WordPress
by WordPress
Source repositories
CVEs (377)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2011-3130 | 0.00 | — | 0.02 | Aug 10, 2011 | wp-includes/taxonomy.php in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Taxonomy query hardening," possibly involving SQL injection. | |||
| CVE-2011-3129 | 0.00 | — | 0.02 | Aug 10, 2011 | The file upload functionality in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2, when running "on hosts with dangerous security settings," has unknown impact and attack vectors, possibly related to dangerous filenames. | |||
| CVE-2011-3128 | 0.00 | — | 0.02 | Aug 10, 2011 | WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 treats unattached attachments as published, which might allow remote attackers to obtain sensitive data via vectors related to wp-includes/post.php. | |||
| CVE-2011-3127 | 0.00 | — | 0.02 | Aug 10, 2011 | WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 does not prevent rendering for (1) admin or (2) login pages inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. | |||
| CVE-2011-3126 | 0.00 | — | 0.02 | Aug 10, 2011 | WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 allows remote attackers to determine usernames of non-authors via canonical redirects. | |||
| CVE-2011-3125 | 0.00 | — | 0.02 | Aug 10, 2011 | Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Various security hardening." | |||
| CVE-2011-3122 | 0.00 | — | 0.03 | Aug 10, 2011 | Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Media security." | |||
| CVE-2011-0701 | 0.00 | — | 0.03 | Mar 14, 2011 | wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2) private posts via a modified attachment_id parameter. | |||
| CVE-2011-0700 | 0.00 | — | 0.03 | Mar 14, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or post_title), (2) post_status, (3) comment_status, (4)… | |||
| CVE-2010-4536 | 0.00 | — | 0.03 | Jan 3, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used in WordPress before 3.0.4, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the & (ampersand) character, (2) the case of an attribute name, (3) a padded entity, and (4)… | |||
| CVE-2010-4257 | 0.00 | — | 0.03 | Dec 7, 2010 | SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field. | |||
| CVE-2010-0682 | 0.00 | — | 0.10 | Feb 23, 2010 | WordPress 2.9 before 2.9.2 allows remote authenticated users to read trash posts from other authors via a direct request with a modified p parameter. | |||
| CVE-2009-3891 | 0.00 | — | 0.02 | Nov 17, 2009 | Cross-site scripting (XSS) vulnerability in wp-admin/press-this.php in WordPress before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML via the s parameter (aka the selection variable). | |||
| CVE-2009-3890 | 0.00 | — | 0.08 | Nov 17, 2009 | Unrestricted file upload vulnerability in the wp_check_filetype function in wp-includes/functions.php in WordPress before 2.8.6, when a certain configuration of the mod_mime module in the Apache HTTP Server is enabled, allows remote authenticated users to execute arbitrary code… | |||
| CVE-2009-3622 | 0.00 | — | 0.06 | Oct 23, 2009 | Algorithmic complexity vulnerability in wp-trackback.php in WordPress before 2.8.5 allows remote attackers to cause a denial of service (CPU consumption and server hang) via a long title parameter in conjunction with a charset parameter composed of many comma-separated "UTF-8"… | |||
| CVE-2009-2854 | 0.00 | — | 0.02 | Aug 18, 2009 | Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additions via a direct request to (1) edit-comments.php, (2) edit-pages.php, (3) edit.php, (4) edit-category-form.php, (5)… | |||
| CVE-2009-2853 | 0.00 | — | 0.05 | Aug 18, 2009 | Wordpress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6) edit-link-form.php, (7) edit-page-form.php, and… | |||
| CVE-2009-2851 | 0.00 | — | 0.08 | Aug 18, 2009 | Cross-site scripting (XSS) vulnerability in the administrator interface in WordPress before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via a comment author URL. | |||
| CVE-2009-2762 | 0.00 | — | 0.20 | Aug 13, 2009 | wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array. | |||
| CVE-2009-2432 | 0.00 | — | 0.03 | Jul 10, 2009 | WordPress and WordPress MU before 2.8.1 allow remote attackers to obtain sensitive information via a direct request to wp-settings.php, which reveals the installation path in an error message. |
- CVE-2011-3130Aug 10, 2011risk 0.00cvss —epss 0.02
wp-includes/taxonomy.php in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Taxonomy query hardening," possibly involving SQL injection.
