About “WordPress”

A curated feed of “WordPress”-related CVEs appears below. We currently track 18152 CVEs for this tag (all time). In the last 365 days, 4094 were published. Average CVSS is 6.3 (all time; 6.3 over 365d), and 27% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-862 - Missing Authorization, CWE-352 - Cross-Site Request Forgery (CSRF).

In our taxonomy this topic maps to a MODERATE impact class. A CMS and its plugins expand the attack surface. Patch core, themes, and plugins; remove abandoned extensions; restrict admin access; enable a WAF; and keep backups. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic.

2019-08-21
Medium

CVE-2016-10891

The aryo-activity-log plugin before 2.3.3 for WordPress has XSS.

Medium

CVE-2016-10890

The aryo-activity-log plugin before 2.3.2 for WordPress has XSS.

Critical

CVE-2014-10379

The duplicate-post plugin before 2.6 for WordPress has SQL injection.

Medium

CVE-2014-10378

The duplicate-post plugin before 2.6 for WordPress has XSS.

Medium

CVE-2014-10377

The cforms2 plugin before 13.2 for WordPress has XSS in lib_ajax.php.

Medium

CVE-2012-6714

The count-per-day plugin before 3.2.3 for WordPress has XSS via search words.

Medium

CVE-2017-18564

The sender plugin before 1.2.1 for WordPress has multiple XSS issues.

Medium

CVE-2017-18563

The rsvp plugin before 2.3.8 for WordPress has persistent XSS via the note field on the attendee-list screen.

Medium

CVE-2016-10912

The universal-analytics plugin before 1.3.1 for WordPress has XSS.

Medium

CVE-2016-10911

The profile-builder plugin before 2.4.2 for WordPress has multiple XSS issues.

Medium

CVE-2016-10910

The formbuilder plugin before 1.06 for WordPress has multiple XSS issues.

Medium

CVE-2015-9328

The profile-builder plugin before 2.2.5 for WordPress has XSS.

Medium

CVE-2015-9327

The flickr-justified-gallery plugin before 3.4.0 for WordPress has XSS.

Medium

CVE-2014-10380

The profile-builder plugin before 1.1.66 for WordPress has multiple XSS issues in forms.

Medium

CVE-2012-6715

The formbuilder plugin before 0.9.1 for WordPress has XSS via a Referer header.

Medium

CVE-2019-15112

The wp-slimstat plugin before 4.8.1 for WordPress has XSS.

Critical

CVE-2019-15111

The wp-front-end-profile plugin before 0.2.2 for WordPress has a privilege escalation issue.

Medium

CVE-2019-15110

The wp-front-end-profile plugin before 0.2.2 for WordPress has XSS.

Medium

CVE-2017-18565

The updater plugin before 1.35 for WordPress has multiple XSS issues.

Medium

CVE-2017-18560

The content-audit plugin before 1.9.2 for WordPress has XSS.

Medium

CVE-2017-18558

The bws-testimonials plugin before 0.1.9 for WordPress has multiple XSS issues.

Medium

CVE-2017-18557

The bws-google-maps plugin before 1.3.6 for WordPress has multiple XSS issues.

Medium

CVE-2017-18556

The bws-google-analytics plugin before 1.7.1 for WordPress has multiple XSS issues.

Medium

CVE-2017-18555

The booking-sms plugin before 1.1.0 for WordPress has XSS.

Medium

CVE-2017-18554

The analytics-tracker plugin before 1.1.1 for WordPress has XSS via a search event.

Medium

CVE-2017-18553

The ad-buttons plugin before 2.3.2 for WordPress has XSS.

Critical

CVE-2016-10909

The booking-calendar-contact-form plugin before 1.0.24 for WordPress has SQL injection.

Medium

CVE-2016-10908

The booking-calendar-contact-form plugin before 1.0.24 for WordPress has XSS.

