About “WordPress”

A curated feed of “WordPress”-related CVEs appears below. We currently track 18152 CVEs for this tag (all time). In the last 365 days, 4094 were published. Average CVSS is 6.3 (all time; 6.3 over 365d), and 27% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-862 - Missing Authorization, CWE-352 - Cross-Site Request Forgery (CSRF).

In our taxonomy this topic maps to a MODERATE impact class. CMS and plugins expand attack surface. Patch core, themes, and plugins, remove abandoned extensions, restrict admin access, enable WAF, and keep backups. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

2019-09-20
Medium

CVE-2015-9397

The gocodes plugin through 1.3.5 for WordPress has wp-admin/tools.php deletegc XSS.

Medium

CVE-2015-9396

The auto-thickbox-plus plugin through 1.9 for WordPress has wp-content/plugins/auto-thickbox-plus/download.min.php?file= XSS.

High

CVE-2015-9395

The users-ultra plugin before 1.5.64 for WordPress has SQL Injection via an ajax action.

High

CVE-2015-9394

The users-ultra plugin before 1.5.63 for WordPress has CSRF via action=package_add_new to wp-admin/admin-ajax.php.

Medium

CVE-2015-9393

The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_desc parameter.

Medium

CVE-2015-9392

The users-ultra plugin before 1.5.63 for WordPress has XSS via the p_name parameter.

Medium

CVE-2016-11013

The wp-listings plugin before 2.0.2 for WordPress has includes/views/single-listing.php XSS.

Medium

CVE-2016-11012

The sola-support-tickets plugin before 3.13 for WordPress has incorrect access control for /wp-admin with resultant XSS.

Medium

CVE-2016-11011

The wp-invoice plugin before 4.1.1 for WordPress has wpi_update_user_option privilege escalation.

Medium

CVE-2016-11010

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_twocheckout payer metadata updates.

Medium

CVE-2016-11009

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_interkassa payer metadata updates.

Medium

CVE-2016-11008

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_paypal payer metadata updates.

Medium

CVE-2016-11007

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_user_id for invoice retrieval.

Medium

CVE-2016-11006

The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control for admin_init settings changes.

Medium

CVE-2016-11005

The instalinker plugin before 1.1.2 for WordPress has includes/instalinker-admin-preview.php?client_id= XSS.

High

CVE-2016-11004

The Elegant Themes Monarch plugin before 1.2.7 for WordPress has privilege escalation.

High

CVE-2016-11003

The Elegant Themes Bloom plugin before 1.1.1 for WordPress has privilege escalation.

High

CVE-2016-11002

The Elegant Themes Extra theme before 1.2.4 for WordPress has privilege escalation.

Medium

CVE-2016-11001

The user-submitted-posts plugin before 20160215 for WordPress has XSS via the user-submitted-content field.

Critical

CVE-2016-11000

The wp-ultimate-exporter plugin through 1.1 for WordPress has SQL injection via the export_type_name parameter.

Medium

CVE-2016-10999

The Goodnews theme through 2016-02-28 for WordPress has XSS via the s parameter.

Medium

CVE-2016-10998

The ocim-mp3 plugin through 2016-03-07 for WordPress has wp-content/plugins/ocim-mp3/source/pages.php?id= XSS.

Medium

CVE-2016-10997

The beauty-premium theme 1.0.8 for WordPress has CSRF with resultant arbitrary file upload in includes/sendmail.php.

Medium

CVE-2016-10996

The optinmonster plugin before 1.1.4.6 for WordPress has incorrect access control for shortcodes because of a nonce leak.

Medium

CVE-2015-9391

The yawpp plugin through 1.2.2 for WordPress has XSS via the field1 parameter.

Medium

CVE-2015-9390

The admin-management-xtended plugin before 2.4.0.1 for WordPress has privilege escalation because wp_ajax functions are mishandled.

Medium

CVE-2015-9389

The mtouch-quiz plugin before 3.1.3 for WordPress has XSS via a quiz name.

Medium

CVE-2015-9388

The mtouch-quiz plugin before 3.1.3 for WordPress has wp-admin/edit.php CSRF with resultant XSS.

Medium

CVE-2015-9387

The mtouch-quiz plugin before 3.1.3 for WordPress has wp-admin/options-general.php CSRF.

Medium

CVE-2015-9386

The mtouch-quiz plugin before 3.1.3 for WordPress has XSS via the quiz parameter during a Quiz Manage operation.

