Vendor CVEs
WordPress
All CVEs
32,708 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2012-1125 | 0.00 | — | 0.12 | Oct 8, 2012 | Unrestricted file upload vulnerability in uploadify/scripts/uploadify.php in the Kish Guest Posting plugin before 1.2 for WordPress allows remote attackers to execute arbitrary code by uploading a file with a PHP extension, then accessing it via a direct request to the file in… | |||
| CVE-2011-5207 | 0.00 | — | 0.05 | Oct 4, 2012 | Cross-site scripting (XSS) vulnerability in admin/OptionsPostsList.php in the TheCartPress plugin for WordPress before 1.1.6 before 2011-12-31 allows remote attackers to inject arbitrary web script or HTML via the tcp_name_post_XXXXX parameter. | |||
| CVE-2012-4448 | 0.00 | — | 0.01 | Sep 28, 2012 | Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action. | |||
| CVE-2011-5194 | 0.00 | — | 0.02 | Sep 23, 2012 | Cross-site scripting (XSS) vulnerability in vendors/samswhois/samswhois.inc.php in the Whois Search plugin before 1.4.2.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the domain parameter, a different vulnerability than CVE-2011-5193. | |||
| CVE-2011-5191 | 0.00 | — | 0.02 | Sep 23, 2012 | Cross-site scripting (XSS) vulnerability in pretty-bar.php in Pretty Link Lite plugin before 1.5.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the slug parameter, a different vulnerability than CVE-2011-5192. | |||
| CVE-2012-1625 | 0.00 | — | 0.01 | Sep 20, 2012 | Eval injection vulnerability in the fillpdf_form_export_decode function in fillpdf.admin.inc in the Fill PDF module 6.x-1.x before 6.x-1.16 and 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with administer PDFs privileges to execute arbitrary PHP code via… | |||
| CVE-2012-4422 | 0.00 | — | 0.02 | Sep 14, 2012 | wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin… | |||
| CVE-2012-4421 | 0.00 | — | 0.02 | Sep 14, 2012 | The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the… | |||
| CVE-2010-5106 | 0.00 | — | 0.02 | Sep 14, 2012 | The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role. | |||
| CVE-2012-4874 | 0.00 | — | 0.03 | Sep 6, 2012 | Unspecified vulnerability in the Another WordPress Classifieds Plugin before 2.0 for WordPress has unknown impact and attack vectors related to "image uploads." | |||
| CVE-2012-2109 | 0.00 | — | 0.03 | Sep 4, 2012 | SQL injection vulnerability in wp-load.php in the BuddyPress plugin 1.5.x before 1.5.5 of WordPress allows remote attackers to execute arbitrary SQL commands via the page parameter in an activity_widget_filter action. | |||
| CVE-2011-5128 | 0.00 | — | 0.02 | Aug 29, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in the Adminimize plugin before 1.7.22 for WordPress allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) inc-options/deinstall_options.php, (2) inc-options/theme_options.php, or (3)… | |||
| CVE-2011-5104 | 0.00 | — | 0.02 | Aug 23, 2012 | Cross-site scripting (XSS) vulnerability in wpsc-admin/display-sales-logs.php in WP e-Commerce plugin 3.8.7.1 and possibly earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the custom_text parameter. NOTE: some of these details are… | |||
| CVE-2012-3434 | 0.00 | — | 0.02 | Aug 15, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in userperspan.php in the Count Per Day module before 3.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) page, (2) datemin, or (3) datemax parameter. | |||
| CVE-2012-4332 | 0.00 | — | 0.02 | Aug 14, 2012 | The ShareYourCart plugin 1.7.1 for WordPress allows remote attackers to obtain the installation path via unspecified vectors related to the SDK. | |||
| CVE-2012-4327 | 0.00 | — | 0.02 | Aug 14, 2012 | Unspecified vulnerability in the Image News slider plugin before 3.3 for WordPress has unspecified impact and remote attack vectors. | |||
| CVE-2012-4283 | 0.00 | — | 0.02 | Aug 13, 2012 | Cross-site scripting (XSS) vulnerability in the Login With Ajax plugin before 3.0.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the callback parameter. | |||
