LiveActive security incident?Get immediate response
CVE archive

July 2015

Browse CVE records published in July 2015, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 716 matching CVEs · Page 1 of 15.

Medium · CVSS 6.9

CVE-2015-10142: Sitecore XP < 8.0 and CMS < 7.2 and < 7.5 File Read via Known Path

Sitecore Experience Platform (XP) prior to 8.0 Initial Release (rev. 141212) and Content Management System (CMS) prior to 7.2 Update-3 (rev. 141226) and prior to 7.5 Update-1 (rev. 150130) contain a vulnerability that may allow an attacker to download files under the web root of the site when the name of the file is already known via a specially-crafted URL. Affected files do not include .config, .aspx or .cs files. The issue does not allow for directory browsing.

Published Jul 25, 2025 · Updated May 15, 2026

Critical · CVSS 9.3

CVE-2015-10141: Xdebug Remote Debugger Unauthenticated OS Command Execution

An unauthenticated OS command injection vulnerability exists within Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. When remote debugging is enabled, Xdebug listens on port 9000 and accepts debugger protocol commands without authentication. An attacker can send a crafted eval command over this interface to execute arbitrary PHP code, which may invoke system-level functions such as system() or passthru(). This results in full compromise of the host under the privileges of the web server user.

Published Jul 23, 2025 · Updated May 15, 2026

High · CVSS 7.2

CVE-2015-10133: Subscribe to Comments <= 2.1.2 - Local File Includion

The Subscribe to Comments for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.1.2 via the Path to header value. This allows authenticated attackers, with administrative privileges and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This same function can also be used to execute arbitrary PHP code.

Published Jul 19, 2025 · Updated Apr 8, 2026

Critical · CVSS 9.8

CVE-2015-10138: Work The Flow File Upload <= 2.5.2 - Arbitrary File Upload

The Work The Flow File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jQuery-File-Upload-9.5.0 server and test files in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.

Published Jul 19, 2025 · Updated Apr 8, 2026

Critical · CVSS 9.8

CVE-2015-10143: Platform < 1.4.4 - Missing Authorization to Unauthenticated Arbitrary Options Update

The Platform theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the *_ajax_save_options() function in all versions up to 1.4.4 (exclusive). This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Published Jul 25, 2025 · Updated Apr 8, 2026

Critical · CVSS 9.8

CVE-2015-10137: Website Contact Form With File Upload <= 1.3.4 - Arbitrary File Upload

The Website Contact Form With File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_file()' function in versions up to, and including, 1.3.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.

Published Jul 22, 2025 · Updated Apr 8, 2026

High · CVSS 8.8

CVE-2015-10144: Responsive Thumbnail Slider < 1.0.1 - Authenticated (Subscriber+) Arbitrary File Upload

The Responsive Thumbnail Slider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type sanitization in the via the image uploader in versions up to 1.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected sites server using a double extension which may make remote code execution possible.

Published Jul 25, 2025 · Updated Apr 8, 2026

Critical · CVSS 9.8

CVE-2015-10135: WPshop 2 – E-Commerce < 1.3.9.6 - Arbitrary File Upload

The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaxUpload function in versions before 1.3.9.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.

Published Jul 19, 2025 · Updated Apr 8, 2026

High · CVSS 7.5

CVE-2015-10136: GI-Media Library < 3.0 - Directory Traversal

The GI-Media Library plugin for WordPress is vulnerable to Directory Traversal in versions before 3.0 via the 'fileid' parameter. This allows unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Published Jul 19, 2025 · Updated Apr 8, 2026

High · CVSS 7.5

CVE-2015-10134: Simple Backup <= 2.7.10 - Arbitrary File Download via Path Traversal

The Simple Backup plugin for WordPress is vulnerable to Arbitrary File Download in versions up to, and including, 2.7.10. via the download_backup_file function. This is due to a lack of capability checks and file type validation. This makes it possible for attackers to download sensitive files such as the wp-config.php file from the affected site.

Published Jul 19, 2025 · Updated Apr 8, 2026

High · CVSS 7.8 · CISA KEV

CVE-2015-5122: Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe...

Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property, as exploited in the wild in July 2015.

Published Jul 14, 2015 · Updated Nov 17, 2025

High · CVSS 7.8 · CISA KEV

CVE-2015-5119: Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Fla...

Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

Published Jul 8, 2015 · Updated Nov 17, 2025

High · CVSS 7.8 · CISA KEV

CVE-2015-5123: Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Fl...

Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

Published Jul 14, 2015 · Updated Nov 17, 2025

High · CVSS 8.8 · CISA KEV

CVE-2015-2424: Microsoft PowerPoint 2007 SP3, Word 2007 SP3, PowerPoint 2010 SP2, Word 2010 SP2, PowerPoint 2013 SP1, Word...

Microsoft PowerPoint 2007 SP3, Word 2007 SP3, PowerPoint 2010 SP2, Word 2010 SP2, PowerPoint 2013 SP1, Word 2013 SP1, and PowerPoint 2013 RT SP1 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Microsoft Office Memory Corruption Vulnerability."

Published Jul 14, 2015 · Updated Oct 21, 2025

High · CVSS 7.8 · CISA KEV

CVE-2015-2387: ATMFD.DLL in the Adobe Type Manager Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Wi...

ATMFD.DLL in the Adobe Type Manager Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "ATMFD.DLL Memory Corruption Vulnerability."

