The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the atkp_import_product() function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to to perform unauthorized actions such as creating importing products.
Max CVSS
4.3
EPSS Score
0.04%
Published
2024-03-08
Updated
2024-03-08
The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.0.1. This is due to missing or incorrect nonce validation on the 'posting_bulk' function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Max CVSS
4.3
EPSS Score
0.05%
Published
2024-03-13
Updated
2024-03-13
Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38.
Max CVSS
4.3
EPSS Score
0.25%
Published
2023-10-13
Updated
2024-02-16
WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.
Max CVSS
4.3
EPSS Score
0.41%
Published
2020-11-02
Updated
2022-06-29
The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896.
Max CVSS
4.3
EPSS Score
0.09%
Published
2017-01-18
Updated
2017-03-16
WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file.
Max CVSS
4.7
EPSS Score
0.08%
Published
2017-10-12
Updated
2017-10-26
Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename.
Max CVSS
4.8
EPSS Score
0.36%
Published
2017-01-05
Updated
2017-11-04
Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a crafted string.
Max CVSS
4.3
EPSS Score
1.33%
Published
2015-11-09
Updated
2017-11-04
Cross-site scripting (XSS) vulnerability in the refreshAdvancedAccessibilityOfItem function in wp-admin/js/nav-menu.js in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via an accessibility-helper title.
Max CVSS
4.3
EPSS Score
0.71%
Published
2015-11-09
Updated
2017-09-21
Cross-site scripting (XSS) vulnerability in the form function in the WP_Nav_Menu_Widget class in wp-includes/default-widgets.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a widget title.
Max CVSS
4.3
EPSS Score
1.33%
Published
2015-11-09
Updated
2017-11-04
The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in the XMLRPC subsystem in WordPress before 4.3.1 allows remote authenticated users to bypass intended access restrictions, and arrange for a private post to be published and sticky, via unspecified vectors.
Max CVSS
4.3
EPSS Score
0.17%
Published
2016-05-22
Updated
2017-11-04
WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php.
Max CVSS
4.0
EPSS Score
0.13%
Published
2015-08-03
Updated
2017-09-21
Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type.
Max CVSS
4.3
EPSS Score
94.66%
Published
2015-08-03
Updated
2016-12-06
Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as.
Max CVSS
4.3
EPSS Score
0.56%
Published
2015-08-05
Updated
2016-12-06
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 4.1.2, when MySQL is used without strict mode, allow remote attackers to inject arbitrary web script or HTML via a (1) four-byte UTF-8 character or (2) invalid character that reaches the database layer, as demonstrated by a crafted character in a comment.
Max CVSS
4.3
EPSS Score
2.76%
Published
2015-08-05
Updated
2016-12-06
wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message.
Max CVSS
4.3
EPSS Score
0.69%
Published
2014-11-25
Updated
2016-06-30
Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted Cascading Style Sheets (CSS) token sequence in a post.
Max CVSS
4.3
EPSS Score
0.58%
Published
2014-11-25
Updated
2016-04-04
Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Max CVSS
4.3
EPSS Score
0.58%
Published
2014-11-25
Updated
2016-04-04
Cross-site scripting (XSS) vulnerability in the media-playlists feature in WordPress before 3.9.x before 3.9.3 and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Max CVSS
4.3
EPSS Score
0.71%
Published
2014-11-25
Updated
2015-10-05
Cross-site scripting (XSS) vulnerability in the wptexturize function in WordPress before 3.7.5, 3.8.x before 3.8.5, and 3.9.x before 3.9.3 allows remote attackers to inject arbitrary web script or HTML via crafted use of shortcode brackets in a text field, as demonstrated by a comment or a post.
Max CVSS
4.3
EPSS Score
13.11%
Published
2014-11-25
Updated
2015-10-05
WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php.
Max CVSS
4.0
EPSS Score
0.13%
Published
2014-04-10
Updated
2017-12-16
The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file.
Max CVSS
4.3
EPSS Score
0.24%
Published
2013-09-12
Updated
2013-09-27
The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site.
Max CVSS
4.3
EPSS Score
0.24%
Published
2013-07-08
Updated
2016-12-31
moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) character during extraction of the QUERY_STRING, which allows remote attackers to pass arbitrary parameters to a Flash application, and conduct content-spoofing attacks, via a crafted string after a ? (question mark) character.
Max CVSS
4.3
EPSS Score
0.58%
Published
2013-07-08
Updated
2013-08-13
WordPress before 3.5.2, when the uploads directory forbids write access, allows remote attackers to obtain sensitive information via an invalid upload request, which reveals the absolute path in an XMLHttpRequest error message.
Max CVSS
4.3
EPSS Score
0.33%
Published
2013-07-08
Updated
2013-09-10
77 vulnerabilities found
1 2 3 4
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!