VYPR

WordPress

by WordPress

CVEs (377)

  • CVE-2022-3590 (Dec 14, 2022)
    risk 0.07 | cvss | epss 0.03

    WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

  • CVE-2013-7240 (Jan 3, 2014)
    risk 0.05 | cvss | epss 0.20

    Directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dew_file parameter.

  • CVE-2007-1277 (Mar 5, 2007)
    risk 0.05 | cvss | epss 0.27

    WordPress 2.1.1, as downloaded from some official distribution sites during February and March 2007, contains an externally introduced backdoor that allows remote attackers to execute arbitrary commands via (1) an eval injection vulnerability in the ix parameter to…

  • CVE-2009-2334 (Jul 10, 2009)
    risk 0.04 | cvss | epss 0.06

    wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify…

  • CVE-2008-4769 (Oct 28, 2008)
    risk 0.04 | cvss | epss 0.09

    Directory traversal vulnerability in the get_category_template function in wp-includes/theme.php in WordPress 2.3.3 and earlier, and 2.5, allows remote attackers to include and possibly execute arbitrary PHP files via the cat parameter in index.php. NOTE: some of these details…

  • CVE-2007-6318 (Dec 12, 2007)
    risk 0.04 | cvss | epss 0.09

    SQL injection vulnerability in wp-includes/query.php in WordPress 2.3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the s parameter, when DB_CHARSET is set to (1) Big5, (2) GBK, or possibly other character set encodings that support a "\" in a…

  • CVE-2007-5710 (Oct 30, 2007)
    risk 0.04 | cvss | epss 0.07

    Cross-site scripting (XSS) vulnerability in wp-admin/edit-post-rows.php in WordPress 2.3 allows remote attackers to inject arbitrary web script or HTML via the posts_columns array parameter.

  • CVE-2007-3140 (Jun 8, 2007)
    risk 0.04 | cvss | epss 0.07

    SQL injection vulnerability in xmlrpc.php in WordPress 2.2 allows remote authenticated users to execute arbitrary SQL commands via a parameter value in an XML RPC wp.suggestCategories methodCall, a different vector than CVE-2007-1897.

  • CVE-2007-0233 (Jan 13, 2007)
    risk 0.04 | cvss | epss 0.11

    wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the tb_id…

  • CVE-2005-2108 (Jul 5, 2005)
    risk 0.04 | cvss | epss 0.09

    SQL injection vulnerability in XMLRPC server in WordPress 1.5.1.2 and earlier allows remote attackers to execute arbitrary SQL commands via input that is not filtered in the HTTP_RAW_POST_DATA variable, which stores the data in an XML file.

  • CVE-2004-1584 (Dec 31, 2004)
    risk 0.04 | cvss | epss 0.11

    CRLF injection vulnerability in wp-login.php in WordPress 1.2 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the text parameter.

  • CVE-2004-1559 (Dec 31, 2004)
    risk 0.04 | cvss | epss 0.06

    Multiple cross-site scripting (XSS) vulnerabilities in WordPress 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) redirect_to, text, popupurl, or popuptitle parameters to wp-login.php, (2) redirect_url parameter to admin-header.php, (3) popuptitle,…

  • CVE-2022-21661 (Jan 6, 2022)
    risk 0.03 | cvss | epss 0.98

    WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been…

  • CVE-2021-29447 (Apr 15, 2021)
    risk 0.03 | cvss | epss 0.86

    WordPress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful…

  • CVE-2019-8942 (Feb 20, 2019)
    risk 0.03 | cvss | epss 0.83

    WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by…

  • CVE-2014-9034 (Nov 25, 2014)
    risk 0.03 | cvss | epss 0.83

    wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to…

  • CVE-2013-7233 (Dec 30, 2013)
    risk 0.03 | cvss | epss 0.04

    Cross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earlier allows remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list.

  • CVE-2009-2335 (Jul 10, 2009)
    risk 0.03 | cvss | epss 0.85

    WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue,…

  • CVE-2009-1030 (Mar 20, 2009)
    risk 0.03 | cvss | epss 0.05

    Cross-site scripting (XSS) vulnerability in the choose_primary_blog function in wp-includes/wpmu-functions.php in WordPress MU (WPMU) before 2.7 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.

  • CVE-2008-1304 (Mar 12, 2008)
    risk 0.03 | cvss | epss 0.05

    Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) inviteemail parameter in an invite action to wp-admin/users.php and the (2) to parameter in a sent action to wp-admin/invites.php.
