384 matches found

CVE
added 2015/08/18 5:0 p.m. | 34 views

CVE-2015-5481

The CVE-2015-5481 entry documents a Cross-site scripting (XSS) vulnerability in the GD bbPress Attachments WordPress plugin. Affects versions prior to 2.3, vulnerable code resides in forms/panels.php where the tab parameter of gdbbpress_attachments (on wp-admin/edit.php) is not properly filtered,...

CVSS 4.3 | AI score 6 | EPSS 0.02055
Exploits 1 | References 5 | Affected Software 1

NVD
added 2015/06/18 6:59 p.m. | 17 views

CVE-2015-4140

Cross-site request forgery (CSRF) vulnerability in the WP Smiley plugin 1.4.1 for WordPress allows remote attackers to hijack the authentication of editors for requests that conduct cross-site scripting (XSS) attacks via the s4w-more parameter to the smilies4wp.php page to wp-admin/options-general.ph...

CVSS 6.8 | AI score 6.5 | EPSS 0.01149
Exploits 1 | References 3

CVE
added 2015/06/18 6:0 p.m. | 35 views

CVE-2015-4140

CVE-2015-4140: In the WP Smiley plugin for WordPress (version 1.4.1), a CSRF vulnerability allows remote attackers to hijack the authentication of editors and carry out cross-site scripting (XSS) via the s4w-more parameter to smilies4wp.php, targeting wp-admin/options-general.php. The issue stem...

CVSS 6.8 | AI score 6.7 | EPSS 0.01149
Exploits 1 | References 3 | Affected Software 1

Prion
added 2015/06/09 2:59 p.m. | 13 views

Cross site request forgery (csrf)

Cross-site request forgery (CSRF) vulnerability in the Encrypted Contact Form plugin before 1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the iframeurl parameter in an Update Page action in the...

CVSS 6.8 | AI score 6.7 | EPSS 0.04727
Exploits 5 | References 9 | Affected Software 1

CVE
added 2015/06/09 2:0 p.m. | 73 views

CVE-2015-4010

CVE-2015-4010 concerns the WordPress plugin “Encrypted Contact Form”. The vulnerability is a CSRF that also enables reflected XSS via unsanitized iframe_url data in the Update Page operation of the conformconf page, affecting admin actions in wp-admin/options-general.php. Affected versions are 1....

CVSS 6.8 | AI score 6.4 | EPSS 0.04727
Exploits 5 | References 9 | Affected Software 1

NVD
added 2015/05/27 6:59 p.m. | 28 views

CVE-2015-4064

SQL injection vulnerability in modules/module.ab-testing.php in the Landing Pages plugin before 1.8.5 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the post parameter in an edit delete-variation action to wp-admin/post.php...

CVSS 6.5 | AI score 7.9 | EPSS 0.03748
Exploits 5 | References 4

Prion
added 2015/05/27 6:59 p.m. | 16 views

Sql injection

SQL injection vulnerability in modules/module.ab-testing.php in the Landing Pages plugin before 1.8.5 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the post parameter in an edit delete-variation action to wp-admin/post.php...

CVSS 6.5 | AI score 8.5 | EPSS 0.03748
Exploits 5 | References 4 | Affected Software 1

Cvelist
added 2015/05/27 6:0 p.m. | 31 views

CVE-2015-4064

SQL injection vulnerability in modules/module.ab-testing.php in the Landing Pages plugin before 1.8.5 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the post parameter in an edit delete-variation action to wp-admin/post.php...

AI score 7.9 | EPSS 0.03748
Exploits 5 | References 4

CVE
added 2015/05/27 6:0 p.m. | 54 views

CVE-2015-4065

Summary (CVE-2015-4065): The WordPress Landing Pages plugin (versions before 1.8.5) contains an XSS vulnerability in shared/shortcodes/inbound-shortcodes.php. An authenticated remote user can inject arbitrary script/HTML via the post parameter passed to wp-admin/post-new.php, caused by echoing u...

CVSS 3.5 | AI score 5.3 | EPSS 0.03915
Exploits 6 | References 4 | Affected Software 1

Patchstack
added 2015/05/26 12:0 a.m. | 21 views

WordPress Landing Pages Plugin <= 1.8.4 - XSS

Cross-site scripting (XSS) vulnerability in shared/shortcodes/inbound-shortcodes.php in the Landing Pages plugin before 1.8.5 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the post parameter to wp-admin/post-new.php. Solution: Upgrade the plugin...

CVSS 3.5 | AI score 3.1 | EPSS 0.03915
Exploits 6 | References 1 | Affected Software 1

Patchstack
added 2015/05/15 12:0 a.m. | 12 views

WordPress LeagueManager Plugin <= 3.7 - Cross Site Scripting

This plugin is prone to a wp-admin/admin.php multiple parameter cross site scripting vulnerability. Solution: Update the plugin...

AI score 2
Exploits 0 | References 3 | Affected Software 1

Patchstack
added 2015/05/15 12:0 a.m. | 6 views

WordPress Rockhoist Ratings Plugin <= 1.2.2 - SQL Injection

This plugin is prone to an SQL injection vulnerability in wp-admin/admin-ajax.php postID parameter. Solution: Update the plugin...

AI score 3
Exploits 0 | References 1 | Affected Software 1

Patchstack
added 2015/05/15 12:0 a.m. | 6 views

WordPress WP Photo Album Plus Plugin <= 5.0.10 - XSS

This plugin is prone to wp-admin/admin.php editid parameter cross site scripting vulnerability. Solution: Update the plugin...

AI score 1.7
Exploits 0 | References 1 | Affected Software 1

0day.today
added 2015/03/27 12:0 a.m. | 48 views

Wordpress WP Marketplace 2.4.0 - Remote Code Execution (Add WP Admin) Vulnerability

WordPress Marketplace plugin version 2.4.0 add administrator exploit that leverages a vulnerability that allows an attacker to execute any php function unauthenticated. !/usr/bin/python Exploit Name: WP Marketplace 2.4.0 Remote Command Execution Vulnerability discovered by Kacper Szurek...

AI score 0.6 | EPSS 0.47867
Exploits 5

Cvelist
added 2015/03/05 4:0 p.m. | 20 views

CVE-2015-2220

Multiple cross-site scripting (XSS) vulnerabilities in the Ninja Forms plugin before 2.8.9 for WordPress allow (1) remote attackers to inject arbitrary web script or HTML via the ninjaformsfield1 parameter in a ninjaformsajaxsubmit action to wp-admin/admin-ajax.php or (2) remote administrators to injec...

AI score 5.8 | EPSS 0.02041
Exploits 1 | References 4

Prion
added 2015/02/26 3:59 p.m. | 13 views

Cross site request forgery (csrf)

Multiple cross-site request forgery (CSRF) vulnerabilities in the CrossSlide jQuery crossslide-jquery-plugin-for-wordpress plugin 2.0.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings or conduct cross-site scripting (XSS)...

CVSS 6.8 | AI score 7 | EPSS 0.01007
Exploits 1 | References 2 | Affected Software 1

Prion
added 2015/02/25 10:59 p.m. | 19 views

Cross site request forgery (csrf)

Cross-site request forgery (CSRF) vulnerability in the Easy Social Icons plugin before 1.2.3 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the imagefile parameter in an edit action in the...

CVSS 6.8 | AI score 6.8 | EPSS 0.02621
Exploits 1 | References 5 | Affected Software 1

Prion
added 2015/02/19 3:59 p.m. | 17 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in the Google Doc Embedder plugin before 2.5.19 for WordPress allows remote attackers to inject arbitrary web script or HTML via the profile parameter in an edit action in the gde-settings page to wp-admin/options-general.php...

CVSS 4.3 | AI score 6.2 | EPSS 0.02073
Exploits 1 | References 3 | Affected Software 1

Positive Technologies
added 2015/02/11 12:0 a.m. | 7 views

PT-2015-5366

Name of the Vulnerable Software and Affected Versions: Elegant Themes Divi theme for WordPress (affected versions not specified). Description: A directory traversal issue exists in the Elegant Themes Divi theme for WordPress, allowing remote attackers to read arbitrary files. This is achieved by...

CVSS 5 | AI score 7.4 | EPSS 0.22055
Exploits 5 | References 8

Cvelist
added 2015/02/03 4:0 p.m. | 21 views

CVE-2015-1384

Cross-site scripting (XSS) vulnerability in the Banner Effect Header plugin before 1.2.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the bannereffectdivid parameter in the BannerEffectOptions page to wp-admin/options-general.php...

AI score 5.8 | EPSS 0.02046
Exploits 2 | References 4