46606 matches found
WordPress Welcart Plugin <= 1.4.17 - Multiple XSS
These vulnerabilities allow attackers to inject arbitrary web script or HTML via the "uscesreferer" parameter to includes/edit-form-advanced.php, includes/edit-form-advanced34.php, classes/usceshop.class.php, includes/membereditform.php, includes/orderlist.php, includes/ordereditform.php,...
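The titles in this listing encode the affected range as "<= version" (a bare version, as in the WPDataTables entry further down, names only that version, and an entry with no version at all gives no fixed release). The Python below is an added example, not part of the listing or of any plugin's code: it parses those titles, reads the standard WordPress `Version:` header from a plugin's main file, and compares versions component-wise, so 1.4.2 is correctly treated as older than 1.4.17 rather than compared as a string. The title regex, the rule that missing components read as zero (1.8.8 equals 1.8.8.0), the treatment of unbounded entries as affected, and the sample plugin header are this example's own assumptions, not the database's logic.

```python
"""Is my install in the affected range? Added example for this listing
(not part of the listing, and not any plugin's code).

Assumptions: "WordPress <Name> Plugin <= X - <Kind>" means every version up to
and including X is affected; a bare version ("Plugin 1.5.3") means that version
only; no version at all means the whole component is treated as affected;
versions compare component-wise with missing components read as zero.
"""
import re
from typing import Optional

TITLE_RE = re.compile(
    r"^WordPress"
    r"(?: (?P<name>.+?) (?P<type>Plugin|Theme))?"  # absent for WordPress core entries
    r"(?: (?P<op><=)?\s*(?P<max>\d[\w.]*))?"        # "<= 1.4.17", "<=1.8.8.0" or a bare "1.5.3"
    r" - (?P<kind>.+)$"
)

# Matches the standard plugin/theme header line " * Version: 1.4.17".
HEADER_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(?P<v>\S+)", re.MULTILINE)


def parse_title(title: str) -> dict:
    """Split a listing title into component, affected-version bound and vulnerability class."""
    m = TITLE_RE.match(title)
    if not m:
        raise ValueError(f"unrecognised title: {title!r}")
    return {
        "name": m.group("name") or "WordPress",
        "type": m.group("type") or "core",
        "max": m.group("max"),               # None when the title names no version
        "inclusive": m.group("op") == "<=",  # False for a bare version: only that version
        "kind": m.group("kind"),
    }


def version_key(version: str):
    """Numeric components as ints plus the first non-numeric tag ("beta", "rc1"), if any."""
    numeric, tag = [], ""
    for part in re.split(r"[.\-_+]", version.strip().lower()):
        if part.isdigit():
            numeric.append(int(part))
        else:
            tag = part  # a pre-release tag sorts below the untagged release
            break
    return tuple(numeric), tag


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1; numeric, not lexicographic, so 1.4.2 < 1.4.17."""
    (na, ta), (nb, tb) = version_key(a), version_key(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))  # assumption: 1.8.8 is read as 1.8.8.0
    nb += (0,) * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if ta == tb:
        return 0
    if not ta:  # an untagged release beats any pre-release of the same number
        return 1
    if not tb:
        return -1
    return -1 if ta < tb else 1


def installed_version(plugin_file_text: str) -> Optional[str]:
    """Read the Version: field from a plugin's or theme's header comment."""
    m = HEADER_VERSION_RE.search(plugin_file_text)
    return m.group("v") if m else None


def is_affected(title: str, installed: str) -> bool:
    """Does the installed version fall inside the title's affected range?"""
    entry = parse_title(title)
    if entry["max"] is None:
        return True  # no fixed version named: assume affected until the advisory says otherwise
    cmp = compare_versions(installed, entry["max"])
    return cmp <= 0 if entry["inclusive"] else cmp == 0


def triage(titles, installed_by_name: dict) -> list:
    """Titles whose component is installed here in an affected version."""
    hits = []
    for title in titles:
        entry = parse_title(title)
        version = installed_by_name.get(entry["name"])
        if version is not None and is_affected(title, version):
            hits.append(title)
    return hits


# Titles taken from the listing above.
LISTING_TITLES = [
    "WordPress Welcart Plugin <= 1.4.17 - Multiple XSS",
    "WordPress WPDataTables Plugin 1.5.3 - SQL Injection",
    "WordPress Simple Dropbox Upload Plugin <=1.8.8.0 - Unrestricted File Upload",
    "WordPress WP EasyCart Plugin - Unrestricted File Upload",
    "WordPress <= 4.0.0 - XSS #3",
]

# Constructed plugin header for the demo (not a real file from any plugin).
SAMPLE_PLUGIN_FILE = """<?php
/**
 * Plugin Name: Welcart
 * Description: constructed sample header
 * Version: 1.4.2
 */
"""

if __name__ == "__main__":
    installed = {
        "Welcart": installed_version(SAMPLE_PLUGIN_FILE),  # "1.4.2"
        "WPDataTables": "1.5.4",
        "Simple Dropbox Upload": "1.8.8",
        "WordPress": "4.0.1",
    }
    for hit in triage(LISTING_TITLES, installed):
        print("AFFECTED:", hit)
```

With the constructed inventory the script reports Welcart (1.4.2 is inside <= 1.4.17) and Simple Dropbox Upload (1.8.8 read as 1.8.8.0), and stays silent on WPDataTables 1.5.4 and WordPress 4.0.1. Treat the zero-padding and "no version means affected" rules as triage defaults and confirm against the advisory text before closing a finding.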
WordPress QAEngine Theme - Privilege Escalation
This vulnerability allows attackers to obtain an administrator account on the target website. Solution Update the theme...
WordPress WPML Plugin <= 3.1.8 - SQL Injection #1
A flaw in the "menu sync" function allows remote attackers to delete arbitrary posts, pages and menus via a crafted request to sitepress-multilingual-cms/menu/menus-sync.php. Related records:...
WordPress SEO by Yoast Plugin <= 1.7.3 - Multiple Vulnerabilities
Multiple cross-site request forgery vulnerabilities exist in admin/class-bulk-editor-list-table.php. They allow attackers to hijack the authentication of certain users for requests that conduct SQL injection attacks. Solution Update the plugin...
WordPress Redirection Page Plugin <= 1.2 - Multiple CSRF and XSS
This plugin is prone to multiple cross-site request forgery and cross-site scripting vulnerabilities, which allow an attacker to change plugin settings via the "source" or "redir" parameters. Solution Update the plugin...
WordPress WP EasyCart Plugin - Unrestricted File Upload
The WP EasyCart plugin is prone to an unrestricted file upload vulnerability because /inc/amfphp/administration/banneruploaderscript.php does not properly validate user-uploaded files. An attacker can execute the uploaded script with the privileges of the web server by making a direct request to th...
WordPress JS Multi Hotel Plugin <= 2.2.1 - XSS
A cross-site scripting vulnerability in includes/deleteimg.php allows attackers to inject arbitrary web script or HTML via the "path" parameter. Solution Update the plugin...
WordPress Photocrati Theme - Cross Site Scripting
A vulnerability in photocrati-gallery/ecomm-sizes.php allows attackers to inject arbitrary web script or HTML via the "prodid" parameter. Solution Update the theme...
WordPress mTouch Quiz Plugin <= 3.0.6 - Multiple XSS
These vulnerabilities in question.php allow attackers to inject arbitrary web script or HTML via the "quiz" parameter to wp-admin/edit.php. Solution Update the plugin...
WordPress JS Multi Hotel Plugin <= 2.2.1 - Multiple Vulnerabilities
These vulnerabilities allow attackers to obtain the installation path (full path disclosure) via a request to widget.php, functions.php, myCalendar.php, showimage.php, refreshDate.php, phpthumb/thumbplugins/gdreflection.inc.php or phpthumb/GdThumb.inc.php in includes/. Solution Update the plugin...
WordPress Unconfirmed Plugin <= 1.2.4 - XSS
This vulnerability allows attackers to inject arbitrary web script or HTML via the "s" parameter. Solution Update the plugin...
WordPress Another WordPress Classifieds Plugin - XSS
This vulnerability allows attackers to inject arbitrary web script or HTML via the query string to the default URI. Solution Update the plugin...
WordPress Sodahead Polls Plugin <= 2.0.3 - Multiple XSS
These vulnerabilities allow attackers to inject arbitrary web script or HTML. Solution Update the plugin...
WordPress PWG Random Plugin <= 1.11 - Multiple CSRF and XSS
These cross-site request forgery vulnerabilities allow attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors or conduct cross-site scripting attacks. Solution This plugin is closed...
WordPress wpCommentTwit Plugin <= 0.5 - Multiple CSRF and XSS
These cross-site request forgery vulnerabilities allow attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors or conduct cross-site scripting attacks. Solution This plugin is closed...
WordPress Digital Zoom Studio Plugin - XSS
Multiple cross-site scripting (XSS) vulnerabilities exist in deploy/designer/preview.php. They allow attackers to inject arbitrary web script or HTML via the "swfloc" or "designrand" parameter. Solution Update the plugin...
WordPress WPDataTables Plugin 1.5.3 - SQL Injection
The WPDataTables plugin is prone to an SQL injection vulnerability. It allows an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Solution Upgrade the plugin...
WordPress <= 4.0.0 - XSS #3
A vulnerability in the "media-playlists" function allows attackers to inject arbitrary web script or HTML via unspecified vectors. Related records: http://db.threatpress.com/vulnerability/wordpress/wordpress-4-0-0-xss...
WordPress XCloner Plugin <= 3.1.1 - Multiple Vulnerabilities
This plugin has multiple vulnerabilities, including arbitrary command execution, clear-text MySQL password exposure through an HTML text box in the configuration panel, MySQL password exposure in the process table, database backups exposed to local users due to open file permissions, authenticated...
WordPress Download Manager Plugin - Arbitrary File Download
This vulnerability allows attackers to read arbitrary files via the "fname" parameter to views/filedownload.php or filedownload.php. Solution Update the plugin...
WordPress Enfold Theme <= 3.0.0 - Unspecified Vulnerability
An unspecified vulnerability in the framework folder of this theme has unknown impact and attack vectors. Solution Update the theme...
WordPress Contact Form 7 Integrations Plugin <= 1.3.10 - Multiple XSS
These vulnerabilities in includes/toAdmin.php allow attackers to inject arbitrary web script or HTML via the "uE" or "uC" parameter. Solution Update the plugin...
WordPress Content Audit Plugin <= 1.6.0 - SQL Injection
An SQL injection vulnerability in content-audit-schedule.php in the Content Audit plugin before 1.6.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the "Audited content types" option on the content-audit page of wp-admin/options-general.php. Solution Update the plugin...
WordPress WP Content Source Control Plugin - Directory Traversal
The WP Content Source Control plugin is prone to a directory traversal vulnerability in "download.php" because it fails to sanitize user-supplied input. An attacker can exploit this to obtain sensitive information that could aid in further attacks. Solution Upgrade the plugin...
WordPress Postcard Theme - Remote Code Execution
A bug in this theme allows any website visitor to run any shortcode and see its output. This gives unauthenticated visitors the same power to execute code on the server as regular publishers have. Solution Update the theme...
WordPress ZooEffect Plugin <= 1.08 - Reflected XSS
This plugin is prone to a reflected cross-site scripting vulnerability via the HTTP Referer header. Solution Update the plugin...
WordPress Skeptical Theme - Remote Code Execution
A bug in this theme allows any website visitor to run any shortcode and see its output. This gives unauthenticated visitors the same power to execute code on the server as regular publishers have. Solution Update the theme...
WordPress Gallery Objects Plugin 0.4 - SQL Injection
The Gallery Objects plugin is prone to an SQL injection vulnerability. It allows an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Solution Update the plugin...
WordPress Custom Banners Plugin <= 1.2.2.2 - XSS
This vulnerability allows attackers to inject arbitrary web script or HTML via the "custombannersregisteredname" parameter to wp-admin/options.php. Solution Update the plugin...
WordPress WP Consultant Plugin <= 1.0 - XSS
This vulnerability in admin/adminshowdialogs.php allows attackers to inject arbitrary web script or HTML via the "dialogid" parameter. Solution Update the plugin...
WordPress Rezgo Plugin <= 1.4.2 - XSS
This vulnerability allows attackers to inject arbitrary web script or HTML via the "response" parameter. Solution Update the plugin...
WordPress WP Social Invitations Plugin <= 1.4.4.2 - XSS
This vulnerability in test.php allows attackers to inject arbitrary web script or HTML via the "xhrurl" parameter. Solution Update the plugin...
WordPress Social Login Plugin <= 2.0.3 - XSS
This vulnerability in services/diagnostics.php allows attackers to inject arbitrary web script or HTML via the "xhrurl" parameter. Solution Update the plugin...
WordPress BIC Media Widget Plugin <= 1.0 - XSS
This vulnerability allows attackers to inject arbitrary web script or HTML via the "param" parameter. Solution Update the plugin...
WordPress WebEngage Plugin <= 2.0.0 - XSS
This vulnerability in resize.php allows attackers to inject arbitrary web script or HTML via the "height" parameter; renderer.php and callback.php are also affected. Solution Update the plugin...
WordPress Member Approval Plugin <= 131109 - CSRF
A cross-site request forgery (CSRF) vulnerability in the Member Approval plugin 131109 for WordPress allows remote attackers to hijack the authentication of administrators for requests that reset plugin settings to their defaults and disable registration approval via a request to...
WordPress TinyMCE Color Picker Plugin <= 1.1 - Security Bypass
This vulnerability allows attackers to modify plugin settings via unspecified vectors. Solution Update the plugin...
WordPress NextCellent Gallery Plugin <= 1.19.17 - XSS
This vulnerability in admin/manage-images.php allows authenticated users to inject arbitrary web script or HTML via the "Alt & Title Text" field. Solution Update the plugin...
WordPress Ajax Pagination Plugin 1.1 - Local File Inclusion
The Ajax Pagination plugin is prone to a local file inclusion vulnerability. It is exploitable by an unauthenticated user, who can include any local file ending in ".php" that is readable by the web server user. Solution Upgrade the plugin...
WordPress File Gallery Plugin <= 1.7.9.1 - Arbitrary Code Execution
This plugin does not properly escape strings, which allows remote administrators to execute arbitrary PHP code. Solution Update the plugin...
WordPress <= 3.0.1 - Multiple XSS
These vulnerabilities allow remote servers to inject arbitrary web script or HTML by providing a crafted error message for an FTP or SSH connection attempt. Solution Update WordPress...
WordPress <= 3.3.2 - Multiple Vulnerabilities
These vulnerabilities allow attackers to obtain sensitive information or bypass intended media-attachment restrictions via a "postid" value. Solution Update WordPress...
WordPress Newsletter Manager Plugin <= 1.0.2 - XSS
This vulnerability in admin/testmail.php allows attackers to inject arbitrary web script or HTML via the "id" parameter. Solution Update the plugin...
WordPress FormCraft Plugin - SQL Injection
The FormCraft plugin is prone to an SQL injection vulnerability. It allows an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Solution Upgrade the plugin...
WordPress Social Sharing Toolkit Plugin <= 2.1.1 - XSS
This vulnerability allows attackers to inject arbitrary web script or HTML via unspecified vectors. Solution Update the plugin...
WordPress Simple Dropbox Upload Plugin <= 1.8.8.0 - Unrestricted File Upload
This vulnerability in multi.php allows attackers to execute arbitrary code by uploading a file with an executable extension and then accessing it via a direct request to the file in wp-content/uploads/wpdb/. Solution Update the plugin...
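Several entries above name the exact request shape an attack leaves in the web server log: the Download Manager arbitrary file download via the "fname" parameter to views/filedownload.php, the JS Multi Hotel "path" parameter to includes/deleteimg.php, the WP EasyCart upload handler at /inc/amfphp/administration/banneruploaderscript.php, and the Simple Dropbox Upload pattern of uploading a script and then requesting it under wp-content/uploads/wpdb/. The Python below is an added example, not part of the listing or of any plugin: it parses common/combined-format access logs and flags those shapes. It assumes that the file-path parameters are abused with traversal sequences or absolute paths (possibly double URL-encoded), that a request for a .php/.phtml/.phar file under the uploads tree is never legitimate, and that browsers never request the uploader script directly; the plugin directory names in the sample log and the log lines themselves are constructed for the demo.

```python
"""Access-log triage for request shapes this listing describes.

Added example, not part of the listing or of any plugin. Assumptions: logs are in
Apache/nginx common or combined format; an attacker abusing the arbitrary file
download (views/filedownload.php, "fname") or deleteimg.php ("path") supplies a
traversal sequence or absolute path, possibly double URL-encoded; a file planted
through the unrestricted upload (wp-content/uploads/wpdb/) is then fetched directly.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Parameters the listing identifies as taking a file path.
PATH_PARAMS = {"fname", "path"}
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# Extensions a PHP handler commonly executes (assumption about the server config).
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)$")
UPLOADER_SCRIPT = "/inc/amfphp/administration/banneruploaderscript.php"


def decode_fully(s: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding so %252e%252e%252f collapses to ../ before matching."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_line(line: str):
    """Return the log fields as a dict, or None for a line that is not a request record."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Findings for one parsed request as (rule, detail) pairs; empty when nothing matched."""
    parts = urlsplit(entry["target"])
    path = decode_fully(parts.path).lower()
    params = parse_qs(parts.query, keep_blank_values=True)  # parse_qs decodes one layer itself
    findings = []
    # 1. Traversal or absolute path in a parameter the listing says names a file.
    for name in PATH_PARAMS & set(params):
        for raw in params[name]:
            value = decode_fully(raw).replace("\\", "/")
            if TRAVERSAL_RE.search(value) or value.startswith("/"):
                findings.append(("traversal_in_path_param", f"{name}={value}"))
    # 2. A script requested out of the uploads tree: the upload-then-request pattern.
    if "/wp-content/uploads/" in path and SCRIPT_EXT_RE.search(path):
        findings.append(("script_under_uploads", parts.path))
    # 3. A direct request for the EasyCart uploader script.
    if path.endswith(UPLOADER_SCRIPT):
        findings.append(("direct_uploader_request", parts.path))
    return findings


def scan(log_text: str) -> list:
    """(ip, rule, detail) for every suspicious request in the log text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for rule, detail in classify(entry):
            hits.append((entry["ip"], rule, detail))
    return hits


# Constructed sample log (RFC 5737 addresses; plugin directory names are illustrative).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:10:01:02 +0000] "GET /wp-content/plugins/download-manager/views/filedownload.php?fname=../../../wp-config.php HTTP/1.1" 200 3120
203.0.113.7 - - [10/Mar/2015:10:01:09 +0000] "GET /wp-content/plugins/download-manager/views/filedownload.php?fname=%252e%252e%252fwp-config.php HTTP/1.1" 200 3120
198.51.100.4 - - [10/Mar/2015:10:03:44 +0000] "POST /wp-content/plugins/wp-easycart/inc/amfphp/administration/banneruploaderscript.php HTTP/1.1" 200 17
198.51.100.4 - - [10/Mar/2015:10:03:51 +0000] "GET /wp-content/uploads/wpdb/shell.php?cmd=id HTTP/1.1" 200 88
192.0.2.9 - - [10/Mar/2015:10:05:00 +0000] "GET /wp-content/plugins/download-manager/views/filedownload.php?fname=brochure.pdf HTTP/1.1" 200 51022
192.0.2.9 - - [10/Mar/2015:10:05:03 +0000] "GET /wp-content/uploads/2015/03/photo.jpg HTTP/1.1" 200 24410
"""

if __name__ == "__main__":
    for ip, rule, detail in scan(SAMPLE_LOG):
        print(f"{ip:15} {rule:26} {detail}")
```

On the constructed log the scan flags both traversal attempts (including the double-encoded one, which a single decode would miss), the direct hit on the uploader script, and the shell fetched from the uploads directory, while the legitimate brochure download and image request produce nothing. The decoding loop is capped because unbounded decoding lets a crafted string keep the matcher busy; three rounds cover the single- and double-encoding seen in practice.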
WordPress Related Posts Plugin <= 1.3.1 - CSRF
This vulnerability allows attackers to hijack the authentication of unspecified users for requests that change settings via unknown vectors. Solution Update the plugin...
WordPress Download Monitor Plugin <= 3.3.6.1 - XSS #2
This vulnerability in admin/admin.php allows attackers to inject arbitrary web script or HTML via the "p" parameter. Solution Update the plugin...
WordPress Maintenance Mode Plugin <= 1.8.7 - CSRF
This vulnerability allows attackers to hijack the authentication of arbitrary users for requests that modify the plugin's settings. Solution Update the plugin...
WordPress GRAND FlAGallery Plugin <= 2.71 - XSS
This vulnerability in wp-admin/admin.php allows attackers to inject arbitrary web script or HTML via the "s" parameter in a flag-manage-gallery action. Solution Update the plugin...