Vendor CVEs
WordPress
All CVEs
33,183 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2008-0615 | 0.00 | — | 0.03 | Feb 6, 2008 | Directory traversal vulnerability in wp-admin/admin.php in the DMSGuestbook 1.8.0 and 1.7.0 plugin for WordPress allows remote authenticated users to read arbitrary files via a .. (dot dot) in the (1) folder and (2) file parameters. | |||
| CVE-2008-0618 | 0.00 | — | 0.02 | Feb 6, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in the DMSGuestbook 1.8.0 and 1.7.0 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) gbname, (2) gbemail, (3) gburl, and (4) gbmsg parameters to unspecified programs. NOTE: the… | |||
| CVE-2008-0560 | 0.00 | — | 0.02 | Feb 4, 2008 | PHP remote file inclusion vulnerability in cforms-css.php in Oliver Seidel cforms (contactforms), a Wordpress plugin, allows remote attackers to execute arbitrary PHP code via a URL in the tm parameter. NOTE: CVE disputes this issue for 7.3, since there is no tm parameter, and… | |||
| CVE-2008-0508 | 0.00 | — | 0.01 | Jan 31, 2008 | Cross-site request forgery (CSRF) vulnerability in deans_permalinks_migration.php in the Dean's Permalinks Migration 1.0 plugin for WordPress allows remote attackers to modify the oldstructure (aka dean_pm_config[oldstructure]) configuration setting as administrators via the… | |||
| CVE-2008-0194 | 0.00 | — | 0.04 | Jan 10, 2008 | Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a .. (dot dot) in the backup parameter in a wp-db-backup.php action to… | |||
| CVE-2008-0192 | 0.00 | — | 0.05 | Jan 10, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the popuptitle parameter to (1) wp-admin/post.php or (2) wp-admin/page-new.php. | |||
| CVE-2007-6677 | 0.00 | — | 0.01 | Jan 10, 2008 | Cross-site scripting (XSS) vulnerability in Peter's Random Anti-Spam Image 0.2.4 and earlier plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the comment field in the comment form. | |||
| CVE-2008-0195 | 0.00 | — | 0.03 | Jan 10, 2008 | WordPress 2.0.11 and earlier allows remote attackers to obtain sensitive information via an empty value of the page parameter to certain PHP scripts under wp-admin/, which reveals the path in various error messages. | |||
| CVE-2008-0196 | 0.00 | — | 0.03 | Jan 10, 2008 | Multiple directory traversal vulnerabilities in WordPress 2.0.11 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the page parameter to certain PHP scripts under wp-admin/ or (2) the import parameter to wp-admin/admin.php, as demonstrated by… | |||
| CVE-2008-0197 | 0.00 | — | 0.02 | Jan 10, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in wp-contact-form/options-contactform.php in the WP-ContactForm 1.5 alpha and earlier plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) wpcf_email, (2) wpcf_subject, (3)… | |||
| CVE-2008-0198 | 0.00 | — | 0.01 | Jan 10, 2008 | Multiple cross-site request forgery (CSRF) vulnerabilities in wp-contact-form/options-contactform.php in the WP-ContactForm 1.5 alpha and earlier plugin for WordPress allow remote attackers to perform actions as administrators via the (1) wpcf_question, (2) wpcf_success_msg, or… | |||
| CVE-2008-0203 | 0.00 | — | 0.02 | Jan 10, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in cryptographp/admin.php in the Cryptographp 1.2 and earlier plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) cryptwidth, (2) cryptheight, (3) bgimg, (4) charR, (5) charG, (6)… | |||
| CVE-2008-0204 | 0.00 | — | 0.02 | Jan 10, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in math-comment-spam-protection.php in the Math Comment Spam Protection 2.1 and earlier plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) mcsp_opt_msg_no_answer or (2)… | |||
| CVE-2008-0205 | 0.00 | — | 0.02 | Jan 10, 2008 | Multiple cross-site request forgery (CSRF) vulnerabilities in math-comment-spam-protection.php in the Math Comment Spam Protection 2.1 and earlier plugin for WordPress allow remote attackers to perform actions as administrators via the (1) mcsp_opt_msg_no_answer or (2)… | |||
| CVE-2008-0206 | 0.00 | — | 0.02 | Jan 10, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in captcha\captcha.php in the Captcha! 2.5d and earlier plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) captcha_ttffolder, (2) captcha_numchars, (3) captcha_ttfrange, or (4)… | |||
| CVE-2008-0191 | 0.00 | — | 0.03 | Jan 10, 2008 | WordPress 2.2.x and 2.3.x allows remote attackers to obtain sensitive information via an invalid p parameter in an rss2 action to the default URI, which reveals the full path and the SQL database structure. | |||
| CVE-2007-5105 | 0.00 | — | 0.04 | Sep 26, 2007 | Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 and 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the user_email parameter. | |||
