WordPress Patreon WordPress plugin <= 1.7.1 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by the Jetpack Scan team in WordPress Patreon WordPress plugin versions <= 1.7.1. Solution: Update the WordPress Patreon WordPress plugin to the latest available version, at least 1.7.2...
WordPress Import XML and RSS Feeds plugin <= 2.0.1 - Server-Side Request Forgery (SSRF) vulnerability
Server-Side Request Forgery (SSRF) vulnerability discovered by Suzhou Aurora Infinity Information Technology Co., Ltd. in WordPress Import XML and RSS Feeds plugin versions <= 2.0.1. Solution: Update the WordPress Import XML and RSS Feeds plugin to the latest available version, at least 2.0.2...
WordPress 15zine premium theme <= 3.2.2 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Fariq Fadillah Gusti Insani in WordPress 15zine premium theme versions <= 3.2.2. Solution: Update the WordPress 15zine premium theme to the latest available version, at least 3.3.0...
WordPress Accordion plugin <= 2.2.8 - Unprotected AJAX Action leading to Stored/Reflected Cross-Site Scripting (XSS) vulnerability
Unprotected AJAX Action leading to Stored/Reflected Cross-Site Scripting (XSS) vulnerability discovered by Wordfence in WordPress Accordion plugin versions <= 2.2.8. Solution: Update the WordPress Accordion plugin to the latest available version, at least 2.2.9...
WordPress LearnPress plugin <= 3.2.6.6 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered in WordPress LearnPress plugin versions <= 3.2.6.6. Solution: Update the WordPress LearnPress plugin to the latest available version, at least 3.2.6.7...
WordPress Adaptive Images for WordPress plugin <= 0.6.66 - Local File Inclusion (LFI) vulnerability
Local File Inclusion (LFI) vulnerability found by Mark Gruffer in WordPress Adaptive Images for WordPress plugin versions <= 0.6.66. Solution: Update the WordPress Adaptive Images for WordPress plugin to the latest available version, at least 0.6.67...
WordPress ConvertPlus plugin <= 3.4.2 - Unauthenticated Arbitrary User Role Creation vulnerability
Unauthenticated Arbitrary User Role Creation vulnerability found by Wordfence in WordPress ConvertPlus plugin versions <= 3.4.2. Solution: Update the WordPress ConvertPlus plugin to the latest available version, at least 3.4.3...
WordPress Virim plugin <= 0.4 - Unauthenticated Object Injection vulnerability
Unauthenticated Object Injection vulnerability found by Magnus K. Stubman in WordPress Virim plugin versions <= 0.4. Solution: 27 May 2019 - This plugin was closed and is no longer available for download...
WordPress WP Fastest Cache plugin <= 0.8.9.0 - Unauthenticated Arbitrary File Deletion vulnerability
Unauthenticated Arbitrary File Deletion vulnerability found by Sebastian Neef in WordPress WP Fastest Cache plugin versions <= 0.8.9.0. Solution: Update the WordPress WP Fastest Cache plugin to the latest available version, at least 0.8.9.1...
WordPress Booking Calendar plugin <= 8.4.5.14 - SQL Injection (SQLi) vulnerability
SQL Injection (SQLi) vulnerability discovered by B0UG in WordPress Booking Calendar plugin versions <= 8.4.5.14. Solution: Update the WordPress Booking Calendar plugin to the latest available version, at least 8.4.5.15...
WordPress Category Order and Taxonomy Terms Order plugin <= 1.5.2.2 - Authenticated PHP Object Injection vulnerability
Authenticated PHP Object Injection vulnerability found in WordPress Category Order and Taxonomy Terms Order plugin versions <= 1.5.2.2. Solution: Update the WordPress Category Order and Taxonomy Terms Order plugin to the latest available version, at least 1.5.3...
WordPress GD Rating System plugin 2.3 - Cross-Site Scripting (XSS) vulnerability (4)
A fourth Cross-Site Scripting (XSS) vulnerability found by d4wner in WordPress GD Rating System plugin version 2.3: XSS via the panel parameter of wp-admin/admin.php on the gd-rating-system-tools page. Solution: 1/9/2018 - we were unable to find a patched version of this plugin...
WordPress Z-URL Preview plugin <= 1.6.2 - Cross-Site Scripting (XSS) vulnerability
A Cross-Site Scripting (XSS) vulnerability found by Neorichi in WordPress Z-URL Preview plugin versions <= 1.6.2. The plugin is vulnerable to cross-site scripting via the url parameter of class.zlinkpreview.php. Solution: Update the WordPress Z-URL Preview plugin to the latest available version, at least 2.0.0...