High

CVE-2016-10903

The GoDaddy godaddy-email-marketing-sign-up-forms plugin before 1.1.3 for WordPress has CSRF.

High

CVE-2016-10902

The wp-customer-reviews plugin before 3.0.9 for WordPress has CSRF in the admin tools.

Medium

CVE-2016-10901

The wp-customer-reviews plugin before 3.0.9 for WordPress has XSS in the admin tools.

Medium

CVE-2016-10900

The uji-countdown plugin before 2.0.7 for WordPress has XSS.

Medium

CVE-2019-15109

The the-events-calendar plugin before 4.8.2 for WordPress has XSS via the tribe_paged URL parameter.

Medium

CVE-2017-18540

The weblibrarian plugin before 3.4.8.7 for WordPress has XSS via front-end short codes.

Medium

CVE-2017-18539

The weblibrarian plugin before 3.4.8.6 for WordPress has XSS via front-end short codes.

Medium

CVE-2017-18538

The weblibrarian plugin before 3.4.8.5 for WordPress has XSS via front-end short codes.

Medium

CVE-2017-18537

The visitors-online plugin before 1.0.0 for WordPress has multiple XSS issues.

Medium

CVE-2017-18536

The stop-user-enumeration plugin before 1.3.8 for WordPress has XSS.

Medium

CVE-2017-18534

The share-on-diaspora plugin before 0.7.2 for WordPress has reflected XSS in share URL parameters.

Medium

CVE-2016-10899

The total-security plugin before 3.4.1 for WordPress has a settings-change vulnerability.

Medium

CVE-2016-10898

The total-security plugin before 3.4.1 for WordPress has XSS.

Medium

CVE-2016-10897

The sermon-browser plugin before 0.45.16 for WordPress has multiple XSS issues.

Medium

CVE-2016-10896

The seo-redirection plugin before 4.3 for WordPress has stored XSS.

Medium

CVE-2015-9321

The shortcode-factory plugin before 1.1.1 for WordPress has XSS via add_query_arg.

2019-08-20
Medium

CVE-2018-20978

The wp-all-import plugin before 3.4.7 for WordPress has XSS.

Medium

CVE-2017-18566

The user-role plugin before 1.5.6 for WordPress has multiple XSS issues.

Medium

CVE-2017-18533

The rimons-twitter-widget plugin before 1.3 for WordPress has XSS.

Medium

CVE-2017-18532

The realty plugin before 1.1.0 for WordPress has multiple XSS issues.

Medium

CVE-2017-18531

The raygun4wp plugin before 1.8.3 for WordPress has XSS in the settings, a different issue than CVE-2017-9288.

Medium

CVE-2017-18530

The rating-bws plugin before 0.2 for WordPress has multiple XSS issues.

Medium

CVE-2017-18529

The promobar plugin before 1.1.1 for WordPress has multiple XSS issues.

Medium

CVE-2017-18528

The pdf-print plugin before 1.9.4 for WordPress has multiple XSS issues.

Medium

CVE-2017-18527

The pagination plugin before 1.0.7 for WordPress has multiple XSS issues.

Medium

CVE-2017-18526

The moreads-se plugin before 1.4.7 for WordPress has XSS.

Medium

CVE-2017-18524

The football-pool plugin before 2.6.5 for WordPress has multiple XSS issues.

High

CVE-2017-18523

The eelv-newsletter plugin before 4.6.1 for WordPress has CSRF in the address book.

Medium

CVE-2017-18522

The eelv-newsletter plugin before 4.6.1 for WordPress has XSS in the address book.

Medium

CVE-2017-18519

The customer-area plugin before 7.4.3 for WordPress has XSS via admin pages.

Medium

CVE-2017-18518

The bws-smtp plugin before 1.1.0 for WordPress has multiple XSS issues.

Medium

CVE-2016-10895

The option-tree plugin before 2.6.0 for WordPress has XSS via an add_list_item or add_social_links AJAX request.