| CVE-2007-5106 | 0.00 | — | 0.02 | Sep 26, 2007 | Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 allows remote attackers to inject arbitrary web script or HTML via the user_login parameter. | |||
| CVE-2007-4893 | 0.00 | — | 0.02 | Sep 14, 2007 | wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a does not properly verify the unfiltered_html privilege, which allows remote attackers to conduct cross-site scripting (XSS) attacks via modified data to (1) post.php or (2)… | |||
| CVE-2007-4894 | 0.00 | — | 0.04 | Sep 14, 2007 | Multiple SQL injection vulnerabilities in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a allow remote attackers to execute arbitrary SQL commands via the post_type parameter to the pingback.extensions.getPingbacks method in the XMLRPC interface, and other… | |||
| CVE-2007-4544 | 0.00 | — | 0.01 | Aug 27, 2007 | Cross-site scripting (XSS) vulnerability in wp-newblog.php in WordPress multi-user (MU) 1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the weblog_id parameter (Username field). | |||
| CVE-2007-4483 | 0.00 | — | 0.02 | Aug 22, 2007 | Cross-site scripting (XSS) vulnerability in index.php in the WordPress Classic 1.5 theme in WordPress before 2.1.3 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF). | |||
| CVE-2007-4481 | 0.00 | — | 0.02 | Aug 22, 2007 | Cross-site scripting (XSS) vulnerability in index.php in the (1) Blix 0.9.1 and (2) Blix 0.9.1 Rus themes for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF). | |||
| CVE-2007-4480 | 0.00 | — | 0.02 | Aug 22, 2007 | Cross-site scripting (XSS) vulnerability in index.php in the Sirius 1.0 theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF). | |||
| CVE-2007-4166 | 0.00 | — | 0.02 | Aug 7, 2007 | Cross-site scripting (XSS) vulnerability in index.php in the Unnamed theme 1.217, and Special Edition (SE) 1.02, before 20070804 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter, possibly a related issue to CVE-2007-2757,… | |||
| CVE-2007-4165 | 0.00 | — | 0.03 | Aug 7, 2007 | Cross-site scripting (XSS) vulnerability in index.php in the Blue Memories theme 1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter, possibly a related issue to CVE-2007-2757 and CVE-2007-4014. NOTE: the provenance of this… | |||
| CVE-2007-4154 | 0.00 | — | 0.02 | Aug 3, 2007 | SQL injection vulnerability in options.php in WordPress 2.2.1 allows remote authenticated administrators to execute arbitrary SQL commands via the page_options parameter to (1) options-general.php, (2) options-writing.php, (3) options-reading.php, (4) options-discussion.php, (5)… | |||
| CVE-2007-4153 | 0.00 | — | 0.02 | Aug 3, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.2.1 allow remote authenticated administrators to inject arbitrary web script or HTML via (1) the Options Database Table in the Admin Panel, accessed through options.php; or (2) the opml_url parameter to… | |||
| CVE-2007-4139 | 0.00 | — | 0.02 | Aug 3, 2007 | Cross-site scripting (XSS) vulnerability in the Temporary Uploads editing functionality (wp-admin/includes/upload.php) in WordPress 2.2.1, allows remote attackers to inject arbitrary web script or HTML via the style parameter to wp-admin/upload.php. | |||
| CVE-2007-4014 | 0.00 | — | 0.03 | Jul 26, 2007 | Cross-site scripting (XSS) vulnerability in a certain index.php installation script related to the (1) Blix 0.9.1, (2) Blixed 1.0, and (3) BlixKrieg (Blix Krieg) 2.2 themes for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter, possibly… | |||
| CVE-2007-3639 | 0.00 | — | 0.02 | Jul 10, 2007 | WordPress before 2.2.2 allows remote attackers to redirect visitors to other websites and potentially obtain sensitive information via (1) the _wp_http_referer parameter to wp-pass.php, related to the wp_get_referer function in wp-includes/functions.php; and possibly other… | |||
| CVE-2007-3543 | 0.00 | — | 0.02 | Jul 3, 2007 | Unrestricted file upload vulnerability in WordPress before 2.2.1 and WordPress MU before 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code by making a post that specifies a .php filename in the _wp_attached_file metadata field; and then sending… | |||
| CVE-2007-3544 | 0.00 | — | 0.02 | Jul 3, 2007 | Unrestricted file upload vulnerability in (1) wp-app.php and (2) app.php in WordPress 2.2.1 and WordPress MU 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code via unspecified vectors, possibly related to the wp_postmeta table and the use of custom… | |||
| CVE-2007-3238 | 0.00 | — | 0.02 | Jun 15, 2007 | Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress 2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php, a different vulnerability than CVE-2007-1622.… | |||