Published Jul 14, 2015 · Updated Oct 21, 2025

High · CVSS 8.8 · CISA KEV

CVE-2015-2426: Buffer underflow in atmfd.dll in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Win...

Buffer underflow in atmfd.dll in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka "OpenType Font Driver Vulnerability."

Published Jul 20, 2015 · Updated Oct 21, 2025

Medium · CVSS 4.3

CVE-2015-10003: FileZilla Server PORT confused deputy

A vulnerability, which was classified as problematic, was found in FileZilla Server up to 0.9.50. This affects an unknown part of the component PORT Handler. The manipulation leads to unintended intermediary. It is possible to initiate the attack remotely. Upgrading to version 0.9.51 is able to address this issue. It is recommended to upgrade the affected component.

Published Jul 17, 2022 · Updated Apr 15, 2025

Medium · CVSS 4

CVE-2015-10121: Beeliked Microsite Plugin beelikedmicrosite.php embed_handler cross site scripting

A vulnerability has been found in Beeliked Microsite Plugin up to 1.0.1 on WordPress and classified as problematic. Affected by this vulnerability is the function embed_handler of the file beelikedmicrosite.php. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.0.2 is able to address this issue. The identifier of the patch is d23bafb5d05fb2636a2b78331f9d3fca152903dc. It is recommended to upgrade the affected component. The identifier VDB-233365 was assigned to this vulnerability.

Published Jul 10, 2023 · Updated Nov 21, 2024

Unknown · CVSS Not scored

CVE-2015-5374: A vulnerability has been identified in Firmware variant PROFINET IO for EN100 Ethernet module : All version...

A vulnerability has been identified in Firmware variant PROFINET IO for EN100 Ethernet module : All versions < V1.04.01; Firmware variant Modbus TCP for EN100 Ethernet module : All versions < V1.11.00; Firmware variant DNP3 TCP for EN100 Ethernet module : All versions < V1.03; Firmware variant IEC 104 for EN100 Ethernet module : All versions < V1.21; EN100 Ethernet module included in SIPROTEC Merging Unit 6MU80 : All versions < 1.02.02. Specially crafted packets sent to port 50000/UDP could cause a denial-of-service of the affected device. A manual reboot may be required to recover the service of the device.

Published Jul 18, 2015 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2015-5529: Multiple cross-site scripting (XSS) vulnerabilities in Free Reprintables ArticleFR 3.0.6 allow remote attac...

Multiple cross-site scripting (XSS) vulnerabilities in Free Reprintables ArticleFR 3.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter to dashboard/settings/categories/, (2) title or (3) rel parameter to dashboard/settings/links/, or (4) url parameter to dashboard/tools/pingservers/.

Published Jul 16, 2015 · Updated Sep 17, 2024

Medium · CVSS 4

CVE-2015-10120: WDS Multisite Aggregate Plugin WDS_Multisite_Aggregate_Options.php update_options cross site scripting

A vulnerability, which was classified as problematic, was found in WDS Multisite Aggregate Plugin up to 1.0.0 on WordPress. Affected is the function update_options of the file includes/WDS_Multisite_Aggregate_Options.php. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.0.1 is able to address this issue. The name of the patch is 49e0bbcb6ff70e561365d9e0d26426598f63ca12. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-233364.

Published Jul 10, 2023 · Updated Aug 6, 2024

Medium · CVSS 6.5

CVE-2015-10122: wp-donate Plugin donate-display.php sql injection

A vulnerability was found in wp-donate Plugin up to 1.4 on WordPress. It has been classified as critical. This affects an unknown part of the file includes/donate-display.php. The manipulation leads to sql injection. It is possible to initiate the attack remotely. Upgrading to version 1.5 is able to address this issue. The identifier of the patch is 019114cb788d954c5d1b36d6c62418619e93a757. It is recommended to upgrade the affected component. The identifier VDB-234249 was assigned to this vulnerability.

Published Jul 18, 2023 · Updated Aug 6, 2024

Medium · CVSS 4

CVE-2015-10119: View All Posts Page Plugin view-all-posts-pages.php action_admin_notices_activation cross site scripting

A vulnerability, which was classified as problematic, has been found in View All Posts Page Plugin up to 0.9.0 on WordPress. This issue affects the function action_admin_notices_activation of the file view-all-posts-pages.php. The manipulation leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 0.9.1 is able to address this issue. The patch is named bf914f3a59063fa4df8fd4925ae18a5d852396d7. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-233363.

Published Jul 10, 2023 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2015-9260: An issue was discovered in BEdita before 3.7.0.

An issue was discovered in BEdita before 3.7.0. A cross-site scripting (XSS) attack occurs via a crafted pages/showObjects URI, as demonstrated by appending a payload to a pages/showObjects/2/0/0/leafs URI.

Published Jul 5, 2018 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2015-8890: platform/msm_shared/partition_parser.c in the Qualcomm components in Android before 2016-07-05 on Nexus 5 a...

platform/msm_shared/partition_parser.c in the Qualcomm components in Android before 2016-07-05 on Nexus 5 and 7 (2013) devices does not validate certain GUID Partition Table (GPT) data, which allows attackers to bypass intended access restrictions via a crafted MultiMediaCard (MMC), aka Android internal bug 28822878 and Qualcomm internal bug CR823461.

Published Jul 11, 2016 · Updated Aug 6, 2024