LiveActive security incident?Get immediate response
CVE archive

October 2015

Browse CVE records published in October 2015, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 929 matching CVEs · Page 1 of 19.

Medium · CVSS 4.9

CVE-2015-10147: Easy Testimonial Slider and Form <= 1.0.2 - Authenticated (Admin+) SQL injection

The Easy Testimonial Slider and Form plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Published Oct 29, 2025 · Updated Apr 8, 2026

Medium · CVSS 4.9

CVE-2015-10146: Thumbnail Slider With Lightbox <= 1.0.4 - Authenticated (Admin+) SQL Injection

The Thumbnail Slider With Lightbox plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Published Oct 29, 2025 · Updated Apr 8, 2026

Medium · CVSS 6.5

CVE-2015-10126: Easy2Map Photos Plugin sql injection

A vulnerability classified as critical was found in Easy2Map Photos Plugin 1.0.1 on WordPress. This vulnerability affects unknown code. The manipulation leads to sql injection. The attack can be initiated remotely. Upgrading to version 1.1.0 is able to address this issue. The patch is identified as 503d9ee2482d27c065f78d9546f076a406189908. It is recommended to upgrade the affected component. VDB-241318 is the identifier assigned to this vulnerability.

Published Oct 6, 2023 · Updated Jun 16, 2025

Unknown · CVSS Not scored

CVE-2015-20110: JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comp...

JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces the search space to a linear amount of guesses based on the token length times the possible characters.

Published Oct 31, 2023 · Updated Sep 6, 2024

Medium · CVSS 5

CVE-2015-10125: WP Ultimate CSV Importer Plugin cross-site request forgery

A vulnerability classified as problematic has been found in WP Ultimate CSV Importer Plugin 3.7.2 on WordPress. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 3.7.3 is able to address this issue. The identifier of the patch is 13c30af721d3f989caac72dd0f56cf0dc40fad7e. It is recommended to upgrade the affected component. The identifier VDB-241317 was assigned to this vulnerability.

Published Oct 5, 2023 · Updated Aug 6, 2024

Medium · CVSS 6.5

CVE-2015-10124: Most Popular Posts Widget Plugin functions.php show_views sql injection

A vulnerability was found in Most Popular Posts Widget Plugin up to 0.8 on WordPress. It has been classified as critical. Affected is the function add_views/show_views of the file functions.php. The manipulation leads to sql injection. It is possible to launch the attack remotely. Upgrading to version 0.9 is able to address this issue. The patch is identified as a99667d11ac8d320006909387b100e9a8b5c12e1. It is recommended to upgrade the affected component. VDB-241026 is the identifier assigned to this vulnerability.

Published Oct 2, 2023 · Updated Aug 6, 2024