| CVE-2007-3241 | 0.00 | — | 0.02 | Jun 15, 2007 | Cross-site scripting (XSS) vulnerability in blogroll.php in the cordobo-green-park theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI. | |||
| CVE-2007-3239 | 0.00 | — | 0.03 | Jun 15, 2007 | Cross-site scripting (XSS) vulnerability in searchform.php in the AndyBlue theme before 20070607 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI to index.php. NOTE: this can be leveraged for PHP code execution in an… | |||
| CVE-2007-3240 | 0.00 | — | 0.03 | Jun 15, 2007 | Cross-site scripting (XSS) vulnerability in 404.php in the Vistered-Little theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the URI (REQUEST_URI) that accesses index.php. NOTE: this can be leveraged for PHP code execution in an… | |||
| CVE-2007-2828 | 0.00 | — | 0.02 | May 22, 2007 | Cross-site request forgery (CSRF) vulnerability in adsense-deluxe.php in the AdSense-Deluxe 0.x plugin for WordPress allows remote attackers to perform unspecified actions as arbitrary users via unspecified vectors. | |||
| CVE-2007-2627 | 0.00 | — | 0.02 | May 11, 2007 | Cross-site scripting (XSS) vulnerability in sidebar.php in WordPress, when custom 404 pages that call get_sidebar are used, allows remote attackers to inject arbitrary web script or HTML via the query string (PHP_SELF), a different vulnerability than CVE-2007-1622. | |||
| CVE-2007-1893 | 0.00 | — | 0.01 | Apr 9, 2007 | xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users with the contributor role to bypass intended access restrictions and invoke the publish_posts functionality, which can be used to "publish a previously saved post." | |||
| CVE-2007-1894 | 0.00 | — | 0.03 | Apr 9, 2007 | Cross-site scripting (XSS) vulnerability in wp-includes/general-template.php in WordPress before 20070309 allows remote attackers to inject arbitrary web script or HTML via the year parameter in the wp_title function. | |||
| CVE-2007-1897 | 0.00 | — | 0.07 | Apr 9, 2007 | SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute arbitrary SQL commands via a string parameter value in an XML RPC mt.setPostCategories method call, related to the post_id variable. | |||
| CVE-2007-1732 | 0.00 | — | 0.02 | Mar 28, 2007 | Cross-site scripting (XSS) vulnerability in an mt import in wp-admin/admin.php in WordPress 2.1.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the demo parameter. NOTE: the provenance of this information is unknown; the details are… | |||
| CVE-2007-1622 | 0.00 | — | 0.06 | Mar 23, 2007 | Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series, allows remote authenticated users with theme privileges to inject arbitrary web script or HTML via the PATH_INFO in the administration interface,… | |||
| CVE-2007-1599 | 0.00 | — | 0.02 | Mar 22, 2007 | wp-login.php in WordPress allows remote attackers to redirect authenticated users to other websites and potentially obtain sensitive information via the redirect_to parameter. | |||
| CVE-2007-1409 | 0.00 | — | 0.02 | Mar 10, 2007 | WordPress allows remote attackers to obtain sensitive information via a direct request for wp-admin/admin-functions.php, which reveals the path in an error message. | |||
| CVE-2006-7124 | 0.00 | — | 0.02 | Mar 6, 2007 | PHP remote file inclusion vulnerability in external/rssfeeds.php in BSQ Sitestats (component for Joomla) 1.8.0, and possibly other versions before 2.2.1, allows remote attackers to execute arbitrary PHP code via the baseDir parameter. | |||
| CVE-2007-1244 | 0.00 | — | 0.07 | Mar 3, 2007 | Cross-site request forgery (CSRF) vulnerability in the AdminPanel in WordPress 2.1.1 and earlier allows remote attackers to perform privileged actions as administrators, as demonstrated using the delete action in wp-admin/post.php. NOTE: this issue can be leveraged to perform… | |||
| CVE-2007-1230 | 0.00 | — | 0.02 | Mar 2, 2007 | Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/functions.php in WordPress before 2.1.2-alpha allow remote attackers to inject arbitrary web script or HTML via (1) the Referer HTTP header or (2) the URI, a different vulnerability than CVE-2007-1049. | |||
| CVE-2007-1049 | 0.00 | — | 0.06 | Feb 21, 2007 | Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before 2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the file parameter to… |
- CVE-2008-0615Feb 6, 2008risk 0.00cvss —epss 0.03
Directory traversal vulnerability in wp-admin/admin.php in the DMSGuestbook 1.8.0 and 1.7.0 plugin for WordPress allows remote authenticated users to read arbitrary files via a .. (dot dot) in the (1) folder and (2) file parameters.
