LiveActive security incident?Get immediate response
CVE archive

March 2015

Browse CVE records published in March 2015, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 574 matching CVEs · Page 1 of 12.

High · CVSS 7.2

CVE-2015-20115: RealtyScript 4.0.2 Stored Cross-Site Scripting via File Upload Parameter

Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize file uploads, allowing attackers to store malicious scripts through the file POST parameter in admin/tools.php. Attackers can upload files containing JavaScript code that executes in the context of admin/tools.php when accessed by other users.

Published Mar 15, 2026 · Updated May 24, 2026

Medium · CVSS 6.1

CVE-2015-20114: RealtyScript 4.0.2 Cross-Site Scripting via Multiple Parameters

Next Click Ventures RealtyScript 4.0.2 contains a cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious input through multiple parameters that are not properly sanitized. Attackers can craft requests with injected script payloads in vulnerable parameters to execute code in users' browser sessions within the context of the affected application.

Published Mar 15, 2026 · Updated May 24, 2026

Medium · CVSS 6.1

CVE-2015-20116: RealtyScript 4.0.2 Stored Cross-Site Scripting via CSV File Upload Filename

Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploads, allowing attackers to inject malicious scripts through filename parameters in multipart form data. Attackers can upload files with XSS payloads in the filename field to execute arbitrary JavaScript in users' browsers when the file is processed or displayed.

Published Mar 15, 2026 · Updated Mar 16, 2026

Medium · CVSS 6.9

CVE-2015-20117: RealtyScript 4.0.2 Cross-Site Request Forgery Unauthorized User Creation

Next Click Ventures RealtyScript 4.0.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create unauthorized user accounts and administrative users by crafting malicious forms. Attackers can submit hidden form data to /admin/addusers.php and /admin/editadmins.php endpoints to register new users with arbitrary credentials and escalate privileges to SUPERUSER level.

Published Mar 15, 2026 · Updated Mar 16, 2026

High · CVSS 7.2

CVE-2015-20118: RealtyScript 4.0.2 Stored Cross-Site Scripting via location_name Parameter

Next Click Ventures RealtyScript 4.0.2 contains a stored cross-site scripting vulnerability in the location_name parameter of the admin locations interface. Attackers can submit POST requests to the locations.php endpoint with JavaScript payloads in the location_name field to execute arbitrary code in administrator browsers.

Published Mar 15, 2026 · Updated Mar 16, 2026

Medium · CVSS 6.4

CVE-2015-20119: RealtyScript 4.0.2 Stored Cross-Site Scripting via text Parameter in pages.php

Next Click Ventures RealtyScript 4.0.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious HTML and iframe elements through the text parameter in the pages.php admin interface. Attackers can submit POST requests to the add page action with crafted iframe payloads in the text parameter to store malicious content that executes in the browsers of users viewing the affected pages.

Published Mar 15, 2026 · Updated Mar 16, 2026

High · CVSS 8.8

CVE-2015-20121: RealtyScript 4.0.2 SQL Injection via u_id and agent Parameters

Next Click Ventures RealtyScript 4.0.2 contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting arbitrary SQL code through the GET parameter 'u_id' in /admin/users.php and the POST parameter 'agent[]' in /admin/mailer.php. Attackers can exploit time-based blind SQL injection techniques to extract sensitive database information or cause denial of service through sleep-based payloads.

Published Mar 15, 2026 · Updated Mar 16, 2026

Medium · CVSS 6.9

CVE-2015-20113: RealtyScript 4.0.2 Multiple Cross-Site Request Forgery and Persistent Cross-Site Scripting Vulnerabilities

Next Click Ventures RealtyScript 4.0.2 contains cross-site request forgery and persistent cross-site scripting vulnerabilities that allow attackers to perform administrative actions and inject malicious scripts. Attackers can craft malicious web pages that execute unauthorized actions when logged-in users visit them, or inject persistent scripts that execute in the application context.

Published Mar 15, 2026 · Updated Mar 16, 2026

High · CVSS 8.8

CVE-2015-20120: RealtyScript 4.0.2 Multiple Time-based Blind SQL Injection

Next Click Ventures RealtyScript 4.0.2 contains multiple time-based blind SQL injection vulnerabilities that allow unauthenticated attackers to extract database information by injecting SQL code into application parameters. Attackers can craft requests with time-delay payloads to infer database contents character by character based on response timing differences.

Published Mar 15, 2026 · Updated Mar 16, 2026

Medium · CVSS 4

CVE-2015-10095: woo-popup Plugin class-woo-popup-admin.php cross site scripting

A vulnerability classified as problematic has been found in woo-popup Plugin up to 1.2.2 on WordPress. This affects an unknown part of the file admin/class-woo-popup-admin.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.3.0 is able to address this issue. The patch is named 7c76ac78f3e16015991b612ff4fa616af4ce9292. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-222327.

