| CVE | Vendors | Products | Updated | CVSS v3.1 |
| The simple-share-buttons-adder plugin before 6.0.0 for WordPress has XSS. |
| The simple-fields plugin before 1.4.11 for WordPress has XSS. |
| The liveforms plugin before 3.2.0 for WordPress has SQL injection. |
| The events-manager plugin before 5.5.7 for WordPress has multiple XSS issues. |
| The events-manager plugin before 5.5.7.1 for WordPress has DOM XSS. |
| The events-manager plugin before 5.6 for WordPress has code injection. |
| The events-manager plugin before 5.6 for WordPress has XSS. |
| The download-monitor plugin before 1.7.1 for WordPress has XSS related to add_query_arg. |
| The contact-form-plugin plugin before 3.96 for WordPress has XSS. |
| The all-in-one-wp-security-and-firewall plugin before 3.9.5 for WordPress has XSS in add_query_arg and remove_query_arg function instances. |
| The all-in-one-wp-security-and-firewall plugin before 3.9.8 for WordPress has XSS in the unlock request feature. |
| The wp-slimstat (aka Slimstat Analytics) plugin before 4.1.6.1 for WordPress has XSS via an HTTP Referer header, or via a field associated with JavaScript-based Referer tracking. |
| The videowhisper-video-presentation plugin 3.31.17 for WordPress allows remote attackers to execute arbitrary code because vp/vw_upload.php considers a file safe when "html" are the last four characters, as demonstrated by a .phtml file containing PHP code. |
| The VideoWhisper videowhisper-video-conference-integration plugin 4.91.8 for WordPress allows remote attackers to execute arbitrary code because vc/vw_upload.php considers a file safe when "html" are the last four characters, as demonstrated by a .phtml file containing PHP code, a different vulnerability than CVE-2014-1905. |
| XSS exists in the the-holiday-calendar plugin before 1.11.3 for WordPress via the thc-month parameter. |
| The export/content.php exportarticle feature in the wordpress-mobile-pack plugin before 2.1.3 2015-06-03 for WordPress allows remote attackers to obtain sensitive information because the content of a privately published post is sent in JSON format. |
| Cross-site scripting (XSS) vulnerability in the Plotly plugin before 1.0.3 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via a post. |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Private Only plugin 3.5.1 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add users, (2) delete posts, or (3) modify PHP files via unspecified vectors, or (4) conduct cross-site scripting (XSS) attacks via the po_logo parameter in the privateonly.php page to wp-admin/options-general.php. |
| Vulnerability in Easy2map-photos WordPress Plugin v1.09 MapPinImageUpload.php and MapPinIconSave.php allows path traversal when specifying file names creating files outside of the upload directory. |
| Vulnerability in Easy2map-photos WordPress Plugin v1.09 allows SQL Injection via unsanitized mapTemplateName, mapName, mapSettingsXML, parentCSSXML, photoCSSXML, mapCSSXML, mapHTML, mapID variables. |