| CVE-2012-4273 | 0.00 | — | 0.06 | Aug 13, 2012 | Cross-site scripting (XSS) vulnerability in libs/xing.php in the 2 Click Social Media Buttons plugin before 0.34 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xing-url parameter. | |||
| CVE-2012-4272 | 0.00 | — | 0.02 | Aug 13, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in the 2 Click Social Media Buttons plugin before 0.34 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the "processing of the buttons of Xing and Pinterest". | |||
| CVE-2012-4271 | 0.00 | — | 0.02 | Aug 13, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in bad-behavior-wordpress-admin.php in the Bad Behavior plugin before 2.0.47 and 2.2.x before 2.2.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, (2) httpbl_key, (3)… | |||
| CVE-2012-4268 | 0.00 | — | 0.02 | Aug 13, 2012 | Cross-site scripting (XSS) vulnerability in bulletproof-security/admin/options.php in the BulletProof Security plugin before .47.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the HTTP_ACCEPT_ENCODING header. | |||
| CVE-2012-4264 | 0.00 | — | 0.02 | Aug 13, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in the Better WP Security (better_wp_security) plugin before 3.2.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "server variables," a different vulnerability… | |||
| CVE-2012-4263 | 0.00 | — | 0.02 | Aug 13, 2012 | Cross-site scripting (XSS) vulnerability in inc/admin/content.php in the Better WP Security (better_wp_security) plugin before 3.2.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the HTTP_USER_AGENT header. | |||
| CVE-2012-4256 | 0.00 | — | 0.01 | Aug 13, 2012 | The jNews (com_jnews) component 7.5.1 for Joomla! allows remote attackers to obtain sensitive information via the emailsearch parameter, which reveals the installation path in an error message. | |||
| CVE-2012-3385 | 0.00 | — | 0.02 | Jul 22, 2012 | WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or contributors to obtain sensitive information via unknown vectors. | |||
| CVE-2012-3384 | 0.00 | — | 0.01 | Jul 22, 2012 | Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||
| CVE-2012-3383 | 0.00 | — | 0.03 | Jul 22, 2012 | The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not properly assign the unfiltered_html capability, which allows remote authenticated users to bypass intended access restrictions and conduct… | |||
| CVE-2012-4033 | 0.00 | — | 0.03 | Jul 18, 2012 | Multiple unspecified vulnerabilities in the Zingiri Web Shop plugin before 2.4.0 for WordPress have unknown impact and attack vectors. | |||
| CVE-2011-4957 | 0.00 | — | 0.03 | Jun 27, 2012 | The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many… | |||
| CVE-2011-4956 | 0.00 | — | 0.03 | Jun 27, 2012 | Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2012-2633 | 0.00 | — | 0.02 | Jun 15, 2012 | Cross-site scripting (XSS) vulnerability in wassup.php in the WassUp plugin before 1.8.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header. | |||
| CVE-2012-2759 | 0.00 | — | 0.02 | May 22, 2012 | Cross-site scripting (XSS) vulnerability in login-with-ajax.php in the Login With Ajax (aka login-with-ajax) plugin before 3.0.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the callback parameter in a lostpassword action to wp-login.php. | |||
| CVE-2012-2920 | 0.00 | — | 0.02 | May 21, 2012 | Cross-site scripting (XSS) vulnerability in the userphoto_options_page function in user-photo.php in the User Photo plugin before 0.9.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to wp-admin/options-general.php. NOTE: some… | |||
| CVE-2012-2916 | 0.00 | — | 0.02 | May 21, 2012 | Cross-site scripting (XSS) vulnerability in sabre_class_admin.php in the SABRE plugin before 2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the active_option parameter to wp-admin/tools.php. | |||
| CVE-2012-2912 | 0.00 | — | 0.02 | May 21, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in the LeagueManager plugin 3.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) group parameter in the show-league page or (2) season parameter in the team page to wp-admin/admin.php. | |||
| CVE-2012-1936 | 0.00 | — | 0.03 | May 3, 2012 | The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and… | |||
| CVE-2012-2404 | 0.00 | — | 0.03 | Apr 21, 2012 | wp-comments-post.php in WordPress before 3.3.2 supports offsite redirects, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. | |||
| CVE-2012-2403 | 0.00 | — | 0.03 | Apr 21, 2012 | wp-includes/formatting.php in WordPress before 3.3.2 attempts to enable clickable links inside attributes, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. | |||
| CVE-2012-2402 | 0.00 | — | 0.03 | Apr 21, 2012 | wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspecified vectors. | |||
| CVE-2012-2401 | 0.00 | — | 0.05 | Apr 21, 2012 | Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content. | |||
| CVE-2012-2400 | 0.00 | — | 0.03 | Apr 21, 2012 | Unspecified vulnerability in wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown impact and attack vectors. | |||
| CVE-2012-2399 | 0.00 | — | 0.09 | Apr 21, 2012 | Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a… | |||
| CVE-2012-1786 | 0.00 | — | 0.02 | Mar 19, 2012 | The Media Upload form in the Video Embed & Thumbnail Generator plugin before 2.0 for WordPress allows remote attackers to obtain the installation path via unknown vectors. | |||
| CVE-2012-1785 | 0.00 | — | 0.03 | Mar 19, 2012 | kg_callffmpeg.php in the Video Embed & Thumbnail Generator plugin before 2.0 for WordPress allows remote attackers to execute arbitrary commands via unspecified vectors. | |||
| CVE-2011-5082 | 0.00 | — | 0.02 | Mar 19, 2012 | Cross-site scripting (XSS) vulnerability in the s2Member Pro plugin before 111220 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s2member_pro_authnet_checkout[coupon] parameter (aka Coupon Code field). | |||
| CVE-2012-1205 | 0.00 | — | 0.25 | Feb 24, 2012 | PHP remote file inclusion vulnerability in relocate-upload.php in Relocate Upload plugin before 0.20 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the abspath parameter. | |||
| CVE-2012-1068 | 0.00 | — | 0.02 | Feb 14, 2012 | Cross-site scripting (XSS) vulnerability in the rc_ajax function in core.php in the WP-RecentComments plugin before 2.0.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter, related to AJAX paging. | |||
| CVE-2012-1067 | 0.00 | — | 0.02 | Feb 14, 2012 | SQL injection vulnerability in the WP-RecentComments plugin 2.0.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter in an rc-content action to index.php. NOTE: the provenance of this information is unknown; the details are obtained… | |||
| CVE-2012-0937 | 0.00 | — | 0.08 | Jan 30, 2012 | wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which allows remote attackers to use WordPress as a proxy for brute-force attacks or denial of service… | |||
| CVE-2012-0782 | 0.00 | — | 0.04 | Jan 30, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dbhost, (2) dbname, or (3) uname parameter. NOTE: the vendor… |
- CVE-2012-1125Oct 8, 2012risk 0.00cvss —epss 0.12
Unrestricted file upload vulnerability in uploadify/scripts/uploadify.php in the Kish Guest Posting plugin before 1.2 for WordPress allows remote attackers to execute arbitrary code by uploading a file with a PHP extension, then accessing it via a direct request to the file in…
- CVE-2011-5207Oct 4, 2012risk 0.00cvss —epss 0.05
Cross-site scripting (XSS) vulnerability in admin/OptionsPostsList.php in the TheCartPress plugin for WordPress before 1.1.6 before 2011-12-31 allows remote attackers to inject arbitrary web script or HTML via the tcp_name_post_XXXXX parameter.
- CVE-2012-4448Sep 28, 2012risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action.
- CVE-2011-5194Sep 23, 2012risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in vendors/samswhois/samswhois.inc.php in the Whois Search plugin before 1.4.2.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the domain parameter, a different vulnerability than CVE-2011-5193.
- CVE-2011-5191Sep 23, 2012risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in pretty-bar.php in Pretty Link Lite plugin before 1.5.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the slug parameter, a different vulnerability than CVE-2011-5192.