- CVE-2008-0618Feb 6, 2008risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the DMSGuestbook 1.8.0 and 1.7.0 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) gbname, (2) gbemail, (3) gburl, and (4) gbmsg parameters to unspecified programs. NOTE: the…
- CVE-2008-0560Feb 4, 2008risk 0.00cvss —epss 0.02
PHP remote file inclusion vulnerability in cforms-css.php in Oliver Seidel cforms (contactforms), a Wordpress plugin, allows remote attackers to execute arbitrary PHP code via a URL in the tm parameter. NOTE: CVE disputes this issue for 7.3, since there is no tm parameter, and…
- CVE-2008-0508Jan 31, 2008risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in deans_permalinks_migration.php in the Dean's Permalinks Migration 1.0 plugin for WordPress allows remote attackers to modify the oldstructure (aka dean_pm_config[oldstructure]) configuration setting as administrators via the…
- CVE-2008-0194Jan 10, 2008risk 0.00cvss —epss 0.04
Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a .. (dot dot) in the backup parameter in a wp-db-backup.php action to…
- CVE-2008-0192Jan 10, 2008risk 0.00cvss —epss 0.05
Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the popuptitle parameter to (1) wp-admin/post.php or (2) wp-admin/page-new.php.
- CVE-2007-6677Jan 10, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in Peter's Random Anti-Spam Image 0.2.4 and earlier plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the comment field in the comment form.
- CVE-2008-0195Jan 10, 2008risk 0.00cvss —epss 0.03
WordPress 2.0.11 and earlier allows remote attackers to obtain sensitive information via an empty value of the page parameter to certain PHP scripts under wp-admin/, which reveals the path in various error messages.
- CVE-2008-0196Jan 10, 2008risk 0.00cvss —epss 0.03
Multiple directory traversal vulnerabilities in WordPress 2.0.11 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the page parameter to certain PHP scripts under wp-admin/ or (2) the import parameter to wp-admin/admin.php, as demonstrated by…
- CVE-2008-0197Jan 10, 2008risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in wp-contact-form/options-contactform.php in the WP-ContactForm 1.5 alpha and earlier plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) wpcf_email, (2) wpcf_subject, (3)…
- CVE-2008-0198Jan 10, 2008risk 0.00cvss —epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in wp-contact-form/options-contactform.php in the WP-ContactForm 1.5 alpha and earlier plugin for WordPress allow remote attackers to perform actions as administrators via the (1) wpcf_question, (2) wpcf_success_msg, or…
- CVE-2008-0203Jan 10, 2008risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in cryptographp/admin.php in the Cryptographp 1.2 and earlier plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) cryptwidth, (2) cryptheight, (3) bgimg, (4) charR, (5) charG, (6)…
- CVE-2008-0204Jan 10, 2008risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in math-comment-spam-protection.php in the Math Comment Spam Protection 2.1 and earlier plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) mcsp_opt_msg_no_answer or (2)…
- CVE-2008-0205Jan 10, 2008risk 0.00cvss —epss 0.02
Multiple cross-site request forgery (CSRF) vulnerabilities in math-comment-spam-protection.php in the Math Comment Spam Protection 2.1 and earlier plugin for WordPress allow remote attackers to perform actions as administrators via the (1) mcsp_opt_msg_no_answer or (2)…
- CVE-2008-0206Jan 10, 2008risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in captcha\captcha.php in the Captcha! 2.5d and earlier plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) captcha_ttffolder, (2) captcha_numchars, (3) captcha_ttfrange, or (4)…
- CVE-2008-0191Jan 10, 2008risk 0.00cvss —epss 0.03
WordPress 2.2.x and 2.3.x allows remote attackers to obtain sensitive information via an invalid p parameter in an rss2 action to the default URI, which reveals the full path and the SQL database structure.
