can inject arbitrary JavaScript or HTML code. Solution Update plugin...
WordPress External Video For Everybody Plugin <= 2.0 - XSS
Because of this vulnerability, the attackers can inject arbitrary JavaScript or HTML code. Solution Update plugin...
WordPress S3 Video Plugin <= 0.97 - Cross Site Scripting
Because of this vulnerability, the attackers can inject arbitrary JavaScript or HTML code. Solution Update plugin...
WordPress Wordfence Plugin <= 3.8.6 - Stored XSS
This plugin is prone to lib/IPTraf.php User-Agent header stored cross site scripting vulnerability. Solution Update plugin...
WordPress Floating Social Media Links Plugin <= 1.4.2 - Remote File Inclusion
This plugin is prone to fsml-admin.js.php wpp parameter remote file inclusion vulnerability. It allows attackers to obtain sensitive information. Solution Update plugin...
WordPress Subscribe2 Plugin <= 8.0 - Cross Site Scripting
Because of this vulnerability, the attackers can inject arbitrary JavaScript or HTML code. Solution Update plugin...
WordPress Work The Flow Plugin - Upload Vulnerability
This vulnerability allows an attacker to upload arbitrary PHP code and execute it. Solution Update the plugin...
WordPress Welcart Plugin <= 1.4.17 - Multiple XSS
These vulnerabilities allow the attackers to inject arbitrary web script or HTML via the "uscesreferer" parameter to: includes/edit-form-advanced.php, includes/edit-form-advanced34.php, classes/usceshop.class.php, includes/membereditform.php, includes/orderlist.php, includes/ordereditform.php,...
WordPress Page Builder Plugin <= 2.0.3 - Reflected XSS
Because of this vulnerability, the attackers can inject arbitrary web script or HTML. Solution Update the plugin...
WordPress Shareaholic Plugin <= 7.6.0 - XSS
This vulnerability is in admin.php. It allows authenticated users to inject arbitrary web script or HTML via the "locationid" parameter that is in a shareaholicaddlocation action to wp-admin/admin-ajax.php. Solution Update the plugin...