WordPress <= 4.7.4 - Post Meta Data Values Improper Handling in XML-RPC API
WordPress versions 2.5 through 4.7.4 improperly handle post meta data values in the XML-RPC (Remote Procedure Call) API. Discovered and reported by Sam Thomas. Solution: Update WordPress core to the latest possible version, at least 4.7.5...
WordPress Collne Welcart e-Commerce Plugin <= 1.8.2 - XSS
This vulnerability allows an attacker to inject arbitrary web script or HTML via unspecified vectors. Solution: Update the plugin...
WordPress E-Search Plugin <= 1.0 - Cross-Site Scripting (XSS)
Because of this vulnerability, the date-from variable appears to send unsanitized data back to the user's browser. Solution: Update the plugin...
WordPress Font Plugin <= 7.5.0 - Absolute Path Traversal
This vulnerability allows administrators to read arbitrary files via a full pathname in the "URL" parameter to AjaxProxy.php. Solution: Update the plugin...
WordPress Pie Register Plugin <= 2.0.18 - XSS
This vulnerability allows an attacker to inject arbitrary web script or HTML via the invitaioncode parameter in a pie-register page to the default URL. Solution: Update the plugin...
WordPress <= 4.3.0 - BYPASS
The vulnerability is in the XML-RPC subsystem, in wp-includes/class-wp-xmlrpc-server.php. It allows an authenticated user to bypass intended access restrictions via unspecified vectors. Solution: Update WordPress...
WordPress IBS Mappro Plugin <= 0.9 - Absolute Path Traversal
This vulnerability is in lib/download.php. It allows an attacker to read arbitrary files via a full pathname in the "file" parameter. Solution: Update the plugin...
WordPress RobotCPA Plugin - Local File Inclusion
BookX plugin's GET parameter "l" is prone to a local file inclusion vulnerability because user-supplied input is not validated. It allows an attacker to obtain potentially sensitive information. The affected file is "f.php". Solution: Update the plugin...
WordPress ZM Ajax Login & Register Plugin 1.0.9 - Local File Inclusion
Because of this vulnerability, an attacker can include a local file specified in the "template" POST parameter by exploiting the wpajaxnoprivloadtemplate action, which performs no validation. Solution: Update the plugin...
WordPress ClickBank Affiliate Ads plugin <= 1.20 - Stored Cross-Site Scripting (XSS) vulnerability
Stored Cross-Site Scripting (XSS) vulnerability discovered by Kaustubh G. Padwad in WordPress ClickBank Affiliate Ads plugin versions <= 1.20. Solution: Update the WordPress ClickBank Affiliate Ads plugin to the latest available version, at least 1.35...
WordPress <= 4.1.1 - XSS
Because of this vulnerability, an attacker can execute same-origin JavaScript functions via the "target" parameter, as demonstrated by executing a certain click function, related to init.as and fireEvent.as. Solution: Update WordPress...
WordPress Simple Ads Manager Plugin <= 2.7.96 - Multiple SQL Injection
Because of these vulnerabilities, attackers can execute arbitrary SQL commands via the "cstr" parameter in a loadposts action to sam-ajax-admin.php, the "hits" parameter in a samhits action to sam-ajax.php, the "searchTerm" parameter in a loadcombodata action to sam-ajax-admin.php or the "editor"...
WordPress WPML Plugin <= 3.1.8 - SQL Injection #2
Because of this vulnerability, attackers can execute arbitrary SQL commands via the "lang" parameter in the HTTP Referer header in a wp-link-ajax action to comments/feed. Related records:...
WordPress Image Metadata Cruncher Plugin - Multiple CSRF and XSS
Because of these vulnerabilities, attackers can hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the "imagemetadatacruncheralt" or "imagemetadatacrunchercaption" parameters. Solution: Upgrade the plugin...
WordPress Apptha Video Gallery Plugin <= 2.5 - Multiple XSS
These vulnerabilities allow authenticated users to inject arbitrary web script or HTML via the "videoadssearchQuery" parameter. Solution: Update the plugin...
WordPress Apptha Video Gallery Plugin <= 2.5 - Multiple SQL Injection
Because of these vulnerabilities, attackers can execute arbitrary SQL commands via the "videoId" parameter in a newvideo page to wp-admin/admin.php, the "vid" parameter in a myextract action to wp-admin/admin-ajax.php or the "playlistId" parameter in the newplaylist page. Solution: Update the plugin...
