Vendor CVEs
WordPress
All CVEs
32,708 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2011-4899 | 0.00 | — | 0.09 | Jan 30, 2012 | wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via the dbhost and dbname parameters, and… | |||
| CVE-2011-4898 | 0.00 | — | 0.10 | Jan 30, 2012 | wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct… | |||
| CVE-2012-0934 | 0.00 | — | 0.08 | Jan 29, 2012 | PHP remote file inclusion vulnerability in ajax/savetag.php in the Theme Tuner plugin for WordPress before 0.8 allows remote attackers to execute arbitrary PHP code via a URL in the tt-abspath parameter. | |||
| CVE-2012-0898 | 0.00 | — | 0.03 | Jan 20, 2012 | Directory traversal vulnerability in meb_download.php in the myEASYbackup plugin 1.0.8.1 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dwn_file parameter. | |||
| CVE-2012-0896 | 0.00 | — | 0.25 | Jan 20, 2012 | Absolute path traversal vulnerability in download.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to read arbitrary files via the f parameter. | |||
| CVE-2012-0895 | 0.00 | — | 0.06 | Jan 20, 2012 | Cross-site scripting (XSS) vulnerability in map/map.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the map parameter. | |||
| CVE-2012-0287 | 0.00 | — | 0.03 | Jan 6, 2012 | Cross-site scripting (XSS) vulnerability in wp-comments-post.php in WordPress 3.3.x before 3.3.1, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via the query string in a POST operation that is not properly handled by the… | |||
| CVE-2011-5051 | 0.00 | — | 0.04 | Jan 4, 2012 | Multiple unrestricted file upload vulnerabilities in the WP Symposium plugin before 11.12.24 for WordPress allow remote attackers to execute arbitrary code by uploading a file with an executable extension using (1) uploadify/upload_admin_avatar.php or (2)… | |||
| CVE-2011-3841 | 0.00 | — | 0.02 | Dec 27, 2011 | Cross-site scripting (XSS) vulnerability in uploadify/get_profile_avatar.php in the WP Symposium plugin before 11.12.08 for WordPress allows remote attackers to inject arbitrary web script or HTML via the uid parameter. | |||
| CVE-2011-4669 | 0.00 | — | 0.02 | Dec 2, 2011 | SQL injection vulnerability in wp-users.php in WordPress Users plugin 1.3 and possibly earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the uid parameter to index.php. | |||
| CVE-2011-4568 | 0.00 | — | 0.02 | Nov 29, 2011 | Cross-site scripting (XSS) vulnerability in view/frontend-head.php in the Flowplayer plugin before 1.2.12 for WordPress allows remote attackers to inject arbitrary web script or HTML via the URI. | |||
| CVE-2011-4562 | 0.00 | — | 0.02 | Nov 28, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in (1) view/admin/log_item.php and (2) view/admin/log_item_details.php in the Redirection plugin 2.2.9 for WordPress allow remote attackers to inject arbitrary web script or HTML via the Referer HTTP header in a request to a… | |||
| CVE-2011-3981 | 0.00 | — | 0.10 | Oct 4, 2011 | PHP remote file inclusion vulnerability in actions.php in the Allwebmenus plugin 1.1.3 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the abspath parameter. | |||
| CVE-2011-3864 | 0.00 | — | 0.02 | Sep 28, 2011 | Cross-site scripting (XSS) vulnerability in the The Erudite theme before 2.7.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cpage parameter. | |||
| CVE-2011-3857 | 0.00 | — | 0.02 | Sep 28, 2011 | Cross-site scripting (XSS) vulnerability in the Antisnews theme before 1.10 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter. | |||
| CVE-2011-3854 | 0.00 | — | 0.02 | Sep 28, 2011 | Cross-site scripting (XSS) vulnerability in the ZenLite theme before 4.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter. | |||
| CVE-2011-3853 | 0.00 | — | 0.02 | Sep 28, 2011 | Cross-site scripting (XSS) vulnerability in the Hybrid theme before 0.10 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cpage parameter. | |||
| CVE-2011-3851 | 0.00 | — | 0.02 | Sep 28, 2011 | Cross-site scripting (XSS) vulnerability in the News theme before 0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cpage parameter. | |||
