CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2018-20980 The ninja-forms plugin before 3.2.15 for WordPress has parameter tampering. | N/A | NONE | — | 0 |
| CVE-2018-20981 The ninja-forms plugin before 3.3.9 for WordPress has insufficient restrictions on submission-data retrieval during Export Personal Data requests. | N/A | NONE | — | 0 |
| CVE-2018-20982 The media-library-assistant plugin before 2.74 for WordPress has XSS via the Media/Assistant or Settings/Media Library assistant admin submenu screens. | N/A | NONE | — | 0 |
| CVE-2019-14511 Sphinx Technologies Sphinx 3.1.1 by default has no authentication and listens on 0.0.0.0, making it exposed to the internet (unless filtered by a firewall or reconfigured to listen to 127.0.0.1 only). | N/A | NONE | — | 0 |
| CVE-2019-15314 tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to upload JavaScript code that is executed upon visiting a tiki/tiki-download_file.php?display&fileId= URI. | N/A | NONE | — | 0 |
| CVE-2019-15317 The give plugin before 2.4.7 for WordPress has XSS via a donor name. | N/A | NONE | — | 0 |
| CVE-2019-15318 The yikes-inc-easy-mailchimp-extender plugin before 6.5.3 for WordPress has code injection via the admin input field. | N/A | NONE | — | 0 |
| CVE-2008-7321 The tubepress plugin before 1.6.5 for WordPress has XSS. | N/A | NONE | — | 0 |
| CVE-2013-7482 The reflex-gallery plugin before 1.4.3 for WordPress has XSS. | N/A | NONE | — | 0 |
| CVE-2014-10383 The memphis-documents-library plugin before 3.0 for WordPress has Remote File Inclusion. | N/A | NONE | — | 0 |
| CVE-2014-10384 The memphis-documents-library plugin before 3.0 for WordPress has Local File Inclusion. | N/A | NONE | — | 0 |
| CVE-2014-10385 The memphis-documents-library plugin before 3.0 for WordPress has XSS via $_REQUEST. | N/A | NONE | — | 0 |
| CVE-2025-32571 Deserialization of Untrusted Data vulnerability in TuriTop TuriTop Booking System turitop-booking-system allows Object Injection.This issue affects TuriTop Booking System: from n/a through <= 1.0.10. | N/A | NONE | — | 0 |
| CVE-2015-9337 The profile-builder plugin before 2.1.4 for WordPress has no access control for activating or deactivating addons via AJAX. | N/A | NONE | — | 0 |
| CVE-2016-10922 The woocommerce-store-toolkit plugin before 1.5.7 for WordPress has privilege escalation. | N/A | NONE | — | 0 |
| CVE-2016-10923 The woocommerce-store-toolkit plugin before 1.5.8 for WordPress has privilege escalation. | N/A | NONE | — | 0 |
| CVE-2016-10924 The ebook-download plugin before 1.2 for WordPress has directory traversal. | N/A | NONE | — | 0 |
| CVE-2016-10925 The peters-login-redirect plugin before 2.9.1 for WordPress has XSS during the editing of redirect URLs. | N/A | NONE | — | 0 |
| CVE-2016-10926 The nelio-ab-testing plugin before 4.5.9 for WordPress has SSRF in ajax/iesupport.php. | N/A | NONE | — | 0 |
| CVE-2016-10927 The nelio-ab-testing plugin before 4.5.11 for WordPress has SSRF in ajax/iesupport.php. | N/A | NONE | — | 0 |
| CVE-2017-18576 The event-notifier plugin before 1.2.1 for WordPress has XSS via the loading animation. | N/A | NONE | — | 0 |
| CVE-2017-18580 The shortcodes-ultimate plugin before 5.0.1 for WordPress has remote code execution via a filter in a meta, post, or user shortcode. | N/A | NONE | — | 0 |
| CVE-2017-18581 The time-sheets plugin before 1.5.0 for WordPress has XSS via the old timesheet list. | N/A | NONE | — | 0 |
| CVE-2017-18582 The time-sheets plugin before 1.5.2 for WordPress has multiple XSS issues. | N/A | NONE | — | 0 |
| CVE-2017-18583 The post-pay-counter plugin before 2.731 for WordPress has PHP Object Injection. | N/A | NONE | — | 0 |
| CVE-2017-18584 The post-pay-counter plugin before 2.731 for WordPress has no permissions check for an update-settinga action. | N/A | NONE | — | 0 |
| CVE-2018-20983 The wp-retina-2x plugin before 5.2.3 for WordPress has XSS. | N/A | NONE | — | 0 |
| CVE-2018-20984 The patreon-connect plugin before 1.2.2 for WordPress has Object Injection. | N/A | NONE | — | 0 |
