WordPress WP RSS Multi Importer Plugin <= 3.15 - Multiple Vulnerabilities
This plugin is prone to SQL injection and cross-site scripting vulnerabilities. Because of them, remote authenticated users can execute arbitrary SQL commands and inject HTML and JavaScript. Solution Upgrade this plugin...
WordPress CKEditor Plugin <= 4.0 - Arbitrary File Upload
This plugin is prone to an arbitrary file upload vulnerability. Solution There is no fix...
WordPress Appointment Booking Calendar Plugin <= 1.1.7 - Multiple XSS
These vulnerabilities allow an attacker to inject arbitrary web script or HTML via unspecified vectors. Solution Update the plugin...
WordPress Count Per Day Plugin 3.4 - SQL Injection
The WordPress Count Per Day plugin is prone to SQL injection. This vulnerability allows an attacker to modify data, compromise access to the application, or exploit hidden vulnerabilities in the underlying database. Solution Upgrade the plugin...
WordPress Aviary Image Editor Add On For Gravity Forms Plugin - Beta Shell Upload
A remote file upload vulnerability exists in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php. Because of it, anyone can upload any file to the system. Solution Upgrade the plugin...
WordPress NewStatPress Plugin 0.9.8 - Multiple Vulnerabilities
NewStatPress plugin is prone to multiple vulnerabilities, such as authenticated SQL injection and authenticated XSS. Solution Update the plugin...
WordPress Landing Pages Plugin <= 1.8.4 - SQL Injection
This vulnerability allows an authenticated user to execute arbitrary SQL commands in an edit delete-variation action via the "post" parameter to wp-admin/post.php. Solution Upgrade the plugin...
WordPress WP Cumulus Plugin <= 1.22 - Cross Site Scripting
Because of this vulnerability, attackers can inject arbitrary JavaScript or HTML code. Solution Update the plugin...
WordPress Photocrati Theme 4.x.x - SQL Injection and XSS
Because of SQL injection and XSS vulnerabilities, an attacker can perform remote injection through the site URL and obtain important information. Solution Upgrade the theme...
WordPress Spider Facebook Plugin <= 1.0.10 - Multiple XSS
Because of these vulnerabilities, some parameters are output without sanitization. Solution Upgrade the plugin...
WordPress WPLMS Learning Management System Theme <= 1.8.4.1 - Privilege Escalation
Because of this vulnerability, attackers can obtain an administrator account on the target website. Solution Update the theme...
WordPress April's Super Functions Pack Plugin <= 1.4.7 - XSS
Because of this vulnerability in readme.php, attackers can inject arbitrary web script or HTML via the "page" parameter. Solution Update the plugin...
WordPress mTouch Quiz Plugin <= 3.0.6 - SQL Injection
Because of this vulnerability in question.php, attackers can execute arbitrary SQL commands via the "quiz" parameter to wp-admin/edit.php. Solution Update the plugin...
WordPress All in One SEO Pack Plugin <= 2.2.5 - Information Management
The All in One SEO Pack plugin is prone to an information management vulnerability. Attackers can obtain sensitive information by reading the HTML source code, because the plugin does not take password protection into account when generating the Meta Description field. Solution Update th...
WordPress Google Captcha Plugin <= 1.12 - BYPASS
Because of this vulnerability, attackers can bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors. Solution Update the plugin...
WordPress Our Team Showcase Plugin <= 1.2 - Multiple CSRF and XSS
Because of these cross-site request forgery vulnerabilities, attackers can hijack the authentication of administrators for requests. In that way, they can change plugin settings via unspecified vectors or conduct cross-site scripting attacks. Solution Update the plugin...
WordPress Sliding Social Icons Plugin <= 1.61 - Multiple CSRF and XSS
Because of these cross-site request forgery vulnerabilities, attackers can hijack the authentication of administrators for requests. In that way, they can change plugin settings via unspecified vectors or conduct cross-site scripting attacks. Solution No fix available, because the plugin has...