WordPress <= 4.0.0 - Multiple Vulnerabilities #1
There are multiple vulnerabilities in WordPress's wp-login.php, including cross-site scripting, denial of service, hash comparison, SSRF and CSRF issues. Because of these vulnerabilities, attackers can reset passwords by leveraging access to an e-mail account that received a password-reset message...
WordPress <= 4.0.0 - CSRF
Because of this vulnerability in wp-login.php, attackers can hijack the authentication of arbitrary users for requests that reset passwords. Solution: Update WordPress...
WordPress BulletProof Security Plugin <= .51 - SQL Injection
This vulnerability is in admin/htaccess/bpsunlock.php. It allows remote authenticated users to execute arbitrary SQL commands via the "tableprefix" parameter. Solution: Update the plugin...
WordPress WooCommerce plugin <= 2.2.2 - Cross-Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability discovered by Tom Adams in WordPress WooCommerce plugin versions <= 2.2.2. Solution: Update the WordPress WooCommerce plugin to the latest available version, at least 2.2.3...
WordPress EWWW Image Optimizer Plugin <= 2.0.1 - XSS
Because of this vulnerability, attackers can inject arbitrary web script or HTML via the "error" parameter in the ewww-image-optimizer.php page to wp-admin/options-general.php. Solution: Update the plugin...
WordPress <= 3.9.1 - Multiple Vulnerabilities #1
wp-includes/pluggable.php does not use delimiters when concatenating action values and uid values in CSRF tokens, which allows attackers to bypass a CSRF protection mechanism via a brute-force attack. Related records:...
WordPress Yahoo! Updates Plugin <= 1.0 - Multiple XSS
Because of these multiple vulnerabilities in yupdatesapplication.php, attackers can inject arbitrary web script or HTML via three parameters: "secret", "appid" or "key". Solution: Update the plugin...
WordPress AdRotate Plugin 3.9.4 - SQL Injection
The WordPress AdRotate plugin's clicktracker.php "track" parameter is prone to SQL injection. This vulnerability allows an attacker to modify data, compromise the application and access to it, or exploit latent vulnerabilities in the underlying database. Solution: Upgrade the plugin to 3.9.5...
WordPress VideoWhisper Live Streaming Integration Plugin <= 4.29.4 - Multiple XSS
Because of these vulnerabilities, attackers can inject arbitrary web script or HTML. Solution: Update the plugin...
WordPress <= 3.0.5
Because of this vulnerability, remote authenticated users can perform publish actions by leveraging the Contributor role. Solution: Update WordPress...
WordPress Advanced Dewplayer Plugin - Script Directory Traversal
The Advanced Dewplayer plugin is prone to a directory traversal vulnerability because it fails to sanitize user-supplied input. An attacker can obtain sensitive information that could aid in further attacks. Solution: Upgrade the plugin...
WordPress <= 3.6.0 - Cross Site Scripting #2
Because of this vulnerability, remote authenticated users can conduct cross-site scripting attacks via a crafted file; this is related to the get_allowed_mime_types function in wp-includes/functions.php. Solution: Update WordPress...
WordPress BackWPup Plugin <= 3.0.12 - XSS
Because of this vulnerability, attackers can inject arbitrary web script or HTML via the "tab" parameter to wp-admin/admin.php. Solution: Update the plugin...
WordPress ShareThis Plugin <= 7.0.5 - CSRF
Because of this vulnerability, attackers can hijack the authentication of administrators for requests that modify this plugin's settings. Solution: Update the plugin...
WordPress <= 3.5.1 - Denial of Service Attacks
This WordPress version is prone to denial of service attacks via a crafted value of a certain wp-postpass cookie. Solution: Update WordPress...
WordPress Welcart Plugin <= 1.2.1 - CSRF
Because of this vulnerability, attackers can hijack the authentication of arbitrary users for requests that complete a purchase. Solution: Update the plugin...
WordPress Quick Post Widget Plugin <= 1.9.1 - Multiple XSS
Because of these vulnerabilities, attackers can inject arbitrary web script or HTML. Solution: Update the plugin...
WordPress <= 3.4.0 - CSRF
Because of this vulnerability, attackers can hijack the authentication of unspecified victims via unknown vectors. Solution: Update WordPress...
WordPress <= 3.3.1 - BYPASS
This vulnerability allows authenticated site administrators to bypass intended access restrictions via unspecified vectors. Solution: Update WordPress...
WordPress ClickDesk Live Support Plugin 2.0 - Cross Site Scripting
The WordPress ClickDesk Live Support plugin's "cdwidget" parameter is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker...
WordPress Elegant Grunge Theme 1.0.3 - Cross Site Scripting
The WordPress Elegant Grunge theme's "s" parameter is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal...