Vendor CVEs
WordPress
All CVEs
32,709 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2014-2316 | 0.00 | — | 0.02 | Mar 9, 2014 | SQL injection vulnerability in se_search_default in the Search Everything plugin before 7.0.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the s parameter to index.php. NOTE: some of these details are obtained from third party information. | |||
| CVE-2014-2315 | 0.00 | — | 0.02 | Mar 9, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in the Thank You Counter Button plugin 1.8.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) thanks_caption, (2) thanks_caption_style, or (3) thanks_style parameter to… | |||
| CVE-2013-3478 | 0.00 | — | 0.02 | Mar 5, 2014 | SQL injection vulnerability in Apptha WordPress Video Gallery 2.0, 1.6, and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the playid parameter to index.php. | |||
| CVE-2014-2040 | 0.00 | — | 0.02 | Mar 3, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in the (1) callback_multicheck, (2) callback_radio, and (3) callback_wysiwygin functions in mfrh_class.settings-api.php in the Media File Renamer plugin 1.7.0 for WordPress allow remote authenticated users with permissions to… | |||
| CVE-2013-3487 | 0.00 | — | 0.02 | Mar 3, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in the security log in the BulletProof Security plugin before .49 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified HTML header fields to (1) 400.php, (2) 403.php, or (3) 403.php. | |||
| CVE-2014-1888 | 0.00 | — | 0.03 | Mar 1, 2014 | Cross-site scripting (XSS) vulnerability in the BuddyPress plugin before 1.9.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the name field to groups/create/step/group-details. NOTE: this can be exploited without authentication by… | |||
| CVE-2012-6635 | 0.00 | — | 0.02 | Jan 21, 2014 | wp-admin/includes/class-wp-posts-list-table.php in WordPress before 3.3.3 does not properly restrict excerpt-view access, which allows remote authenticated users to obtain sensitive information by visiting a draft. | |||
| CVE-2012-6634 | 0.00 | — | 0.03 | Jan 21, 2014 | wp-admin/media-upload.php in WordPress before 3.3.3 allows remote attackers to obtain sensitive information or bypass intended media-attachment restrictions via a post_id value. | |||
| CVE-2012-6633 | 0.00 | — | 0.02 | Jan 21, 2014 | Cross-site scripting (XSS) vulnerability in wp-includes/default-filters.php in WordPress before 3.3.3 allows remote attackers to inject arbitrary web script or HTML via an editable slug field. | |||
| CVE-2011-5270 | 0.00 | — | 0.02 | Jan 21, 2014 | wp-admin/press-this.php in WordPress before 3.0.6 does not enforce the publish_posts capability requirement, which allows remote authenticated users to perform publish actions by leveraging the Contributor role. | |||
| CVE-2010-5297 | 0.00 | — | 0.02 | Jan 21, 2014 | WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add… | |||
| CVE-2010-5296 | 0.00 | — | 0.02 | Jan 21, 2014 | wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action. | |||
| CVE-2010-5295 | 0.00 | — | 0.02 | Jan 21, 2014 | Cross-site scripting (XSS) vulnerability in wp-admin/plugins.php in WordPress before 3.0.2 might allow remote attackers to inject arbitrary web script or HTML via a plugin's author field, which is not properly handled during a Delete Plugin action. | |||
| CVE-2010-5294 | 0.00 | — | 0.01 | Jan 21, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in the request_filesystem_credentials function in wp-admin/includes/file.php in WordPress before 3.0.2 allow remote servers to inject arbitrary web script or HTML by providing a crafted error message for a (1) FTP or (2) SSH… | |||
| CVE-2010-5293 | 0.00 | — | 0.03 | Jan 21, 2014 | wp-includes/comment.php in WordPress before 3.0.2 does not properly whitelist trackbacks and pingbacks in the blogroll, which allows remote attackers to bypass intended spam restrictions via a crafted URL, as demonstrated by a URL that triggers a substring match. | |||
| CVE-2012-6630 | 0.00 | — | 0.02 | Jan 16, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in the Media Library Categories plugin 1.1.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) bulk parameter to media-library-categories/add.php or (2) q parameter to… | |||
| CVE-2012-6629 | 0.00 | — | 0.01 | Jan 16, 2014 | Multiple cross-site request forgery (CSRF) vulnerabilities in the Newsletter Manager plugin 1.0.2 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change an email address or (2) conduct script insertion… | |||
| CVE-2012-6628 | 0.00 | — | 0.02 | Jan 16, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in the Newsletter Manager plugin before 1.0.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) xyz_em_campName to admin/create_campaign.php or (2) admin/edit_campaign.php, (3) xyz_em_email… | |||
| CVE-2012-6627 | 0.00 | — | 0.02 | Jan 16, 2014 | Cross-site scripting (XSS) vulnerability in admin/test_mail.php in the Newsletter Manager plugin 1.0.2 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter. | |||
| CVE-2012-6625 | 0.00 | — | 0.05 | Jan 16, 2014 | SQL injection vulnerability in fs-admin/fs-admin.php in the ForumPress WP Forum Server plugin before 1.7.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the groupid parameter in an editgroup action. | |||
| CVE-2012-6623 | 0.00 | — | 0.02 | Jan 16, 2014 | Cross-site scripting (XSS) vulnerability in fs-admin/wpf-add-forum.php in the ForumPress WP Forum Server plugin before 1.7.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the groupid parameter in an addforum action to wp-admin/admin.php. | |||
| CVE-2012-6622 | 0.00 | — | 0.05 | Jan 16, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in fs-admin/fs-admin.php in the ForumPress WP Forum Server plugin before 1.7.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) groupid parameter in an editgroup action or (2) usergroup_id… | |||
| CVE-2014-1232 | 0.00 | — | 0.02 | Jan 8, 2014 | Cross-site scripting (XSS) vulnerability in the Foliopress WYSIWYG plugin before 2.6.8.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2013-7279 | 0.00 | — | 0.02 | Jan 8, 2014 | Cross-site scripting (XSS) vulnerability in views/video-management/preview_video.php in the S3 Video plugin before 0.983 for WordPress allows remote attackers to inject arbitrary web script or HTML via the base parameter. | |||
| CVE-2013-7276 | 0.00 | — | 0.02 | Jan 8, 2014 | Cross-site scripting (XSS) vulnerability in inc/raf_form.php in the Recommend to a friend plugin 2.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the current_url parameter. | |||
| CVE-2013-6993 | 0.00 | — | 0.02 | Jan 3, 2014 | Cross-site scripting (XSS) vulnerability in the Ad-minister plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the key parameter in a delete action to wp-admin/tools.php. | |||
| CVE-2013-6992 | 0.00 | — | 0.01 | Jan 3, 2014 | Cross-site request forgery (CSRF) vulnerability in askapache-firefox-adsense.php in the AskApache Firefox Adsense plugin 3.0 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS)… | |||
| CVE-2013-6991 | 0.00 | — | 0.02 | Jan 3, 2014 | Cross-site scripting (XSS) vulnerability in the WP-Cron Dashboard plugin 1.1.5 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the procname parameter to wp-admin/tools.php. | |||
| CVE-2013-7129 | 0.00 | — | 0.02 | Dec 17, 2013 | Cross-site scripting (XSS) vulnerability in ThemeBeans Blooog theme 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the jQuery parameter to assets/js/jplayer.swf. | |||
| CVE-2013-6342 | 0.00 | — | 0.02 | Nov 22, 2013 | Cross-site scripting (XSS) vulnerability in the Tweet Blender plugin before 4.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tb_tab_index parameter to wp-admin/options-general.php. | |||
| CVE-2013-3264 | 0.00 | — | 0.02 | Nov 5, 2013 | The WP Ultimate Email Marketer plugin 1.1.0 and possibly earlier for Wordpress does not properly restrict access to (1) list/edit.php and (2) campaign/editCampaign.php, which allows remote attackers to modify list or campaign data. | |||
| CVE-2013-3263 | 0.00 | — | 0.02 | Nov 5, 2013 | Multiple cross-site scripting (XSS) vulnerabilities in the WP Ultimate Email Marketer plugin 1.1.0 and possibly earlier for Wordpress allow remote attackers to inject arbitrary web script or HTML via the (1) siteurl parameter to campaign/campaignone.php; the (2) action, (3)… | |||
| CVE-2013-2701 | 0.00 | — | 0.01 | Nov 1, 2013 | Cross-site request forgery (CSRF) vulnerability in the Social Sharing Toolkit plugin 2.1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that manipulate plugin settings via unknown vectors. | |||
| CVE-2012-0827 | 0.00 | — | 0.01 | Oct 28, 2013 | The File module in Drupal 7.x before 7.11, when using unspecified field access modules, allows remote authenticated users to read arbitrary private files that are associated with restricted fields via unspecified vectors. | |||
| CVE-2013-6281 | 0.00 | — | 0.05 | Oct 25, 2013 | Cross-site scripting (XSS) vulnerability in codebase/spreadsheet.php in the Spreadsheet (dhtmlxSpreadsheet) plugin 2.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "page" parameter. | |||
| CVE-2013-6243 | 0.00 | — | 0.02 | Oct 23, 2013 | SQL injection vulnerability in the Landing Pages plugin 1.2.3, before 20131009, and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the "post" parameter to index.php. | |||
| CVE-2013-0736 | 0.00 | — | 0.01 | Oct 9, 2013 | Multiple cross-site request forgery (CSRF) vulnerabilities in the Mingle Forum plugin 1.0.34 and possibly earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) modify user privileges or (2) conduct cross-site scripting… | |||
| CVE-2013-6010 | 0.00 | — | 0.02 | Oct 3, 2013 | Cross-site scripting (XSS) vulnerability in the Comment Attachment plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "Attachment field title." | |||
| CVE-2013-5963 | 0.00 | — | 0.04 | Sep 30, 2013 | Unrestricted file upload vulnerability in multi.php in Simple Dropbox Upload plugin before 1.8.8.1 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in… | |||
| CVE-2013-4626 | 0.00 | — | 0.02 | Sep 26, 2013 | Cross-site scripting (XSS) vulnerability in the BackWPup plugin before 3.0.13 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab parameter to wp-admin/admin.php. | |||
| CVE-2013-5918 | 0.00 | — | 0.02 | Sep 23, 2013 | Cross-site scripting (XSS) vulnerability in platinum_seo_pack.php in the Platinum SEO plugin before 1.3.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter. | |||
| CVE-2013-5711 | 0.00 | — | 0.02 | Sep 17, 2013 | Cross-site scripting (XSS) vulnerability in admin/walkthrough/walkthrough.php in the Design Approval System plugin before 3.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the step parameter. | |||
| CVE-2013-5739 | 0.00 | — | 0.02 | Sep 12, 2013 | The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in… | |||
| CVE-2013-5738 | 0.00 | — | 0.02 | Sep 12, 2013 | The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks… | |||
| CVE-2013-4340 | 0.00 | — | 0.03 | Sep 12, 2013 | wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter. | |||
| CVE-2013-4339 | 0.00 | — | 0.07 | Sep 12, 2013 | WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string. | |||
| CVE-2013-4338 | 0.00 | — | 0.09 | Sep 12, 2013 | wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations. | |||
| CVE-2013-5714 | 0.00 | — | 0.02 | Sep 9, 2013 | Multiple cross-site scripting (XSS) vulnerabilities in ls/htmlchat.php in the VideoWhisper Live Streaming Integration plugin 4.25.3 and possibly earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) message parameter. NOTE:… | |||
| CVE-2013-3479 | 0.00 | — | 0.01 | Sep 5, 2013 | Cross-site request forgery (CSRF) vulnerability in the ShareThis plugin before 7.0.6 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify this plugin's settings. | |||
| CVE-2013-5098 | 0.00 | — | 0.02 | Aug 9, 2013 | Cross-site scripting (XSS) vulnerability in admin/admin.php in the Download Monitor plugin before 3.3.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the sort parameter, a different vulnerability than CVE-2013-3262. |
- CVE-2014-2316Mar 9, 2014risk 0.00cvss —epss 0.02
SQL injection vulnerability in se_search_default in the Search Everything plugin before 7.0.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the s parameter to index.php. NOTE: some of these details are obtained from third party information.
- CVE-2014-2315Mar 9, 2014risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the Thank You Counter Button plugin 1.8.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) thanks_caption, (2) thanks_caption_style, or (3) thanks_style parameter to…
- CVE-2013-3478Mar 5, 2014risk 0.00cvss —epss 0.02
SQL injection vulnerability in Apptha WordPress Video Gallery 2.0, 1.6, and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the playid parameter to index.php.