Medium

CVE-2015-9385

The quotes-and-tips plugin before 1.20 for WordPress has XSS.

Medium

CVE-2015-9384

The relevant plugin before 1.0.8 for WordPress has XSS.

2019-09-19
Medium

CVE-2019-16525

An XSS issue was discovered in the checklist plugin before 1.1.9 for WordPress. The fill parameter is not correctly filtered in the checklist-icon.php file, and it is possible to inject JavaScript co…

2019-09-18
Critical

CVE-2016-10995

The Tevolution plugin before 2.3.0 for WordPress has arbitrary file upload via single_upload.php or single-upload.php.

Medium

CVE-2016-10994

The Truemag theme 2016 Q2 for WordPress has XSS via the s parameter.

2019-09-17
Medium

CVE-2016-10993

The ScoreMe theme through 2016-04-01 for WordPress has XSS via the s parameter.

Medium

CVE-2016-10992

The music-store plugin before 1.0.43 for WordPress has XSS via the wp-admin/admin.php?page=music-store-menu-reports from_year parameter.

High

CVE-2016-10991

The imdb-widget plugin before 1.0.9 for WordPress has Local File Inclusion.

Medium

CVE-2016-10990

The wp-cerber plugin before 2.7 for WordPress has XSS via the X-Forwarded-For HTTP header.

High

CVE-2016-10989

The leenkme plugin before 2.6.0 for WordPress has wp-admin/admin.php?page=leenkme_facebook CSRF.

Medium

CVE-2016-10988

The leenkme plugin before 2.6.0 for WordPress has stored XSS via facebook_message, facebook_linkname, facebook_caption, facebook_description, default_image, or _wp_http_referer.

Medium

CVE-2016-10987

The persian-woocommerce-sms plugin before 3.3.4 for WordPress has ps_sms_numbers XSS.

Medium

CVE-2016-10986

The tweet-wheel plugin before 1.0.3.3 for WordPress has XSS via consumer_key, consumer_secret, access_token, and access_token_secret.

Medium

CVE-2016-10985

The echosign plugin before 1.2 for WordPress has XSS via the templates/add_templates.php id parameter.

Medium

CVE-2016-10984

The echosign plugin before 1.2 for WordPress has XSS via the inc.php page parameter.

Medium

CVE-2016-10983

The ghost plugin before 0.5.6 for WordPress has no access control for wp-admin/tools.php?ghostexport=true downloads of exported data.

High

CVE-2016-10982

The kento-post-view-counter plugin through 2.8 for WordPress has wp-admin/admin.php?page=kentopvc_settings CSRF.

Medium

CVE-2016-10981

The kento-post-view-counter plugin through 2.8 for WordPress has stored XSS via kento_pvc_numbers_lang, kento_pvc_today_text, or kento_pvc_total_text.

Medium

CVE-2016-10980

The kento-post-view-counter plugin through 2.8 for WordPress has XSS via kento_pvc_geo.

Medium

CVE-2016-10979

The fossura-tag-miner plugin before 1.1.5 for WordPress has XSS.

High

CVE-2016-10978

The fossura-tag-miner plugin before 1.1.5 for WordPress has CSRF.

Medium

CVE-2016-10977

The nelio-ab-testing plugin before 4.5.0 for WordPress has filename=..%2f directory traversal.

Medium

CVE-2016-10976

The safe-editor plugin before 1.2 for WordPress has no se_save authentication, with resultant XSS.

Medium

CVE-2016-10975

The fluid-responsive-slideshow plugin before 2.2.7 for WordPress has reflected XSS via the skin parameter.

High

CVE-2016-10974

The fluid-responsive-slideshow plugin before 2.2.7 for WordPress has frs_save CSRF with resultant stored XSS.

2019-09-16
Medium

CVE-2016-10973

The Brafton plugin before 3.4.8 for WordPress has XSS via the wp-admin/admin.php?page=BraftonArticleLoader tab parameter to BraftonAdminPage.php.

Critical

CVE-2016-10972

The newspaper theme before 6.7.2 for WordPress has a lack of options access control via td_ajax_update_panel.

Critical

CVE-2016-10971

The MemberSonic Lite plugin before 1.302 for WordPress has incorrect login access control because only knowledge of an e-mail address is required.

Medium

CVE-2016-10970

The supportflow plugin before 0.7 for WordPress has XSS via a ticket excerpt.

