WordPress
by WordPress
CVEs (377)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2006-3389 | | | 0.00 | — | 0.03 | | Jul 6, 2006 | index.php in WordPress 2.0.3 allows remote attackers to obtain sensitive information, such as SQL table prefixes, via an invalid paged parameter, which displays the information in an SQL error message. NOTE: this issue has been disputed by a third party who states that the… |
| CVE-2006-3390 | | | 0.00 | — | 0.03 | | Jul 6, 2006 | WordPress 2.0.3 allows remote attackers to obtain the installation path via a direct request to various files, such as those in the (1) wp-admin, (2) wp-content, and (3) wp-includes directories, possibly due to uninitialized variables. |
| CVE-2006-2702 | | | 0.00 | — | 0.03 | | May 31, 2006 | vars.php in WordPress 2.0.2, possibly when running on Mac OS X, allows remote attackers to spoof their IP address via a PC_REMOTE_ADDR HTTP header, which vars.php uses to redefine $_SERVER['REMOTE_ADDR']. |
| CVE-2006-2667 | | | 0.00 | — | 0.15 | | May 30, 2006 | Direct static code injection vulnerability in WordPress 2.0.2 and earlier allows remote attackers to execute arbitrary commands by inserting a carriage return and PHP code when updating a profile, which is appended after a special comment sequence into files in (1)… |
| CVE-2006-1796 | | | 0.00 | — | 0.02 | | Apr 17, 2006 | Cross-site scripting (XSS) vulnerability in the paging links functionality in template-functions-links.php in WordPress 1.5.2, and possibly other versions before 2.0.1, allows remote attackers to inject arbitrary web script or HTML to Internet Explorer users via the request URI… |
| CVE-2006-1263 | | | 0.00 | — | 0.02 | | Mar 19, 2006 | Multiple "unannounced" cross-site scripting (XSS) vulnerabilities in WordPress before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors. |
| CVE-2006-1012 | | | 0.00 | — | 0.03 | | Mar 6, 2006 | SQL injection vulnerability in WordPress 1.5.2, and possibly other versions before 2.0, allows remote attackers to execute arbitrary SQL commands via the User-Agent field in an HTTP header for a comment. |
| CVE-2006-0986 | | | 0.00 | — | 0.03 | | Mar 3, 2006 | WordPress 2.0.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) default-filters.php, (2) template-loader.php, (3) rss-functions.php, (4) locale.php, (5) wp-db.php, and (6) kses.php in the wp-includes/ directory; and (7)… |
| CVE-2006-0985 | | | 0.00 | — | 0.03 | | Mar 3, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in the "post comment" functionality of WordPress 2.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) website, and (3) comment parameters. |
| CVE-2005-4463 | | | 0.00 | — | 0.03 | | Dec 21, 2005 | WordPress before 1.5.2 allows remote attackers to obtain sensitive information via a direct request to (1) wp-includes/vars.php, (2) wp-content/plugins/hello.php, (3) wp-admin/upgrade-functions.php, (4) wp-admin/edit-form.php, (5) wp-settings.php, and (6)… |
| CVE-2005-2612 | | | 0.00 | — | 0.39 | | Aug 17, 2005 | Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_lastpostdate[server] cookie. |
| CVE-2005-2107 | | | 0.00 | — | 0.03 | | Jul 5, 2005 | Multiple cross-site scripting (XSS) vulnerabilities in post.php in WordPress 1.5.1.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) p or (2) comment parameter. |
| CVE-2005-2110 | | | 0.00 | — | 0.03 | | Jul 5, 2005 | WordPress 1.5.1.2 and earlier allows remote attackers to obtain sensitive information via (1) a direct request to menu-header.php or a "1" value in the feed parameter to (2) wp-atom.php, (3) wp-rss.php, or (4) wp-rss2.php, which reveal the path in an error message. NOTE: vector… |
| CVE-2005-2109 | | | 0.00 | — | 0.03 | | Jul 5, 2005 | wp-login.php in WordPress 1.5.1.2 and earlier allows remote attackers to change the content of the forgotten password e-mail message via the message variable, which is not initialized before use. |
| CVE-2005-1810 | | | 0.00 | — | 0.03 | | Jun 1, 2005 | SQL injection vulnerability in template-functions-category.php in WordPress 1.5.1 allows remote attackers to execute arbitrary SQL commands via the $cat_ID variable, as demonstrated using the cat parameter to index.php. |
| CVE-2005-1687 | | | 0.00 | — | 0.02 | | May 20, 2005 | SQL injection vulnerability in wp-trackback.php in WordPress 1.5 and earlier allows remote attackers to execute arbitrary SQL commands via the tb_id parameter. |
| CVE-2005-1102 | | | 0.00 | — | 0.03 | | May 2, 2005 | Multiple cross-site scripting (XSS) vulnerabilities in template-functions-post.php in WordPress 1.5 and earlier allow remote attackers to execute arbitrary commands via the (1) content or (2) title of the post. |