14603 matches found
Mobile App Native <= 3.0 - Remote File Upload
The code in file ./zen-mobile-app-native/server/images.php doesn't require authentication or check that the user is allowed to upload content. It also doesn't sanitize the file upload against executable code. PoC $ curl -F "file=@/var/www/shell.php"...
rockhoist-badges 1.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
The rockhoist-badges WordPress plugin was affected by an Authenticated Stored Cross-Site Scripting XSS security vulnerability...
Time Sheets < 1.5.2 - Multiple XSS
The Time Sheets WordPress plugin was affected by a Multiple XSS security vulnerability...
Nelio AB Testing <= 4.5.8 - Server Side Request Forgery (SSRF)
The Nelio AB Testing WordPress plugin was affected by a Server Side Request Forgery SSRF security vulnerability...
Simplified Content <= 1.0.0 - XSS
The Simplified Content WordPress plugin was affected by a XSS security vulnerability...
Estatik < 2.3.1 - Arbitrary File Upload
The Estatik Real Estate Plugin WordPress plugin was affected by an Arbitrary File Upload security vulnerability...
Adblock Blocker 0.0.1 - Arbitrary File Upload
The addblockblocker WordPress plugin was affected by an Arbitrary File Upload security vulnerability...
WordPress 4.5.2 - Password Change via Stolen Cookie
...
Jetpack <= 4.0.3 - Multiple Vulnerabilities
Jetpack 4.0.4 fixes 3 security bugs: Private feedback form entries were made available publicly via the REST API Post By Email settings could be changed The Likes module was vulnerable to XSS...
Fluid Responsive Slideshow < 2.2.7 - CSRF & XSS
The Fluid Responsive Slideshow WordPress plugin was affected by a CSRF & XSS security vulnerability...
Gnucommerce < 0.5.7-beta - XSS
The GNUCommerce WordPress plugin was affected by a XSS security vulnerability...
Tevolution <= 2.2.7 - Unrestricted File Upload
Files 'single-upload.php' and 'singleupload.php' affected...
Pondol Form to Mail <= 1.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The pondol-formmail WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability...
WPSOLR <= 8.6 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The WPSOLR - Elasticsearch and Solr search WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting XSS security vulnerability. PoC...
GoCodes <= 1.3.5 - Authenticated XSS & Blind SQL Injection
The gocodes WordPress plugin was affected by an Authenticated XSS & Blind SQL Injection security vulnerability...
NextGen Gallery < 2.1.15 - Path Traversal
The WordPress Gallery Plugin – NextGEN Gallery WordPress plugin was affected by a Path Traversal security vulnerability...
MDC Private Message <= 1.0.0 - Authenticated Stored Cross-Site Scripting (XSS)
The mdc-private-message WordPress plugin was affected by an Authenticated Stored Cross-Site Scripting XSS security vulnerability...
Tag Miner <= 1.1.2 - Cross-Site Request Forgery (CSRF) & XSS
The Tag Miner Automatic Tag Extraction WordPress plugin was affected by a Cross-Site Request Forgery CSRF & XSS security vulnerability...
WP Ultimate Csv Importer < 3.8.1 - XSS
The Import and Export WordPress Data as CSV or XML WordPress plugin was affected by a XSS security vulnerability...
WordPress <= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)
...
qTranslate <= 2.5.39 - Cross-Site Scripting (XSS)
The qtranslate WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
Paid Memberships Pro 1.8.4.2 - Cross-Site Scripting (XSS)
The Paid Memberships Pro WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
Awesome Filterable Portfolio <= 1.8.6 - Authenticated Blind SQL Injection
The Awesome Filterable Portfolio WordPress plugin was affected by an Authenticated Blind SQL Injection security vulnerability...
Codestyling Localization <= 1.99.30 - Multiple CSRF
Plugin is still affected and has been closed...
CP Polls < 1.0.5 - XSS
The Polls CP WordPress plugin was affected by a XSS security vulnerability...
Showbiz Pro <= 1.7.1 - Shell Upload
The showbizpro WordPress plugin was affected by a Shell Upload security vulnerability...
Ad Inserter 1.5.2 - CSRF & XSS
The Ad Inserter – Ad Manager & AdSense Ads WordPress plugin was affected by a CSRF & XSS security vulnerability...
All In One WP Security And Firewall < 3.9.5 - XSS
The All In One WP Security & Firewall WordPress plugin was affected by a XSS security vulnerability...