- CVE-2011-3129Aug 10, 2011risk 0.00cvss —epss 0.02
The file upload functionality in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2, when running "on hosts with dangerous security settings," has unknown impact and attack vectors, possibly related to dangerous filenames.
- CVE-2011-3128Aug 10, 2011risk 0.00cvss —epss 0.02
WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 treats unattached attachments as published, which might allow remote attackers to obtain sensitive data via vectors related to wp-includes/post.php.
- CVE-2011-3127Aug 10, 2011risk 0.00cvss —epss 0.02
WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 does not prevent rendering for (1) admin or (2) login pages inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.
- CVE-2011-3126Aug 10, 2011risk 0.00cvss —epss 0.02
WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 allows remote attackers to determine usernames of non-authors via canonical redirects.
- CVE-2011-3125Aug 10, 2011risk 0.00cvss —epss 0.02
Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Various security hardening."
- CVE-2011-3122Aug 10, 2011risk 0.00cvss —epss 0.03
Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Media security."
- CVE-2011-0701Mar 14, 2011risk 0.00cvss —epss 0.03
wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2) private posts via a modified attachment_id parameter.
- CVE-2011-0700Mar 14, 2011risk 0.00cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or post_title), (2) post_status, (3) comment_status, (4)…
- CVE-2010-4536Jan 3, 2011risk 0.00cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used in WordPress before 3.0.4, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the & (ampersand) character, (2) the case of an attribute name, (3) a padded entity, and (4)…
- CVE-2010-4257Dec 7, 2010risk 0.00cvss —epss 0.03
SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field.
- CVE-2010-0682Feb 23, 2010risk 0.00cvss —epss 0.10
WordPress 2.9 before 2.9.2 allows remote authenticated users to read trash posts from other authors via a direct request with a modified p parameter.
- CVE-2009-3891Nov 17, 2009risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in wp-admin/press-this.php in WordPress before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML via the s parameter (aka the selection variable).
- CVE-2009-3890Nov 17, 2009risk 0.00cvss —epss 0.08
Unrestricted file upload vulnerability in the wp_check_filetype function in wp-includes/functions.php in WordPress before 2.8.6, when a certain configuration of the mod_mime module in the Apache HTTP Server is enabled, allows remote authenticated users to execute arbitrary code…
- CVE-2009-3622Oct 23, 2009risk 0.00cvss —epss 0.06
Algorithmic complexity vulnerability in wp-trackback.php in WordPress before 2.8.5 allows remote attackers to cause a denial of service (CPU consumption and server hang) via a long title parameter in conjunction with a charset parameter composed of many comma-separated "UTF-8"…
- CVE-2009-2854Aug 18, 2009risk 0.00cvss —epss 0.02
Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additions via a direct request to (1) edit-comments.php, (2) edit-pages.php, (3) edit.php, (4) edit-category-form.php, (5)…
- CVE-2009-2853Aug 18, 2009risk 0.00cvss —epss 0.05
Wordpress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6) edit-link-form.php, (7) edit-page-form.php, and…
- CVE-2009-2851Aug 18, 2009risk 0.00cvss —epss 0.08
Cross-site scripting (XSS) vulnerability in the administrator interface in WordPress before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via a comment author URL.
- CVE-2009-2762Aug 13, 2009risk 0.00cvss —epss 0.20
wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array.
- CVE-2009-2432Jul 10, 2009risk 0.00cvss —epss 0.03
WordPress and WordPress MU before 2.8.1 allow remote attackers to obtain sensitive information via a direct request to wp-settings.php, which reveals the installation path in an error message.
Page 15 of 19