WordPress Relevanssi Plugin <= 3.3.7 - XSS
This vulnerability allows attackers to inject arbitrary web script or HTML via unspecified vectors. Solution Update the plugin...
WordPress Wp Unique Article Header Image Plugin <= 1.0 - Multiple CSRF and XSS
Because of these cross-site request forgery vulnerabilities, attackers can hijack the authentication of administrators for requests. In that way, they can change plugin settings via unspecified vectors or conduct cross-site scripting attacks. Solution There is no solution, because plugin is...
WordPress Simple Life Plugin <=1.2 - Multiple CSRF and XSS
Because of these cross-site request forgery vulnerabilities, attackers can hijack the authentication of administrators for requests. In that way, they can change plugin settings via unspecified vectors or conduct cross-site scripting attacks. Solution This plugin is closed...
WordPress jRSS Widget Plugin <= 1.2 - SSRF
This vulnerability is in proxy.php. It allows attackers to trigger outbound requests and enumerate open ports via the "URL" parameter. Solution Update the plugin...
WordPress Google Analytics Plugin <= 5.1.2 - XSS
Because of this vulnerability, attackers can inject arbitrary web script or HTML via the "Manually enter your UA code" field in the General Settings. Solution Update the plugin...
WordPress Nextend Facebook Connect Plugin 1.4.59 - XSS
Because of a cross-site scripting vulnerability in the Nextend Facebook Connect plugin, anyone can change plugin settings. Solution Update the plugin to version 1.5.1...
WordPress Spreadsheet Plugin <= 0.62 - SQL Injection
The Spreadsheet plugin is prone to an SQL injection vulnerability that allows attackers to execute arbitrary SQL commands via the "ssid" parameter. Solution Update the plugin...
WordPress InfusionSoft Plugin - Upload Vulnerability
The InfusionSoft plugin is prone to a vulnerability that allows arbitrary file upload and remote code execution. Solution Update the plugin...
WordPress Advanced Access Manager Plugin <= 2.8.2 - Admin User File Read/Write
Because of this vulnerability, attackers can write arbitrary content to arbitrary files. Solution Update the plugin...
WordPress WP Support Plus Responsive Ticket System Plugin 2.0 - Multiple Vulnerabilities
There are four vulnerabilities in this plugin. 1. SQL injection. 2. Full path disclosure: the full path to an uploaded file is shown to the user after the upload completes. 3. Directory traversal that allows downloading any file from the server. 4. Broken authentication...
WordPress Epic Theme - Arbitrary File Download
The Epic theme's "download.php" is prone to an arbitrary file download vulnerability. It allows an attacker to download arbitrary files from the web server and obtain potentially sensitive information. Solution Update the theme...
WordPress ShortCode Plugin 0.2.3 - Local File Inclusion
This vulnerability can be exploited to include arbitrary files. Solution Upgrade the plugin...
WordPress <= 3.9.1 - XSS
This vulnerability is in wp-includes/pluggable.php. It allows remote authenticated administrators to inject arbitrary web script or HTML, and to obtain Super Admin privileges, via a crafted avatar URL. Solution Update WordPress...
WordPress <=3.9.1 - Multiple Vulnerabilities #2
wp-includes/pluggable.php rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which allows attackers to bypass the CSRF protection mechanism via a brute-force attack. Related records:...
WordPress Lead Octopus Power Plugin - SQL Injection
The WordPress Lead Octopus Power plugin's "id" parameter is prone to SQL injection. This vulnerability allows an attacker to modify data, compromise access to the application, or exploit hidden vulnerabilities in the underlying database. Solution Upgrade the plugin...
WordPress DZS Video Gallery Plugin - Cross Site Scripting and Command Injection Vulnerabilities
Because of these vulnerabilities in the DZS Video Gallery plugin, an attacker can execute arbitrary script code in a user's browser and execute arbitrary OS commands on the server. In that way an attacker can steal cookie-based authentication credentials and launch other attacks. Solution Upgrade the plugin...