Medium

CVE-2016-10969

The supportflow plugin before 0.7 for WordPress has XSS via a discussion ticket title.

High

CVE-2016-10968

The peepso-core plugin before 1.6.1 for WordPress has PeepSoProfilePreferencesAjax->save() privilege escalation.

Medium

CVE-2016-10967

The real3d-flipbook-lite plugin 1.0 for WordPress has XSS via the wp-content/plugins/real3d-flipbook/includes/flipbooks.php bookId parameter.

High

CVE-2016-10966

The real3d-flipbook-lite plugin 1.0 for WordPress has bookName=../ directory traversal for file upload.

High

CVE-2016-10965

The real3d-flipbook-lite plugin 1.0 for WordPress has deleteBook=../ directory traversal for file deletion.

Medium

CVE-2016-10964

The dwnldr plugin before 1.01 for WordPress has XSS via the User-Agent HTTP header.

Medium

CVE-2016-10963

The icegram plugin before 1.9.19 for WordPress has XSS.

Medium

CVE-2016-10962

The icegram plugin before 1.9.19 for WordPress has CSRF via the wp-admin/edit.php option_name parameter.

Medium

CVE-2016-10961

The colorway theme before 3.4.2 for WordPress has XSS via the contactName parameter.

High

CVE-2016-10960

The wsecure plugin before 2.4 for WordPress has remote code execution via shell metacharacters in the wsecure-config.php publish parameter.

Medium

CVE-2016-10959

The estatik plugin before 2.3.1 for WordPress has authenticated arbitrary file upload (exploitable with CSRF) via es_media_images[] to wp-admin/admin-ajax.php.

High

CVE-2016-10958

The estatik plugin before 2.3.0 for WordPress has unauthenticated arbitrary file upload via es_media_images[] to wp-admin/admin-ajax.php.

Medium

CVE-2016-10957

The Akal theme through 2016-08-22 for WordPress has XSS via the framework/brad-shortcodes/tinymce/preview.php sc parameter.

Critical

CVE-2017-18634

The newspaper theme before 6.7.2 for WordPress has script injection via td_ads[header] to admin-ajax.php.

High

CVE-2016-10956

The mail-masta plugin 1.0 for WordPress has local file inclusion in count_of_send.php and csvexport.php.

2019-09-15
Medium

CVE-2019-16332

In the api-bearer-auth plugin before 20190907 for WordPress, the server parameter is not correctly filtered in the swagger-config.yaml.php file, and it is possible to inject JavaScript code, aka XSS.

2019-09-13
Medium

CVE-2019-16289

The insert-php (aka Woody ad snippets) plugin before 2.2.8 for WordPress allows authenticated XSS via the winp_item parameter.

Medium

CVE-2019-12517

An XSS issue was discovered in the slickquiz plugin through 1.3.7.1 for WordPress. The save_quiz_score functionality available via the /wp-admin/admin-ajax.php endpoint allows unauthenticated users t…

High

CVE-2019-12516

The slickquiz plugin through 1.3.7.1 for WordPress allows SQL Injection by Subscriber users, as demonstrated by a /wp-admin/admin.php?page=slickquiz-scores&id= or /wp-admin/admin.php?page=slickquiz-e…

Critical

CVE-2016-10955

The cysteme-finder plugin before 1.4 for WordPress has unrestricted file upload because of incorrect session tracking.

Critical

CVE-2016-10954

The Neosense theme before 1.8 for WordPress has qquploader unrestricted file upload.

Medium

CVE-2016-10953

The Headway theme before 3.8.9 for WordPress has XSS via the license key field.

Medium

CVE-2016-10952

The quotes-collection plugin before 2.0.6 for WordPress has XSS via the wp-admin/admin.php?page=quotes-collection page parameter.

High

CVE-2016-10951

The fs-shopping-cart plugin 2.07.02 for WordPress has SQL injection via the pid parameter.

High

CVE-2016-10950

The sirv plugin before 1.3.2 for WordPress has SQL injection via the id parameter.

High

CVE-2016-10949

The Relevanssi Premium plugin before 1.14.6.1 for WordPress has SQL injection with resultant unsafe unserialization.

High

CVE-2016-10948

The Post Indexer plugin before 3.0.6.2 for WordPress has incorrect handling of data passed to the unserialize function.

