Weekly Updates: a new vulnerability is published on the National Vulnerability Database (25 items)

New vulnerabilities from the NVD: CVE-2015-9409 The alo-easymail plugin before 2.6.01 for WordPress has CSRF with resultant XSS in pages/alo-easymail-admin-options.php. Published at: September 25, 2019 at 08:15PM View on website September 25, 2019 at 10:17PM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9431 The qtranslate-x plugin before 3.4.4 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=qtranslate-x json_config_files or json_custom_i18n_config parameter. Published at: September 26, 2019 at 05:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9430 The crazy-bone plugin before 0.6.0 for WordPress has XSS via the User-Agent HTTP header. Published at: September 26, 2019 at 04:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9429 The yith-maintenance-mode plugin before 1.2.0 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=yith-maintenance-mode panel_page parameter. Published at: September 26, 2019 at 04:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9428 The wplegalpages plugin before 1.1 for WordPress has CSRF with resultant XSS via wp-admin/admin.php?page=legal-pages lp-domain-name, lp-business-name, lp-phone, lp-street, lp-city-state, lp-country, lp-email, lp-address, or lp-niche parameters. Published at: September 26, 2019 at 04:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9427 The googmonify plugin through 0.5.1 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=googmonify.php PID or AID parameter. Published at: September 26, 2019 at 04:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9426 The manual-image-crop plugin before 1.11 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=mic_editor_window postId parameter. Published at: September 26, 2019 at 04:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9425 The social-locker plugin before 4.2.5 for WordPress has CSRF with resultant XSS via the wp-admin/edit.php?post_type=opanda-item&page=license-manager-sociallocker-next licensekey parameter. Published at: September 26, 2019 at 04:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9424 The multicons plugin before 3.0 for WordPress has CSRF with resultant XSS via the wp-admin/options-general.php?page=multicons%2Fmulticons.php global_url or admin_url parameter. Published at: September 26, 2019 at 04:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9423 The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has XSS via wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load PlugneditBGColor, PlugneditEditorMargin, plugnedit_width, pnemedcount, or plugneditcontent parameters. Published at: September 26, 2019 at 04:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9422 The PlugNedit Adaptive Editor plugin before 6.2.0 for WordPress has CSRF with resultant XSS via wp-admin/admin-ajax.php?action=simple_fields_field_type_post_dialog_load plugnedit_width, pnemedcount, PlugneditBGColor, PlugneditEditorMargin, or plugneditcontent parameters. Published at: September 26, 2019 at 04:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9421 The olevmedia-shortcodes plugin before 1.1.9 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=omsc_popup id parameter. Published at: September 26, 2019 at 04:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9420 The soundcloud-is-gold plugin before 2.3.2 for WordPress has XSS via the wp-admin/admin-ajax.php?action=get_soundcloud_player id parameter. Published at: September 26, 2019 at 04:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9419 The captain-slider plugin 1.0.6 for WordPress has XSS via a Title or Caption section. Published at: September 26, 2019 at 04:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9418 The Watu Pro plugin before 4.9.0.8 for WordPress has CSRF that allows an attacker to delete quizzes. Published at: September 26, 2019 at 03:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9417 The testimonial-slider plugin through 1.2.1 for WordPress has CSRF with resultant XSS. Published at: September 26, 2019 at 03:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9416 The sitepress-multilingual-cms (WPML) plugin 2.9.3 to 3.2.6 for WordPress has XSS via the Accept-Language HTTP header. Published at: September 26, 2019 at 03:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9415 The bj-lazy-load plugin before 1.0 for WordPress has Remote File Inclusion. Published at: September 26, 2019 at 03:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9414 The wp-symposium plugin through 15.8.1 for WordPress has XSS via the wp-content/plugins/wp-symposium/get_album_item.php?size parameter. Published at: September 26, 2019 at 03:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9413 The eshop plugin through 6.3.13 for WordPress has CSRF with resultant XSS via the wp-admin/admin.php?page=eshop-downloads.php title parameter. Published at: September 26, 2019 at 03:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9412 The Royal-Slider plugin before 3.2.7 for WordPress has XSS via the rstype parameter. Published at: September 26, 2019 at 03:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9411 The Postmatic plugin before 1.4.6 for WordPress has XSS. Published at: September 26, 2019 at 03:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9410 The Blubrry PowerPress Podcasting plugin 6.0.4 for WordPress has XSS via the tab parameter. Published at: September 26, 2019 at 03:15AM View on website September 26, 2019 at 10:17AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2015-9417 (testimonial_slider) The testimonial-slider plugin through 1.2.1 for WordPress has CSRF with resultant XSS. Published at: September 26, 2019 at 03:15AM View on website September 27, 2019 at 03:07AM via National Vulnerability Database New vulnerabilities from the NVD: CVE-2014-10396 (epic) The epic theme through 2014-09-07 for WordPress allows arbitrary file downloads via the file parameter to includes/download.php. Published at: September 20, 2019 at 11:15PM View on website September 27, 2019 at 07:07PM via National Vulnerability Database