Jetpack 3.0-3.4.2 - Cross-Site Scripting (XSS)
The Jetpack – WP Security, Backup, Speed, & Growth WordPress plugin was affected by a Cross-Site Scripting XSS security vulnerability...
VideoWhisper Video Conference Integration 4.91.8 - Remote File Upload
Vendor marked as won't fix. See references...
Gravity Forms 1.8 <= 1.9.3.5 - Authenticated Blind SQL Injection
Title: Gravity Forms 1.8 = 1.9.3.5 - Blind SQL Injection CVE-2015-2260 Version/s Tested: 1.9.3.1 Description: Gravity Forms is one of the most popular WordPress plugins gravityforms used to create forms for WordPress sites. The latest version at the time of writing 1.9.3.5 contains an authenticat...
Holding Pattern Theme <= 0.6 - Arbitrary File Upload
An attacker can exploit this vulnerability to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation. Disclosure timeline: 2015-01-14 Vendor Alerted via email. 2015-01-14 Fix Requested via email. 2015-01-14...
Image Metadata Cruncher - Multiple Cross-Site Scripting (XSS)
The image-metadata-cruncher WordPress plugin was affected by a Multiple Cross-Site Scripting XSS security vulnerability...
Feed Them Social < 1.7.0 - XSS & Arbitrary Shortcode Execution
The Feed Them Social – for Twitter feed, Youtube, Pinterest and more WordPress plugin was affected by a XSS & Arbitrary Shortcode Execution security vulnerability...
W3 Total Cache <= 0.9.4 - Cross-Site Request Forgery (CSRF)
The plugin does not validate the 'wpnonce' anti-CSRF token. This issue can be used to perform many actions. The most significant action with the biggest impact is the ability to redirect users to malicious websites. Functionality exists where specific user agent strings can be configured to be...
DukaPress <= 2.5.3 - Unauthenticated Path Traversal
The DukaPress WordPress plugin was affected by an Unauthenticated Path Traversal security vulnerability...
CP Polls < 1.0.1 - XSS
The Polls CP WordPress plugin was affected by a XSS security vulnerability...
XCloner - Backup and Restore < 3.1.2 - Multiple Vulnerabilities (RCE & LFI)
The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin was affected by a Backup and Restore 3.1.2 - Multiple Vulnerabilities RCE & LFI security vulnerability...
Enfold < 3.0.1 - Unspecified Issue
The enfold WordPress theme was affected by an Unspecified Issue security vulnerability...
Quartz Plugin 1.01.1 - SQL Injection
The quartz WordPress plugin was affected by a SQL Injection security vulnerability...
All In One WP Security plugin 3.8.2 - 2xSQL Injections
The All In One WP Security & Firewall WordPress plugin was affected by a 2xSQL Injections security vulnerability...
I Recommend This < 3.7.3 - SQL Injection
The I Recommend This WordPress plugin was affected by a SQL Injection security vulnerability...
Wordfence 5.2.4 - IPTraf.php URI Request Stored XSS
The Wordfence Security – Firewall & Malware Scan WordPress plugin was affected by an IPTraf.php URI Request Stored XSS security vulnerability...
Improved User Search in Backend < 1.2.6 - CSRF & XSS
The Improved user search in backend WordPress plugin was affected by a CSRF & XSS security vulnerability...
Disqus <= 2.75 - Cross-Site Scripting (XSS) & CSRF
The Disqus Comment System WordPress plugin was affected by a Cross-Site Scripting XSS & CSRF security vulnerability...
DejaVu 2.4 - dl-skin.php _mysite_download_skin Parameter Absolute Path Traversal Remote File Download
The dejavu WordPress theme was affected by a dl-skin.php mysitedownloadskin Parameter Absolute Path Traversal Remote File Download security vulnerability...
Bulteno - Remote File Upload
The bulteno-theme WordPress theme was affected by a Remote File Upload security vulnerability...
AskApache Firefox Adsense 3.0 - Unspecified CSRF
The askapache-firefox-adsense WordPress plugin was affected by an Unspecified CSRF security vulnerability...
Social Sharing Toolkit 2.1.1 - Setting Manipulation CSRF
The Social Sharing Toolkit WordPress plugin was affected by a Setting Manipulation CSRF security vulnerability...
platinum_seo_pack.php - s Parameter Reflected XSS
The Platinum SEO WordPress plugin was affected by a s Parameter Reflected XSS security vulnerability...