
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

19 Jul 2019 — A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. ... • https://wordpress.org/plugins/email-subscribers/#developers • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Jul 2019 — A SQL injection vulnerability exists in the FolioVision FV Flowplayer Video Player plugin before 7.3.19.727 for WordPress. ... • https://plugins.trac.wordpress.org/changeset/2121566/fv-wordpress-flowplayer/trunk/models/db.php • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 10.0 • EPSS: 1% • CPEs: 1 • EXPL: 1

02 May 2019 — The User Submitted Posts plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the usp_check_images function in versions up to, and including, 20190312. • https://blog.nintechnet.com/arbitrary-file-upload-vulnerability-in-wordpress-user-submitted-posts-plugin • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 2

17 Mar 2019 — The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.3.9. • https://blog.nintechnet.com/critical-0day-vulnerability-fixed-in-wordpress-easy-wp-smtp-plugin • CWE-862: Missing Authorization •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Mar 2019 — The SiteGround Optimizer plugin for WordPress is vulnerable to authorization bypass leading to Remote Code Execution and Local File Inclusion in versions up to, and including, 5.0.12 due to incorrect use of an access control attribute on the switch_php function called via the /switch-php REST API route. • https://www.wordfence.com/threat-intel/vulnerabilities/id/657f3bd7-2cdc-4eb6-ba50-7c7fca468df0?source=cve • CWE-862: Missing Authorization •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

07 Jan 2019 — The Audio Record plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_record_callback function in versions up to, and including, 1.0. • https://patchstack.com/database/vulnerability/audio-record/wordpress-audio-record-plugin-1-0-arbitrary-file-upload-vulnerability-2? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

17 Sep 2018 — The File Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in the /inc/root.php file in versions up to, and including, 3.0. • https://www.wordfence.com/threat-intel/vulnerabilities/id/a56d5a2f-ae13-4523-bc4a-17bb2fb4c6f0?source=cve • CWE-862: Missing Authorization •

CVSS: 10.0 • EPSS: 0% • CPEs: 8 • EXPL: 1

20 Jun 2018 — In the web server on D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, there is a hardcoded password of "anonymous" for the admin account. • https://securityaffairs.co/wordpress/72839/hacking/d-link-dir-620-flaws.html • CWE-798: Use of Hard-coded Credentials •

CVSS: 10.0 • EPSS: 0% • CPEs: 2 • EXPL: 2

25 Jan 2017 — It is recommended to update the affected component. The InfiniteWP Client plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.6.0 via deserialization of untrusted input. • http://seclists.org/fulldisclosure/2017/Jan/72 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') • CWE-502: Deserialization of Untrusted Data •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Dec 2016 — The nelio-ab-testing plugin before 4.5.11 for WordPress has SSRF in ajax/iesupport.php. • https://wordpress.org/plugins/nelio-ab-testing/#developers • CWE-918: Server-Side Request Forgery (SSRF) •