- CVE-2012-1625Sep 20, 2012risk 0.00cvss —epss 0.01
Eval injection vulnerability in the fillpdf_form_export_decode function in fillpdf.admin.inc in the Fill PDF module 6.x-1.x before 6.x-1.16 and 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with administer PDFs privileges to execute arbitrary PHP code via…
- CVE-2012-4422Sep 14, 2012risk 0.00cvss —epss 0.02
wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin…
- CVE-2012-4421Sep 14, 2012risk 0.00cvss —epss 0.02
The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the…
- CVE-2010-5106Sep 14, 2012risk 0.00cvss —epss 0.02
The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role.
- CVE-2012-4874Sep 6, 2012risk 0.00cvss —epss 0.03
Unspecified vulnerability in the Another WordPress Classifieds Plugin before 2.0 for WordPress has unknown impact and attack vectors related to "image uploads."
- CVE-2012-2109Sep 4, 2012risk 0.00cvss —epss 0.03
SQL injection vulnerability in wp-load.php in the BuddyPress plugin 1.5.x before 1.5.5 of WordPress allows remote attackers to execute arbitrary SQL commands via the page parameter in an activity_widget_filter action.
- CVE-2011-5128Aug 29, 2012risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the Adminimize plugin before 1.7.22 for WordPress allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) inc-options/deinstall_options.php, (2) inc-options/theme_options.php, or (3)…
- CVE-2011-5104Aug 23, 2012risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in wpsc-admin/display-sales-logs.php in WP e-Commerce plugin 3.8.7.1 and possibly earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the custom_text parameter. NOTE: some of these details are…
- CVE-2012-3434Aug 15, 2012risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in userperspan.php in the Count Per Day module before 3.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) page, (2) datemin, or (3) datemax parameter.
- CVE-2012-4332Aug 14, 2012risk 0.00cvss —epss 0.02
The ShareYourCart plugin 1.7.1 for WordPress allows remote attackers to obtain the installation path via unspecified vectors related to the SDK.
- CVE-2012-4327Aug 14, 2012risk 0.00cvss —epss 0.02
Unspecified vulnerability in the Image News slider plugin before 3.3 for WordPress has unspecified impact and remote attack vectors.
- CVE-2012-4283Aug 13, 2012risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the Login With Ajax plugin before 3.0.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the callback parameter.
- CVE-2012-4273Aug 13, 2012risk 0.00cvss —epss 0.06
Cross-site scripting (XSS) vulnerability in libs/xing.php in the 2 Click Social Media Buttons plugin before 0.34 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xing-url parameter.
- CVE-2012-4272Aug 13, 2012risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the 2 Click Social Media Buttons plugin before 0.34 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the "processing of the buttons of Xing and Pinterest".
- CVE-2012-4271Aug 13, 2012risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in bad-behavior-wordpress-admin.php in the Bad Behavior plugin before 2.0.47 and 2.2.x before 2.2.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, (2) httpbl_key, (3)…
- CVE-2012-4268Aug 13, 2012risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in bulletproof-security/admin/options.php in the BulletProof Security plugin before .47.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the HTTP_ACCEPT_ENCODING header.
- CVE-2012-4264Aug 13, 2012risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the Better WP Security (better_wp_security) plugin before 3.2.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "server variables," a different vulnerability…
- CVE-2012-4263Aug 13, 2012risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in inc/admin/content.php in the Better WP Security (better_wp_security) plugin before 3.2.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the HTTP_USER_AGENT header.
- CVE-2012-4256Aug 13, 2012risk 0.00cvss —epss 0.01
The jNews (com_jnews) component 7.5.1 for Joomla! allows remote attackers to obtain sensitive information via the emailsearch parameter, which reveals the installation path in an error message.
- CVE-2012-3385Jul 22, 2012risk 0.00cvss —epss 0.02
WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or contributors to obtain sensitive information via unknown vectors.