| CVE-2011-3818 | 0.00 | — | 0.02 | Sep 24, 2011 | WordPress 2.9.2 and 3.0.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by wp-admin/includes/user.php and certain other files. | |||
| CVE-2011-3130 | 0.00 | — | 0.02 | Aug 10, 2011 | wp-includes/taxonomy.php in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Taxonomy query hardening," possibly involving SQL injection. | |||
| CVE-2011-3129 | 0.00 | — | 0.02 | Aug 10, 2011 | The file upload functionality in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2, when running "on hosts with dangerous security settings," has unknown impact and attack vectors, possibly related to dangerous filenames. | |||
| CVE-2011-3128 | 0.00 | — | 0.02 | Aug 10, 2011 | WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 treats unattached attachments as published, which might allow remote attackers to obtain sensitive data via vectors related to wp-includes/post.php. | |||
| CVE-2011-3127 | 0.00 | — | 0.02 | Aug 10, 2011 | WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 does not prevent rendering for (1) admin or (2) login pages inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. | |||
| CVE-2011-3126 | 0.00 | — | 0.02 | Aug 10, 2011 | WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 allows remote attackers to determine usernames of non-authors via canonical redirects. | |||
| CVE-2011-3125 | 0.00 | — | 0.02 | Aug 10, 2011 | Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Various security hardening." | |||
| CVE-2011-3122 | 0.00 | — | 0.03 | Aug 10, 2011 | Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Media security." | |||
| CVE-2010-4779 | 0.00 | — | 0.02 | Apr 7, 2011 | Cross-site scripting (XSS) vulnerability in lib/includes/auth.inc.php in the WPtouch plugin 1.9.19.4 and 1.9.20 for WordPress allows remote attackers to inject arbitrary web script or HTML via the wptouch_settings parameter to include/adsense-new.php. NOTE: some of these… | |||
| CVE-2011-0760 | 0.00 | — | 0.01 | Mar 28, 2011 | Multiple cross-site request forgery (CSRF) vulnerabilities in the configuration screen in wp-relatedposts.php in the WP Related Posts plugin 1.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting… | |||
| CVE-2011-0759 | 0.00 | — | 0.01 | Mar 22, 2011 | Multiple cross-site request forgery (CSRF) vulnerabilities in the configuration page in the Recaptcha (aka WP-reCAPTCHA) plugin 2.9.8.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that disable the CAPTCHA requirement or insert… | |||
| CVE-2011-0701 | 0.00 | — | 0.03 | Mar 14, 2011 | wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2) private posts via a modified attachment_id parameter. | |||
| CVE-2011-0700 | 0.00 | — | 0.03 | Mar 14, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or post_title), (2) post_status, (3) comment_status, (4)… | |||
| CVE-2011-0641 | 0.00 | — | 0.02 | Jan 25, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/admin.php in the StatPressCN plugin 1.9.0 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) what1, (2) what2, (3) what3, (4) what4, and (5) what5 parameters. NOTE: the… | |||
| CVE-2010-4536 | 0.00 | — | 0.03 | Jan 3, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used in WordPress before 3.0.4, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the & (ampersand) character, (2) the case of an attribute name, (3) a padded entity, and (4)… | |||
| CVE-2010-4637 | 0.00 | — | 0.02 | Dec 30, 2010 | Cross-site scripting (XSS) vulnerability in feedlist/handler_image.php in the FeedList plugin 2.61.01 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter. | |||
| CVE-2010-4630 | 0.00 | — | 0.02 | Dec 30, 2010 | Cross-site scripting (XSS) vulnerability in pages/admin/surveys/create.php in the WP Survey And Quiz Tool plugin 1.2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter. | |||
| CVE-2010-4277 | 0.00 | — | 0.02 | Dec 22, 2010 | Cross-site scripting (XSS) vulnerability in lembedded-video.php in the Embedded Video plugin 4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the content parameter to wp-admin/post.php. | |||
| CVE-2010-4257 | 0.00 | — | 0.03 | Dec 7, 2010 | SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field. | |||
| CVE-2010-4403 | 0.00 | — | 0.02 | Dec 6, 2010 | The Register Plus plugin 3.5.1 and earlier for WordPress allows remote attackers to obtain sensitive information via a direct request to (1) dash_widget.php and (2) register-plus.php, which reveals the installation path in an error message. | |||
| CVE-2010-3423 | 0.00 | — | 0.01 | Sep 16, 2010 | SQL injection vulnerability in the Yr Weatherdata module for Drupal 6.x before 6.x-1.6 allows remote attackers to execute arbitrary SQL commands via the sorting method. | |||
| CVE-2010-0682 | 0.00 | — | 0.10 | Feb 23, 2010 | WordPress 2.9 before 2.9.2 allows remote authenticated users to read trash posts from other authors via a direct request with a modified p parameter. | |||
| CVE-2009-4169 | 0.00 | — | 0.02 | Dec 2, 2009 | Cross-site scripting (XSS) vulnerability in wp-cumulus.php in the WP-Cumulus Plug-in before 1.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2009-3891 | 0.00 | — | 0.02 | Nov 17, 2009 | Cross-site scripting (XSS) vulnerability in wp-admin/press-this.php in WordPress before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML via the s parameter (aka the selection variable). | |||
| CVE-2009-3890 | 0.00 | — | 0.08 | Nov 17, 2009 | Unrestricted file upload vulnerability in the wp_check_filetype function in wp-includes/functions.php in WordPress before 2.8.6, when a certain configuration of the mod_mime module in the Apache HTTP Server is enabled, allows remote authenticated users to execute arbitrary code… | |||
| CVE-2009-3622 | 0.00 | — | 0.06 | Oct 23, 2009 | Algorithmic complexity vulnerability in wp-trackback.php in WordPress before 2.8.5 allows remote attackers to cause a denial of service (CPU consumption and server hang) via a long title parameter in conjunction with a charset parameter composed of many comma-separated "UTF-8"… | |||
| CVE-2008-7175 | 0.00 | — | 0.01 | Sep 8, 2009 | Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in NextGEN Gallery 0.96 and earlier plugin for Wordpress allows remote attackers to inject arbitrary web script or HTML via the picture description field in a page edit action. | |||
| CVE-2009-2854 | 0.00 | — | 0.02 | Aug 18, 2009 | Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additions via a direct request to (1) edit-comments.php, (2) edit-pages.php, (3) edit.php, (4) edit-category-form.php, (5)… | |||
| CVE-2009-2853 | 0.00 | — | 0.05 | Aug 18, 2009 | Wordpress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6) edit-link-form.php, (7) edit-page-form.php, and… | |||
| CVE-2009-2851 | 0.00 | — | 0.08 | Aug 18, 2009 | Cross-site scripting (XSS) vulnerability in the administrator interface in WordPress before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via a comment author URL. | |||
| CVE-2009-2762 | 0.00 | — | 0.20 | Aug 13, 2009 | wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array. | |||
| CVE-2009-2432 | 0.00 | — | 0.03 | Jul 10, 2009 | WordPress and WordPress MU before 2.8.1 allow remote attackers to obtain sensitive information via a direct request to wp-settings.php, which reveals the installation path in an error message. |
- CVE-2011-4899Jan 30, 2012risk 0.00cvss —epss 0.09
wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via the dbhost and dbname parameters, and…
- CVE-2011-4898Jan 30, 2012risk 0.00cvss —epss 0.10
wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct…
- CVE-2012-0934Jan 29, 2012risk 0.00cvss —epss 0.08
PHP remote file inclusion vulnerability in ajax/savetag.php in the Theme Tuner plugin for WordPress before 0.8 allows remote attackers to execute arbitrary PHP code via a URL in the tt-abspath parameter.
- CVE-2012-0898Jan 20, 2012risk 0.00cvss —epss 0.03
Directory traversal vulnerability in meb_download.php in the myEASYbackup plugin 1.0.8.1 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dwn_file parameter.
- CVE-2012-0896Jan 20, 2012risk 0.00cvss —epss 0.25
Absolute path traversal vulnerability in download.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to read arbitrary files via the f parameter.
- CVE-2012-0895Jan 20, 2012risk 0.00cvss —epss 0.06
Cross-site scripting (XSS) vulnerability in map/map.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the map parameter.
- CVE-2012-0287Jan 6, 2012risk 0.00cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in wp-comments-post.php in WordPress 3.3.x before 3.3.1, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via the query string in a POST operation that is not properly handled by the…
- CVE-2011-5051Jan 4, 2012risk 0.00cvss —epss 0.04
Multiple unrestricted file upload vulnerabilities in the WP Symposium plugin before 11.12.24 for WordPress allow remote attackers to execute arbitrary code by uploading a file with an executable extension using (1) uploadify/upload_admin_avatar.php or (2)…
- CVE-2011-3841Dec 27, 2011risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in uploadify/get_profile_avatar.php in the WP Symposium plugin before 11.12.08 for WordPress allows remote attackers to inject arbitrary web script or HTML via the uid parameter.
- CVE-2011-4669Dec 2, 2011risk 0.00cvss —epss 0.02
SQL injection vulnerability in wp-users.php in WordPress Users plugin 1.3 and possibly earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the uid parameter to index.php.
- CVE-2011-4568Nov 29, 2011risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in view/frontend-head.php in the Flowplayer plugin before 1.2.12 for WordPress allows remote attackers to inject arbitrary web script or HTML via the URI.
- CVE-2011-4562Nov 28, 2011risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in (1) view/admin/log_item.php and (2) view/admin/log_item_details.php in the Redirection plugin 2.2.9 for WordPress allow remote attackers to inject arbitrary web script or HTML via the Referer HTTP header in a request to a…
- CVE-2011-3981Oct 4, 2011risk 0.00cvss —epss 0.10
PHP remote file inclusion vulnerability in actions.php in the Allwebmenus plugin 1.1.3 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the abspath parameter.
- CVE-2011-3864Sep 28, 2011risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the The Erudite theme before 2.7.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cpage parameter.
- CVE-2011-3857Sep 28, 2011risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the Antisnews theme before 1.10 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
- CVE-2011-3854Sep 28, 2011risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the ZenLite theme before 4.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
- CVE-2011-3853Sep 28, 2011risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the Hybrid theme before 0.10 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cpage parameter.
- CVE-2011-3851Sep 28, 2011risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the News theme before 0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cpage parameter.
- CVE-2011-3818Sep 24, 2011risk 0.00cvss —epss 0.02
WordPress 2.9.2 and 3.0.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by wp-admin/includes/user.php and certain other files.
- CVE-2011-3130Aug 10, 2011risk 0.00cvss —epss 0.02
wp-includes/taxonomy.php in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Taxonomy query hardening," possibly involving SQL injection.
- CVE-2011-3129Aug 10, 2011risk 0.00cvss —epss 0.02
The file upload functionality in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2, when running "on hosts with dangerous security settings," has unknown impact and attack vectors, possibly related to dangerous filenames.
- CVE-2011-3128Aug 10, 2011risk 0.00cvss —epss 0.02
WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 treats unattached attachments as published, which might allow remote attackers to obtain sensitive data via vectors related to wp-includes/post.php.
- CVE-2011-3127Aug 10, 2011risk 0.00cvss —epss 0.02
WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 does not prevent rendering for (1) admin or (2) login pages inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.
- CVE-2011-3126Aug 10, 2011risk 0.00cvss —epss 0.02
WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 allows remote attackers to determine usernames of non-authors via canonical redirects.
- CVE-2011-3125Aug 10, 2011risk 0.00cvss —epss 0.02
Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Various security hardening."
- CVE-2011-3122Aug 10, 2011risk 0.00cvss —epss 0.03
Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Media security."
- CVE-2010-4779Apr 7, 2011risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in lib/includes/auth.inc.php in the WPtouch plugin 1.9.19.4 and 1.9.20 for WordPress allows remote attackers to inject arbitrary web script or HTML via the wptouch_settings parameter to include/adsense-new.php. NOTE: some of these…
- CVE-2011-0760Mar 28, 2011risk 0.00cvss —epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in the configuration screen in wp-relatedposts.php in the WP Related Posts plugin 1.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting…
- CVE-2011-0759Mar 22, 2011risk 0.00cvss —epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in the configuration page in the Recaptcha (aka WP-reCAPTCHA) plugin 2.9.8.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that disable the CAPTCHA requirement or insert…
- CVE-2011-0701Mar 14, 2011risk 0.00cvss —epss 0.03
wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2) private posts via a modified attachment_id parameter.