Medium

CVE-2016-10892

The chained-quiz plugin before 1.0 for WordPress has multiple XSS issues.

Medium

CVE-2015-9320

The option-tree plugin before 2.5.4 for WordPress has XSS related to add_query_arg.

Medium

CVE-2015-9319

The gregs-high-performance-seo plugin before 1.6.2 for WordPress has XSS in the context of an old browser.

High

CVE-2019-15238

The cforms2 plugin before 15.0.2 for WordPress has CSRF related to the IP address field.

High

CVE-2017-18569

The my-wp-translate plugin before 1.0.4 for WordPress has CSRF.

Medium

CVE-2017-18568

The my-wp-translate plugin before 1.0.4 for WordPress has XSS.

Medium

CVE-2017-18567

The wp-all-import plugin before 3.4.6 for WordPress has XSS.

Medium

CVE-2017-18520

The democracy-poll plugin before 5.4 for WordPress has XSS via update_l10n in admin/class.DemAdminInit.php.

Medium

CVE-2017-18517

The bws-pinterest plugin before 1.0.5 for WordPress has multiple XSS issues.

High

CVE-2016-10915

The popup-by-supsystic plugin before 1.7.9 for WordPress has CSRF.

High

CVE-2016-10914

The add-from-server plugin before 3.3.2 for WordPress has CSRF for importing a large file.

Medium

CVE-2016-10913

The wp-latest-posts plugin before 3.7.5 for WordPress has XSS.

Medium

CVE-2016-10893

The crayon-syntax-highlighter plugin before 2.8.4 for WordPress has multiple XSS issues via AJAX requests.

Medium

CVE-2015-9332

The uninstall plugin before 1.2 for WordPress has CSRF to delete all tables via the wp-admin/admin-ajax.php?action=uninstall URI.

High

CVE-2015-9331

The wp-all-import plugin before 3.2.4 for WordPress has no prevention of unauthenticated requests to adminInit.

Critical

CVE-2015-9330

The wp-all-import plugin before 3.2.5 for WordPress has blind SQL injection.

Medium

CVE-2015-9329

The wp-all-import plugin before 3.2.5 for WordPress has reflected XSS.

High

CVE-2015-9318

The awesome-support plugin before 3.1.7 for WordPress has a security issue in which shortcodes are allowed in replies.

Medium

CVE-2015-9317

The awesome-support plugin before 3.1.7 for WordPress has XSS via custom information messages.

High

CVE-2014-10381

The user-domain-whitelist plugin before 1.5 for WordPress has CSRF.

High

CVE-2011-5328

The user-access-manager plugin before 1.2 for WordPress has CSRF.

Medium

CVE-2019-15082

The 360-product-rotation plugin before 1.4.8 for WordPress has reflected XSS.

2019-08-16
Medium

CVE-2019-15116

The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging.

High

CVE-2019-15115

The peters-login-redirect plugin before 2.9.2 for WordPress has CSRF.

High

CVE-2019-15114

The formcraft-form-builder plugin before 1.2.2 for WordPress has CSRF.

High

CVE-2019-15113

The companion-sitemap-generator plugin before 3.7.0 for WordPress has CSRF.

High

CVE-2018-20974

The js-jobs plugin before 1.0.7 for WordPress has CSRF.

Critical

CVE-2018-20973

The companion-auto-update plugin before 3.2.1 for WordPress has local file inclusion.

High

CVE-2018-20972

The companion-auto-update plugin before 3.2.1 for WordPress has CSRF.

High

CVE-2018-20971

The church-admin plugin before 1.2550 for WordPress has CSRF affecting the upload of a bible reading plan.

High

CVE-2017-18547

The nelio-ab-testing plugin before 4.6.4 for WordPress has CSRF in experiment forms.

High

CVE-2017-18546

The jayj-quicktag plugin before 1.3.2 for WordPress has CSRF.