WordPress Simple Share Buttons Adder Plugin 4.4 - Multiple Vulnerabilities
The Simple Share Buttons Adder plugin is prone to multiple vulnerabilities (CSRF and XSS) that allow an attacker to convince an admin to visit a link of their choosing. Solution Update to version 4.5...
WordPress Rezgo Online Booking Plugin <= 1.8.1 - Multiple XSS
Because of these vulnerabilities, attackers can inject arbitrary web script or HTML. Solution Update the plugin...
WordPress Efence Plugin <= 1.3.2 - Multiple XSS
Because of these vulnerabilities in callback.php, attackers can inject arbitrary web script or HTML. Solution Update the plugin...
WordPress Picasa Image Plugin <=1.0 - XSS
Because of this vulnerability in picasaupload.php, attackers can inject arbitrary web script or HTML via the "postid" parameter. Solution Update the plugin...
WordPress HTML5 Video Player with Playlist Plugin <= 2.4.0 - Multiple XSS
Because of these vulnerabilities, attackers can inject arbitrary web script or HTML. Solution Update the plugin...
WordPress Contact Form Plugin <= 2.3 - XSS
Because of this vulnerability, attackers can inject arbitrary web script or HTML via the "width" parameter. Solution Update the plugin...
WordPress Easy Post Types Plugin <= 1.4.3 - XSS
Because of this vulnerability in classes/custom-image/media.php, attackers can inject arbitrary web script or HTML. Solution Update the plugin...
WordPress BookX Plugin - Local File Include
The BookX plugin's "includes/bookxexport.php" is prone to a local file include vulnerability because it fails to validate user-supplied input. It allows an attacker to obtain potentially sensitive information. Solution Update the plugin...
WordPress Booking System Plugin - SQL Injection
The WordPress Booking Calendar plugin's "bookingformid" parameter is prone to SQL injection. This vulnerability allows an attacker to modify data, compromise access to the application, or exploit hidden vulnerabilities in the underlying database. Solution Update the plugin...
WordPress BuddyPress Plugin <= 1.9.1 - XSS
Because of this vulnerability, authenticated users can inject arbitrary web script or HTML via the name field to groups/create/step/group-details. Solution Update the plugin...
WordPress OptimizePress Theme <= 1.60 - File Upload Vulnerability
Because of multiple unrestricted file upload vulnerabilities, attackers can execute arbitrary code by uploading a file with an executable extension and then accessing it. Solution Update the theme...
WordPress <= 3.8.1 - Multiple vulnerabilities
The wp_validate_auth_cookie function in wp-includes/pluggable.php does not properly determine the validity of authentication cookies. In that way attackers can obtain access via a forged cookie. Solution Update the plugin...
WordPress Jetpack Plugin <= 2.9.2 - Security BYPASS
This plugin does not properly restrict access to the XML-RPC service. In that way attackers can bypass intended restrictions and publish posts via unspecified vectors. Solution Update the plugin...
WordPress Kernel Theme - Remote File Upload
The WordPress Kernel theme is prone to a remote file upload vulnerability. The affected file is "upload-handler.php". Solution Upgrade the theme...
WordPress One Webmaster Plugin <= 8.2.3 - CSRF
Because of this vulnerability, attackers can hijack the authentication of arbitrary users for requests that insert cross-site scripting sequences. Solution Update the plugin...
WordPress WP Table Reloaded Plugin - Cross Site Scripting
The WP Table Reloaded plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may execute arbitrary script code in the browser of a user in the context of the affected site. In this way the attacker can steal cookie-based authentication...
WordPress Ripe HD FLV Player Plugin - SQL Injection
The WordPress Ripe HD FLV Player plugin is prone to an SQL injection vulnerability. It allows an attacker to gain access to the database, obtain usernames and passwords, and disclose the full path. Solution Update the plugin...