- CVE-2012-3384Jul 22, 2012risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
- CVE-2012-3383Jul 22, 2012risk 0.00cvss —epss 0.03
The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not properly assign the unfiltered_html capability, which allows remote authenticated users to bypass intended access restrictions and conduct…
- CVE-2012-4033Jul 18, 2012risk 0.00cvss —epss 0.03
Multiple unspecified vulnerabilities in the Zingiri Web Shop plugin before 2.4.0 for WordPress have unknown impact and attack vectors.
- CVE-2011-4957Jun 27, 2012risk 0.00cvss —epss 0.03
The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many…
- CVE-2011-4956Jun 27, 2012risk 0.00cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2012-2633Jun 15, 2012risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in wassup.php in the WassUp plugin before 1.8.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header.
- CVE-2012-2759May 22, 2012risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in login-with-ajax.php in the Login With Ajax (aka login-with-ajax) plugin before 3.0.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the callback parameter in a lostpassword action to wp-login.php.
- CVE-2012-2920May 21, 2012risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the userphoto_options_page function in user-photo.php in the User Photo plugin before 0.9.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to wp-admin/options-general.php. NOTE: some…
- CVE-2012-2916May 21, 2012risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in sabre_class_admin.php in the SABRE plugin before 2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the active_option parameter to wp-admin/tools.php.
- CVE-2012-2912May 21, 2012risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the LeagueManager plugin 3.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) group parameter in the show-league page or (2) season parameter in the team page to wp-admin/admin.php.
- CVE-2012-1936May 3, 2012risk 0.00cvss —epss 0.03
The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and…
- CVE-2012-2404Apr 21, 2012risk 0.00cvss —epss 0.03
wp-comments-post.php in WordPress before 3.3.2 supports offsite redirects, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
- CVE-2012-2403Apr 21, 2012risk 0.00cvss —epss 0.03
wp-includes/formatting.php in WordPress before 3.3.2 attempts to enable clickable links inside attributes, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
- CVE-2012-2402Apr 21, 2012risk 0.00cvss —epss 0.03
wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspecified vectors.
- CVE-2012-2401Apr 21, 2012risk 0.00cvss —epss 0.05
Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content.
- CVE-2012-2400Apr 21, 2012risk 0.00cvss —epss 0.03
Unspecified vulnerability in wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown impact and attack vectors.
- CVE-2012-2399Apr 21, 2012risk 0.00cvss —epss 0.09
Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a…
- CVE-2012-1786Mar 19, 2012risk 0.00cvss —epss 0.02
The Media Upload form in the Video Embed & Thumbnail Generator plugin before 2.0 for WordPress allows remote attackers to obtain the installation path via unknown vectors.
- CVE-2012-1785Mar 19, 2012risk 0.00cvss —epss 0.03
kg_callffmpeg.php in the Video Embed & Thumbnail Generator plugin before 2.0 for WordPress allows remote attackers to execute arbitrary commands via unspecified vectors.
- CVE-2011-5082Mar 19, 2012risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the s2Member Pro plugin before 111220 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s2member_pro_authnet_checkout[coupon] parameter (aka Coupon Code field).
- CVE-2012-1205Feb 24, 2012risk 0.00cvss —epss 0.25
PHP remote file inclusion vulnerability in relocate-upload.php in Relocate Upload plugin before 0.20 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the abspath parameter.
- CVE-2012-1068Feb 14, 2012risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the rc_ajax function in core.php in the WP-RecentComments plugin before 2.0.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter, related to AJAX paging.
- CVE-2012-1067Feb 14, 2012risk 0.00cvss —epss 0.02
SQL injection vulnerability in the WP-RecentComments plugin 2.0.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter in an rc-content action to index.php. NOTE: the provenance of this information is unknown; the details are obtained…
- CVE-2012-0937Jan 30, 2012risk 0.00cvss —epss 0.08
wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which allows remote attackers to use WordPress as a proxy for brute-force attacks or denial of service…
- CVE-2012-0782Jan 30, 2012risk 0.00cvss —epss 0.04
Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dbhost, (2) dbname, or (3) uname parameter. NOTE: the vendor…
Page 651 of 655