High

CVE-2017-18545

The invite-anyone plugin before 1.3.16 for WordPress has incorrect escaping of untrusted Dashboard and front-end input.

High

CVE-2017-18544

The invite-anyone plugin before 1.3.16 for WordPress has admin-panel CSRF.

Critical

CVE-2017-18543

The invite-anyone plugin before 1.3.16 for WordPress has incorrect access control for email-based invitations.

Medium

CVE-2017-18542

The zendesk-help-center plugin before 1.0.5 for WordPress has multiple XSS issues.

Medium

CVE-2017-18541

The xo-security plugin before 1.5.3 for WordPress has XSS.

Critical

CVE-2015-9324

The easy-digital-downloads plugin before 2.3.3 for WordPress has SQL injection.

Critical

CVE-2015-9323

The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.

High

CVE-2015-9322

The erident-custom-login-and-dashboard plugin before 3.5 for WordPress has CSRF.

Critical

CVE-2014-10376

The i-recommend-this plugin before 3.7.3 for WordPress has SQL injection.

Critical

CVE-2017-18548

The note-press plugin before 0.1.2 for WordPress has SQL injection.

Critical

CVE-2016-10904

The olimometer plugin before 2.57 for WordPress has SQL injection.

Critical

CVE-2015-9326

The wp-business-intelligence-lite plugin before 1.6.3 for WordPress has SQL injection.

Critical

CVE-2015-9325

The visitors-online plugin before 0.4 for WordPress has SQL injection.

2019-08-15
Medium

CVE-2019-14789

The Custom 404 Pro plugin 3.2.8 for WordPress has XSS via the wp-admin/admin.php?page=c4p-main page parameter.

High

CVE-2019-14788

wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the s…

Medium

CVE-2019-14786

The Rank Math SEO plugin 1.0.27 for WordPress allows non-admin users to reset the settings via the wp-admin/admin-post.php reset-cmb parameter.

Medium

CVE-2019-14784

The "CP Contact Form with PayPal" plugin before 1.2.98 for WordPress has XSS in CSS edition.

Critical

CVE-2019-13578

A SQL injection vulnerability exists in the Impress GiveWP Give plugin through 2.5.0 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQ…

Medium

CVE-2019-14800

The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress allows guests to obtain the email subscription list in CSV format via the wp-admin/admin-post.php?page=fvplayer&fv-email-export=1…

Medium

CVE-2019-14795

The toggle-the-title (aka Toggle The Title) plugin 1.4 for WordPress has XSS via the wp-admin/admin-ajax.php?action=update_title_options isAutoSaveValveChecked or isDisableAllPagesValveChecked parame…

Medium

CVE-2019-14790

The limb-gallery (aka Limb Gallery) plugin 1.4.0 for WordPress has XSS via the wp-admin/admin-ajax.php?action=grsGalleryAjax&grsAction=shortcode task parameter,

2019-08-14
High

CVE-2019-14216

An issue was discovered in the svg-vector-icon-plugin (aka WP SVG Icons) plugin through 3.2.1 for WordPress. wp-admin/admin.php?page=wp-svg-icons-custom-set mishandles Custom Icon uploads. CSRF leads…

High

CVE-2018-20968

The wp-ultimate-exporter plugin before 1.4.2 for WordPress has CSRF.

High

CVE-2018-20967

The wp-ultimate-csv-importer plugin before 5.6.1 for WordPress has CSRF.

High

CVE-2017-18513

The responsive-menu plugin before 3.1.4 for WordPress has no CSRF protection mechanism for the admin interface.

High

CVE-2017-18512

The newsletter-by-supsystic plugin before 1.1.8 for WordPress has CSRF.

High

CVE-2017-18511

The custom-sidebars plugin before 3.0.8.1 for WordPress has CSRF.

High

CVE-2017-18510

The custom-sidebars plugin before 3.1.0 for WordPress has CSRF related to set location, import actions, and export actions.