- CVE-2014-2040Mar 3, 2014risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the (1) callback_multicheck, (2) callback_radio, and (3) callback_wysiwygin functions in mfrh_class.settings-api.php in the Media File Renamer plugin 1.7.0 for WordPress allow remote authenticated users with permissions to…
- CVE-2013-3487Mar 3, 2014risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the security log in the BulletProof Security plugin before .49 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified HTML header fields to (1) 400.php, (2) 403.php, or (3) 403.php.
- CVE-2014-1888Mar 1, 2014risk 0.00cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in the BuddyPress plugin before 1.9.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the name field to groups/create/step/group-details. NOTE: this can be exploited without authentication by…
- CVE-2012-6635Jan 21, 2014risk 0.00cvss —epss 0.02
wp-admin/includes/class-wp-posts-list-table.php in WordPress before 3.3.3 does not properly restrict excerpt-view access, which allows remote authenticated users to obtain sensitive information by visiting a draft.
- CVE-2012-6634Jan 21, 2014risk 0.00cvss —epss 0.03
wp-admin/media-upload.php in WordPress before 3.3.3 allows remote attackers to obtain sensitive information or bypass intended media-attachment restrictions via a post_id value.
- CVE-2012-6633Jan 21, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in wp-includes/default-filters.php in WordPress before 3.3.3 allows remote attackers to inject arbitrary web script or HTML via an editable slug field.
- CVE-2011-5270Jan 21, 2014risk 0.00cvss —epss 0.02
wp-admin/press-this.php in WordPress before 3.0.6 does not enforce the publish_posts capability requirement, which allows remote authenticated users to perform publish actions by leveraging the Contributor role.
- CVE-2010-5297Jan 21, 2014risk 0.00cvss —epss 0.02
WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add…
- CVE-2010-5296Jan 21, 2014risk 0.00cvss —epss 0.02
wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action.
- CVE-2010-5295Jan 21, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in wp-admin/plugins.php in WordPress before 3.0.2 might allow remote attackers to inject arbitrary web script or HTML via a plugin's author field, which is not properly handled during a Delete Plugin action.
- CVE-2010-5294Jan 21, 2014risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in the request_filesystem_credentials function in wp-admin/includes/file.php in WordPress before 3.0.2 allow remote servers to inject arbitrary web script or HTML by providing a crafted error message for a (1) FTP or (2) SSH…
- CVE-2010-5293Jan 21, 2014risk 0.00cvss —epss 0.03
wp-includes/comment.php in WordPress before 3.0.2 does not properly whitelist trackbacks and pingbacks in the blogroll, which allows remote attackers to bypass intended spam restrictions via a crafted URL, as demonstrated by a URL that triggers a substring match.
- CVE-2012-6630Jan 16, 2014risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the Media Library Categories plugin 1.1.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) bulk parameter to media-library-categories/add.php or (2) q parameter to…
- CVE-2012-6629Jan 16, 2014risk 0.00cvss —epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in the Newsletter Manager plugin 1.0.2 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change an email address or (2) conduct script insertion…
- CVE-2012-6628Jan 16, 2014risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the Newsletter Manager plugin before 1.0.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) xyz_em_campName to admin/create_campaign.php or (2) admin/edit_campaign.php, (3) xyz_em_email…
- CVE-2012-6627Jan 16, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in admin/test_mail.php in the Newsletter Manager plugin 1.0.2 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter.
- CVE-2012-6625Jan 16, 2014risk 0.00cvss —epss 0.05
SQL injection vulnerability in fs-admin/fs-admin.php in the ForumPress WP Forum Server plugin before 1.7.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the groupid parameter in an editgroup action.
- CVE-2012-6623Jan 16, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in fs-admin/wpf-add-forum.php in the ForumPress WP Forum Server plugin before 1.7.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the groupid parameter in an addforum action to wp-admin/admin.php.
- CVE-2012-6622Jan 16, 2014risk 0.00cvss —epss 0.05
Multiple cross-site scripting (XSS) vulnerabilities in fs-admin/fs-admin.php in the ForumPress WP Forum Server plugin before 1.7.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) groupid parameter in an editgroup action or (2) usergroup_id…
- CVE-2014-1232Jan 8, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the Foliopress WYSIWYG plugin before 2.6.8.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2013-7279Jan 8, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in views/video-management/preview_video.php in the S3 Video plugin before 0.983 for WordPress allows remote attackers to inject arbitrary web script or HTML via the base parameter.