High

CVE-2016-10947

The Post Indexer plugin before 3.0.6.2 for WordPress has SQL injection via the period parameter by a super admin.

High

CVE-2016-10946

The wp-d3 plugin before 2.4.1 for WordPress has CSRF.

Medium

CVE-2017-18615

The kama-clic-counter plugin before 3.5.0 for WordPress has XSS.

High

CVE-2017-18614

The kama-clic-counter plugin 3.4.9 for WordPress has SQL injection via the admin.php order parameter.

Medium

CVE-2017-18613

The trust-form plugin 2.0 for WordPress has XSS via the wp-admin/admin.php?page=trust-form-edit page parameter.

Medium

CVE-2017-18612

The wp-whois-domain plugin 1.0.0 for WordPress has XSS via the pages/func-whois.php domain parameter.

High

CVE-2016-10945

The PageLines theme 1.1.4 for WordPress has wp-admin/admin-post.php?page=pagelines CSRF.

High

CVE-2016-10944

The multisite-post-duplicator plugin before 1.1.3 for WordPress has wp-admin/tools.php?page=mpd CSRF.

High

CVE-2016-10943

The zx-csv-upload plugin 1 for WordPress has SQL injection via the id parameter.

Critical

CVE-2016-10942

The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has SQL injection via the insert_id parameter exploitable via CSRF.

Medium

CVE-2016-10941

The podlove-podcasting-plugin-for-wordpress plugin before 2.3.16 for WordPress has XSS exploitable via CSRF.

High

CVE-2016-10940

The zm-gallery plugin 1.0 for WordPress has SQL injection via the order parameter.

High

CVE-2016-10939

The xtremelocator plugin 1.5 for WordPress has SQL injection via the id parameter.

Medium

CVE-2016-10938

The copy-me plugin 1.0.0 for WordPress has CSRF for copying non-public posts to a public location.

2019-09-12
High

CVE-2019-5992

Cross-site request forgery (CSRF) vulnerability in WordPress Ultra Simple Paypal Shopping Cart v4.4 and earlier allows remote attackers to hijack the authentication of administrators via unspecified…

2019-09-11
High

CVE-2019-16250

includes/wizard/wizard.php in the Ocean Extra plugin through 1.5.8 for WordPress allows unauthenticated options changes and injection of a Cascading Style Sheets (CSS) token sequence.

Medium

CVE-2019-14936

Easy!Appointments 1.3.2 plugin for WordPress allows Sensitive Information Disclosure (Username and Password Hash).

Medium

CVE-2019-16223

WordPress before 5.2.3 allows XSS in post previews by authenticated users.

Medium

CVE-2019-16222

WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.

Medium

CVE-2019-16221

WordPress before 5.2.3 allows reflected XSS in the dashboard.

Medium

CVE-2019-16220

In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forwar…

Medium

CVE-2019-16219

WordPress before 5.2.3 allows XSS in shortcode previews.

Medium

CVE-2019-16218

WordPress before 5.2.3 allows XSS in stored comments.

Medium

CVE-2019-16217

WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.

2019-09-10
Critical

CVE-2019-15896

An issue was discovered in the LifterLMS plugin through 3.34.5 for WordPress. The upload_import function in the class.llms.admin.import.php script is prone to an unauthenticated options import vulner…

Medium

CVE-2017-18611

The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCCWP_CreateCustomFieldPage.php custom-field-css parameter.

Medium

CVE-2017-18610

The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCCWP_CreateCustomFieldPage.php custom-group-id parameter.

Medium

CVE-2017-18609

The magic-fields plugin before 1.7.2 for WordPress has XSS via the custom-write-panel-id parameter.

Medium

CVE-2017-18608

The spotim-comments plugin before 4.0.4 for WordPress has multiple XSS issues.

High

CVE-2017-18607

The avada theme before 5.1.5 for WordPress has CSRF.

Medium

CVE-2017-18606

The avada theme before 5.1.5 for WordPress has stored XSS.

Critical

CVE-2017-18605

The gravitate-qa-tracker plugin through 1.2.1 for WordPress has PHP Object Injection.

High

CVE-2017-18604

The sitebuilder-dynamic-components plugin through 1.0 for WordPress has PHP object injection via an AJAX request.

Medium

CVE-2017-18603

The postman-smtp plugin through 2017-10-04 for WordPress has XSS via the wp-admin/tools.php?page=postman_email_log page parameter.