Published Mar 6, 2023 · Updated Mar 5, 2025

Medium · CVSS 4

CVE-2015-10090: Landing Pages Plugin cross site scripting

A vulnerability, which was classified as problematic, has been found in Landing Pages Plugin up to 1.8.7 on WordPress. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.8.8 is able to address this issue. The name of the patch is c8e22c1340c11fedfb0a0a67ea690421bdb62b94. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-222320.

Published Mar 5, 2023 · Updated Nov 25, 2024

Medium · CVSS 6.5

CVE-2015-10097: grinnellplans-php read.php interface_disp_page sql injection

A vulnerability was found in grinnellplans-php up to 3.0. It has been declared as critical. Affected by this vulnerability is the function interface_disp_page/interface_disp_page of the file read.php. The manipulation leads to sql injection. The attack can be launched remotely. The identifier of the patch is 57e4409e19203a94495140ff1b5a697734d17cfb. It is recommended to apply a patch to fix this issue. The identifier VDB-223801 was assigned to this vulnerability.

Published Mar 25, 2023 · Updated Oct 15, 2024

Unknown · CVSS Not scored

CVE-2015-2792: The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which al...

The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allows remote attackers to bypass nonce checks and perform arbitrary actions via a request containing an action POST parameter, an action GET parameter, and a valid nonce for the action GET parameter.

Published Mar 30, 2015 · Updated Sep 17, 2024

Medium · CVSS 6.3

CVE-2015-0796: open build service source server symlink exploitation via source patch

In open buildservice 2.6 before 2.6.3, 2.5 before 2.5.7 and 2.4 before 2.4.8 the source service patch application could generate non-standard files like symlinks or device nodes, which could allow buildservice users to break of confinement or cause denial of service attacks on the source service.

Published Mar 2, 2018 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2015-5350: In Garden versions 0.22.0-0.329.0, a vulnerability has been discovered in the garden-linux nstar executable...

In Garden versions 0.22.0-0.329.0, a vulnerability has been discovered in the garden-linux nstar executable that allows access to files on the host system. By staging an application on Cloud Foundry using Diego and Garden installations with a malicious custom buildpack an end user could read files on the host system that the BOSH-created vcap user has permissions to read and then package them into their app droplet.

Published Mar 19, 2018 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2015-2199: Multiple SQL injection vulnerabilities in the WonderPlugin Audio Player plugin before 2.1 for WordPress all...

Multiple SQL injection vulnerabilities in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow (1) remote authenticated users to execute arbitrary SQL commands via the item[id] parameter in a wonderplugin_audio_save_item action to wp-admin/admin-ajax.php or remote administrators to execute arbitrary SQL commands via the itemid parameter in the (2) wonderplugin_audio_show_item, (3) wonderplugin_audio_show_items, or (4) wonderplugin_audio_edit_item page to wp-admin/admin.php.

Published Mar 3, 2015 · Updated Sep 16, 2024

Medium · CVSS 5.3

CVE-2015-10130: The Team Circle Image Slider With Lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery...

The Team Circle Image Slider With Lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the circle_thumbnail_slider_with_lightbox_image_management_func() function. This makes it possible for unauthenticated attackers to edit image data which can be used to inject malicious JavaScript, along with deleting images, and uploading malicious files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published Mar 13, 2024 · Updated Aug 11, 2024

Medium · CVSS 5

CVE-2015-10096: Zarthus IRC Twitter Announcer Bot twitter_announcer.rb get_tweets command injection

A vulnerability, which was classified as critical, was found in Zarthus IRC Twitter Announcer Bot up to 1.1.0. This affects the function get_tweets of the file lib/twitterbot/plugins/twitter_announcer.rb. The manipulation of the argument tweet leads to command injection. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. Upgrading to version 1.1.1 is able to address this issue. The patch is named 6b1941b7fc2c70e1f40981b43c84a2c20cc12bd3. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-223383.

Published Mar 20, 2023 · Updated Aug 6, 2024

Medium · CVSS 5

CVE-2015-10088: ayttm proxy.c http_connect format string

A vulnerability, which was classified as critical, was found in ayttm up to 0.5.0.89. This affects the function http_connect in the library libproxy/proxy.c. The manipulation leads to format string. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The patch is named 40e04680018614a7d2b68566b261b061a0597046. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-222267.

Published Mar 5, 2023 · Updated Aug 6, 2024

Medium · CVSS 4

CVE-2015-10089: flame.js cross site scripting

A vulnerability classified as problematic has been found in flame.js. This affects an unknown part. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The patch is named e6c49b5f6179e31a534b7c3264e1d36aa99728ac. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-222291.

Published Mar 5, 2023 · Updated Aug 6, 2024

Medium · CVSS 6.5

CVE-2015-10087: UpThemes Theme DesignFolio Plus unrestricted upload

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability has been found in UpThemes Theme DesignFolio Plus 1.2 on WordPress and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 53f6ae62878076f99718e5feb589928e83c879a9. It is recommended to apply a patch to fix this issue. The identifier VDB-221809 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Published Mar 7, 2023 · Updated Aug 6, 2024

Low · CVSS 2.6

CVE-2015-10093: Mark User as Spammer Plugin plugin.php user_row_actions cross site scripting

A vulnerability was found in Mark User as Spammer Plugin 1.0.0/1.0.1 on WordPress. It has been declared as problematic. Affected by this vulnerability is the function user_row_actions of the file plugin/plugin.php. The manipulation of the argument url leads to cross site scripting. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 1.0.2 is able to address this issue. The identifier of the patch is e7059727274d2767c240c55c02c163eaa4ba6c62. It is recommended to upgrade the affected component. The identifier VDB-222325 was assigned to this vulnerability.