- CVE-2013-7276Jan 8, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in inc/raf_form.php in the Recommend to a friend plugin 2.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the current_url parameter.
- CVE-2013-6993Jan 3, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the Ad-minister plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the key parameter in a delete action to wp-admin/tools.php.
- CVE-2013-6992Jan 3, 2014risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in askapache-firefox-adsense.php in the AskApache Firefox Adsense plugin 3.0 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS)…
- CVE-2013-6991Jan 3, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the WP-Cron Dashboard plugin 1.1.5 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the procname parameter to wp-admin/tools.php.
- CVE-2013-7129Dec 17, 2013risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in ThemeBeans Blooog theme 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the jQuery parameter to assets/js/jplayer.swf.
- CVE-2013-6342Nov 22, 2013risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the Tweet Blender plugin before 4.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tb_tab_index parameter to wp-admin/options-general.php.
- CVE-2013-3264Nov 5, 2013risk 0.00cvss —epss 0.02
The WP Ultimate Email Marketer plugin 1.1.0 and possibly earlier for Wordpress does not properly restrict access to (1) list/edit.php and (2) campaign/editCampaign.php, which allows remote attackers to modify list or campaign data.
- CVE-2013-3263Nov 5, 2013risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the WP Ultimate Email Marketer plugin 1.1.0 and possibly earlier for Wordpress allow remote attackers to inject arbitrary web script or HTML via the (1) siteurl parameter to campaign/campaignone.php; the (2) action, (3)…
- CVE-2013-2701Nov 1, 2013risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in the Social Sharing Toolkit plugin 2.1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that manipulate plugin settings via unknown vectors.
- CVE-2012-0827Oct 28, 2013risk 0.00cvss —epss 0.01
The File module in Drupal 7.x before 7.11, when using unspecified field access modules, allows remote authenticated users to read arbitrary private files that are associated with restricted fields via unspecified vectors.
- CVE-2013-6281Oct 25, 2013risk 0.00cvss —epss 0.05
Cross-site scripting (XSS) vulnerability in codebase/spreadsheet.php in the Spreadsheet (dhtmlxSpreadsheet) plugin 2.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "page" parameter.
- CVE-2013-6243Oct 23, 2013risk 0.00cvss —epss 0.02
SQL injection vulnerability in the Landing Pages plugin 1.2.3, before 20131009, and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the "post" parameter to index.php.
- CVE-2013-0736Oct 9, 2013risk 0.00cvss —epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in the Mingle Forum plugin 1.0.34 and possibly earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) modify user privileges or (2) conduct cross-site scripting…
- CVE-2013-6010Oct 3, 2013risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the Comment Attachment plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "Attachment field title."
- CVE-2013-5963Sep 30, 2013risk 0.00cvss —epss 0.04
Unrestricted file upload vulnerability in multi.php in Simple Dropbox Upload plugin before 1.8.8.1 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in…
- CVE-2013-4626Sep 26, 2013risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the BackWPup plugin before 3.0.13 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab parameter to wp-admin/admin.php.
- CVE-2013-5918Sep 23, 2013risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in platinum_seo_pack.php in the Platinum SEO plugin before 1.3.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
- CVE-2013-5711Sep 17, 2013risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in admin/walkthrough/walkthrough.php in the Design Approval System plugin before 3.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the step parameter.
- CVE-2013-5739Sep 12, 2013risk 0.00cvss —epss 0.02
The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in…
- CVE-2013-5738Sep 12, 2013risk 0.00cvss —epss 0.02
The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks…
- CVE-2013-4340Sep 12, 2013risk 0.00cvss —epss 0.03
wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter.
- CVE-2013-4339Sep 12, 2013risk 0.00cvss —epss 0.07
WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string.
- CVE-2013-4338Sep 12, 2013risk 0.00cvss —epss 0.09
wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations.
- CVE-2013-5714Sep 9, 2013risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in ls/htmlchat.php in the VideoWhisper Live Streaming Integration plugin 4.25.3 and possibly earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) message parameter. NOTE:…
- CVE-2013-3479Sep 5, 2013risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in the ShareThis plugin before 7.0.6 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify this plugin's settings.
- CVE-2013-5098Aug 9, 2013risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in admin/admin.php in the Download Monitor plugin before 3.3.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the sort parameter, a different vulnerability than CVE-2013-3262.
Page 649 of 655