Security Vulnerabilities - CVEs Published In October 2019
The s3bubble-amazon-s3-audio-streaming plugin 2.0 for WordPress has directory traversal via the adverts/assets/plugins/ultimate/content/downloader.php path parameter.
CVSS Score: 7.5 | EPSS Score: 0.065 | Published: 2019-10-10
The yet-another-stars-rating plugin before 0.9.1 for WordPress has yasr_get_multi_set_values_and_field SQL injection via the set_id parameter.
CVSS Score: 8.8 | EPSS Score: 0.009 | Published: 2019-10-10
The wti-like-post plugin before 1.4.3 for WordPress has WtiLikePostProcessVote SQL injection via the HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR, HTTP_X_FORWARDED, HTTP_FORWARDED_FOR, or HTTP_FORWARDED variable.
CVSS Score: 9.8 | EPSS Score: 0.007 | Published: 2019-10-10
The broken-link-manager plugin before 0.5.0 for WordPress has wpslDelURL or wpslEditURL SQL injection via the url parameter.
CVSS Score: 9.8 | EPSS Score: 0.007 | Published: 2019-10-10
The broken-link-manager plugin 0.4.5 for WordPress has XSS via the page parameter in a delURL action.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2019-10-10
The content-grabber plugin 1.0 for WordPress has XSS via obj_field_name or obj_field_id.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2019-10-10
The history-collection plugin through 1.1.1 for WordPress has directory traversal via the download.php var parameter.
CVSS Score: 7.5 | EPSS Score: 0.06 | Published: 2019-10-10
The dzs-zoomsounds plugin through 2.0 for WordPress has admin/upload.php arbitrary file upload.
CVSS Score: 9.8 | EPSS Score: 0.05 | Published: 2019-10-10
The incoming-links plugin before 0.9.10b for WordPress has referrers.php XSS via the Referer HTTP header.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2019-10-10
The estrutura-basica theme through 2015-09-13 for WordPress has directory traversal via the scripts/download.php arquivo parameter.
CVSS Score: 7.5 | EPSS Score: 0.045 | Published: 2019-10-10