- CVE-2011-0700Mar 14, 2011risk 0.00cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or post_title), (2) post_status, (3) comment_status, (4)…
- CVE-2011-0641Jan 25, 2011risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/admin.php in the StatPressCN plugin 1.9.0 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) what1, (2) what2, (3) what3, (4) what4, and (5) what5 parameters. NOTE: the…
- CVE-2010-4536Jan 3, 2011risk 0.00cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used in WordPress before 3.0.4, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the & (ampersand) character, (2) the case of an attribute name, (3) a padded entity, and (4)…
- CVE-2010-4637Dec 30, 2010risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in feedlist/handler_image.php in the FeedList plugin 2.61.01 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.
- CVE-2010-4630Dec 30, 2010risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in pages/admin/surveys/create.php in the WP Survey And Quiz Tool plugin 1.2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter.
- CVE-2010-4277Dec 22, 2010risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in lembedded-video.php in the Embedded Video plugin 4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the content parameter to wp-admin/post.php.
- CVE-2010-4257Dec 7, 2010risk 0.00cvss —epss 0.03
SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field.
- CVE-2010-4403Dec 6, 2010risk 0.00cvss —epss 0.02
The Register Plus plugin 3.5.1 and earlier for WordPress allows remote attackers to obtain sensitive information via a direct request to (1) dash_widget.php and (2) register-plus.php, which reveals the installation path in an error message.
- CVE-2010-3423Sep 16, 2010risk 0.00cvss —epss 0.01
SQL injection vulnerability in the Yr Weatherdata module for Drupal 6.x before 6.x-1.6 allows remote attackers to execute arbitrary SQL commands via the sorting method.
- CVE-2010-0682Feb 23, 2010risk 0.00cvss —epss 0.10
WordPress 2.9 before 2.9.2 allows remote authenticated users to read trash posts from other authors via a direct request with a modified p parameter.
- CVE-2009-4169Dec 2, 2009risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in wp-cumulus.php in the WP-Cumulus Plug-in before 1.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2009-3891Nov 17, 2009risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in wp-admin/press-this.php in WordPress before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML via the s parameter (aka the selection variable).
- CVE-2009-3890Nov 17, 2009risk 0.00cvss —epss 0.08
Unrestricted file upload vulnerability in the wp_check_filetype function in wp-includes/functions.php in WordPress before 2.8.6, when a certain configuration of the mod_mime module in the Apache HTTP Server is enabled, allows remote authenticated users to execute arbitrary code…
- CVE-2009-3622Oct 23, 2009risk 0.00cvss —epss 0.06
Algorithmic complexity vulnerability in wp-trackback.php in WordPress before 2.8.5 allows remote attackers to cause a denial of service (CPU consumption and server hang) via a long title parameter in conjunction with a charset parameter composed of many comma-separated "UTF-8"…
- CVE-2008-7175Sep 8, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in NextGEN Gallery 0.96 and earlier plugin for Wordpress allows remote attackers to inject arbitrary web script or HTML via the picture description field in a page edit action.
- CVE-2009-2854Aug 18, 2009risk 0.00cvss —epss 0.02
Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additions via a direct request to (1) edit-comments.php, (2) edit-pages.php, (3) edit.php, (4) edit-category-form.php, (5)…
- CVE-2009-2853Aug 18, 2009risk 0.00cvss —epss 0.05
Wordpress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6) edit-link-form.php, (7) edit-page-form.php, and…
- CVE-2009-2851Aug 18, 2009risk 0.00cvss —epss 0.08
Cross-site scripting (XSS) vulnerability in the administrator interface in WordPress before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via a comment author URL.
- CVE-2009-2762Aug 13, 2009risk 0.00cvss —epss 0.20
wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array.
- CVE-2009-2432Jul 10, 2009risk 0.00cvss —epss 0.03
WordPress and WordPress MU before 2.8.1 allow remote attackers to obtain sensitive information via a direct request to wp-settings.php, which reveals the installation path in an error message.
Page 652 of 655