| CVE-2018-20985 The wp-payeezy-pay plugin before 2.98 for WordPress has local file inclusion in pay.php, donate.php, donate-rec, and pay-rec. | N/A | NONE | — | 0 |
| CVE-2019-15319 The option-tree plugin before 2.7.0 for WordPress has Object Injection by leveraging a valid nonce. | N/A | NONE | — | 0 |
| CVE-2019-15320 The option-tree plugin before 2.7.3 for WordPress has Object Injection because the + character is mishandled. | N/A | NONE | — | 0 |
| CVE-2019-15321 The option-tree plugin before 2.7.3 for WordPress has Object Injection because serialized classes are mishandled. | N/A | NONE | — | 0 |
| CVE-2019-15322 The shortcode-factory plugin before 2.8 for WordPress has Local File Inclusion. | N/A | NONE | — | 0 |
| CVE-2019-15323 The ad-inserter plugin before 2.4.20 for WordPress has path traversal. | 7.5 | HIGH | — | 0 |
| CVE-2019-15324 The ad-inserter plugin before 2.4.22 for WordPress has remote code execution. | N/A | NONE | — | 0 |
| CVE-2019-5632 An insecure storage of sensitive information vulnerability is present in Hickory Smart for Android mobile devices from Belwith Products, LLC. The application's database was found to contain informatio... | 5.5 | MEDIUM | — | 0 |
| CVE-2019-5633 An insecure storage of sensitive information vulnerability is present in Hickory Smart for iOS mobile devices from Belwith Products, LLC. The application's database was found to contain information th... | 5.5 | MEDIUM | — | 0 |
| CVE-2019-5634 An inclusion of sensitive information in log files vulnerability is present in Hickory Smart for Android mobile devices from Belwith Products, LLC. Communications to the internet API services and dire... | N/A | NONE | — | 0 |
| CVE-2019-5635 A cleartext transmission of sensitive information vulnerability is present in Hickory Smart Ethernet Bridge from Belwith Products, LLC. Captured data reveals that the Hickory Smart Ethernet Bridge dev... | 7.5 | HIGH | — | 0 |
| CVE-2018-18572 osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Because of this filter, script files with certain PHP-related extensions (such as .phtml and .php5) didn... | N/A | NONE | — | 0 |
| CVE-2018-18573 osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Remote authenticated administrators can upload new '.htaccess' files (e.g., omitting .php) and subsequen... | N/A | NONE | — | 0 |
| CVE-2019-11013 Nimble Streamer 3.0.2-2 through 3.5.4-9 has a ../ directory traversal vulnerability. Successful exploitation could allow an attacker to traverse the file system to access files or directories that are... | N/A | NONE | — | 0 |
| CVE-2019-11029 Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Download() method of AutoUpdateService in SMServer.exe, leading to Directory Traversal. An attacker could use ..\ with this method to ite... | N/A | NONE | — | 0 |
| CVE-2019-11030 Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Mirasys.Common.Utils.Security.DataCrypt method in Common.dll in AuditTrailService in SMServer.exe. This method triggers insecure deserial... | N/A | NONE | — | 0 |
| CVE-2019-11031 Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the auto-update feature of IDVRUpdateService2 in DVRServer.exe. An attacker can upload files with a Setup-Files action, and then execute thes... | N/A | NONE | — | 0 |
| CVE-2019-14751 NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during ex... | N/A | NONE | — | 0 |
| CVE-2014-10390 The wp-support-plus-responsive-ticket-system plugin before 4.2 for WordPress has directory traversal. | N/A | NONE | — | 0 |
| CVE-2019-9153 Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to forge signed messages by replacing its signatures with a "standalone" or "timestamp" signature. | N/A | NONE | — | 0 |
| CVE-2019-9154 Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to pass off unsigned data as signed. | N/A | NONE | — | 0 |
| CVE-2019-9155 A cryptographic issue in OpenPGP.js <=4.2.0 allows an attacker who is able provide forged messages and gain feedback about whether decryption of these messages succeeded to conduct an invalid curve at... | N/A | NONE | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.