Published Mar 6, 2023 · Updated Aug 6, 2024

Medium · CVSS 4

CVE-2015-10092: Qtranslate Slug Plugin class-qtranslate-slug.php add_slug_meta_box cross site scripting

A vulnerability was found in Qtranslate Slug Plugin up to 1.1.16 on WordPress. It has been classified as problematic. Affected is the function add_slug_meta_box of the file includes/class-qtranslate-slug.php. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.1.17 is able to address this issue. The name of the patch is 74b3932696f9868e14563e51b7d0bb68c53bf5e4. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-222324.

Published Mar 6, 2023 · Updated Aug 6, 2024

Medium · CVSS 4

CVE-2015-10131: chrisy TFO Graphviz Plugin tfo-graphviz-admin.php admin_page cross site scripting

A vulnerability was found in chrisy TFO Graphviz Plugin up to 1.9 on WordPress and classified as problematic. Affected by this issue is the function admin_page_load/admin_page of the file tfo-graphviz-admin.php. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.10 is able to address this issue. The name of the patch is 594c953a345f79e26003772093b0caafc14b92c2. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-258620.

Published Mar 31, 2024 · Updated Aug 6, 2024

Low · CVSS 3.3

CVE-2015-10094: Fastly Plugin api.php post cross site scripting

A vulnerability was found in Fastly Plugin up to 0.97 on WordPress. It has been rated as problematic. Affected by this issue is the function post of the file lib/api.php. The manipulation of the argument url leads to cross site scripting. The attack may be launched remotely. Upgrading to version 0.98 is able to address this issue. The patch is identified as d7fe42538f4d4af500e3af9678b6b06fba731656. It is recommended to upgrade the affected component. VDB-222326 is the identifier assigned to this vulnerability.

Published Mar 6, 2023 · Updated Aug 6, 2024

Medium · CVSS 5.8

CVE-2015-10091: ByWater Solutions bywater-koha-xslt systempreferences.pl StringSearch sql injection

A vulnerability has been found in ByWater Solutions bywater-koha-xslt and classified as critical. This vulnerability affects the function StringSearch of the file admin/systempreferences.pl. The manipulation of the argument name leads to sql injection. The attack can be initiated remotely. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The patch is identified as 9513b93c828dfbc4413f9e0df63647401aaf4e58. It is recommended to apply a patch to fix this issue. VDB-222322 is the identifier assigned to this vulnerability.

Published Mar 6, 2023 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2015-9258: In Docker Notary before 0.1, gotuf/signed/verify.go has a Signature Algorithm Not Matched to Key vulnerabil...

In Docker Notary before 0.1, gotuf/signed/verify.go has a Signature Algorithm Not Matched to Key vulnerability. Because an attacker controls the field specifying the signature algorithm, they might (for example) be able to forge a signature by forcing a misinterpretation of an RSA-PSS key as Ed25519 elliptic-curve data.

Published Mar 31, 2018 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2015-8986: Sandbox detection evasion vulnerability in hardware appliances in McAfee (now Intel Security) Advanced Thre...

Sandbox detection evasion vulnerability in hardware appliances in McAfee (now Intel Security) Advanced Threat Defense (MATD) 3.4.2.32 and earlier allows attackers to detect the sandbox environment, then bypass proper malware detection resulting in failure to detect a malware file (false-negative) via specially crafted malware.

Published Mar 14, 2017 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2015-8994: An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm w...

An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. With 5.x after 5.6.28 or 7.x after 7.0.13, the issue is resolved in a non-default configuration with the opcache.validate_permission=1 setting. The vulnerability details are as follows. In PHP SAPIs where PHP interpreters share a common parent process, Zend OpCache creates a shared memory object owned by the common parent during initialization. Child PHP processes inherit the SHM descriptor, using it to cache and retrieve compiled script bytecode ("opcode" in PHP jargon). Cache keys vary depending on configuration, but filename is a central key component, and compiled opcode can generally be run if a script's filename is known or can be guessed. Many common shared-hosting configurations change EUID in child processes to enforce privilege separation among hosted users (for example using mod_ruid2 for the Apache HTTP Server, or php-fpm user settings). In these scenarios, the default Zend OpCache behavior defeats script file permissions by sharing a single SHM cache among all child PHP processes. PHP scripts often contain sensitive information: Think of CMS configurations where reading or running another user's script usually means gaining privileges to the CMS database.

Published Mar 2, 2017 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2015-8983: Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or li...

Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to computing a size in bytes, which triggers a heap-based buffer overflow.

Published Mar 20, 2017 · Updated Aug 6, 2024