- CVE-2007-5105Sep 26, 2007risk 0.00cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 and 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the user_email parameter.
- CVE-2007-5106Sep 26, 2007risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 allows remote attackers to inject arbitrary web script or HTML via the user_login parameter.
- CVE-2007-4893Sep 14, 2007risk 0.00cvss —epss 0.02
wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a does not properly verify the unfiltered_html privilege, which allows remote attackers to conduct cross-site scripting (XSS) attacks via modified data to (1) post.php or (2)…
- CVE-2007-4894Sep 14, 2007risk 0.00cvss —epss 0.04
Multiple SQL injection vulnerabilities in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a allow remote attackers to execute arbitrary SQL commands via the post_type parameter to the pingback.extensions.getPingbacks method in the XMLRPC interface, and other…
- CVE-2007-4544Aug 27, 2007risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in wp-newblog.php in WordPress multi-user (MU) 1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the weblog_id parameter (Username field).
- CVE-2007-4483Aug 22, 2007risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in index.php in the WordPress Classic 1.5 theme in WordPress before 2.1.3 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF).
- CVE-2007-4481Aug 22, 2007risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in index.php in the (1) Blix 0.9.1 and (2) Blix 0.9.1 Rus themes for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF).
- CVE-2007-4480Aug 22, 2007risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in index.php in the Sirius 1.0 theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF).
- CVE-2007-4166Aug 7, 2007risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in index.php in the Unnamed theme 1.217, and Special Edition (SE) 1.02, before 20070804 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter, possibly a related issue to CVE-2007-2757,…
- CVE-2007-4165Aug 7, 2007risk 0.00cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in index.php in the Blue Memories theme 1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter, possibly a related issue to CVE-2007-2757 and CVE-2007-4014. NOTE: the provenance of this…
- CVE-2007-4154Aug 3, 2007risk 0.00cvss —epss 0.02
SQL injection vulnerability in options.php in WordPress 2.2.1 allows remote authenticated administrators to execute arbitrary SQL commands via the page_options parameter to (1) options-general.php, (2) options-writing.php, (3) options-reading.php, (4) options-discussion.php, (5)…
- CVE-2007-4153Aug 3, 2007risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.2.1 allow remote authenticated administrators to inject arbitrary web script or HTML via (1) the Options Database Table in the Admin Panel, accessed through options.php; or (2) the opml_url parameter to…
- CVE-2007-4139Aug 3, 2007risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the Temporary Uploads editing functionality (wp-admin/includes/upload.php) in WordPress 2.2.1, allows remote attackers to inject arbitrary web script or HTML via the style parameter to wp-admin/upload.php.
- CVE-2007-4014Jul 26, 2007risk 0.00cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in a certain index.php installation script related to the (1) Blix 0.9.1, (2) Blixed 1.0, and (3) BlixKrieg (Blix Krieg) 2.2 themes for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter, possibly…
- CVE-2007-3639Jul 10, 2007risk 0.00cvss —epss 0.02
WordPress before 2.2.2 allows remote attackers to redirect visitors to other websites and potentially obtain sensitive information via (1) the _wp_http_referer parameter to wp-pass.php, related to the wp_get_referer function in wp-includes/functions.php; and possibly other…
- CVE-2007-3543Jul 3, 2007risk 0.00cvss —epss 0.02
Unrestricted file upload vulnerability in WordPress before 2.2.1 and WordPress MU before 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code by making a post that specifies a .php filename in the _wp_attached_file metadata field; and then sending…
- CVE-2007-3544Jul 3, 2007risk 0.00cvss —epss 0.02
Unrestricted file upload vulnerability in (1) wp-app.php and (2) app.php in WordPress 2.2.1 and WordPress MU 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code via unspecified vectors, possibly related to the wp_postmeta table and the use of custom…
- CVE-2007-3238Jun 15, 2007risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress 2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php, a different vulnerability than CVE-2007-1622.…
- CVE-2007-3241Jun 15, 2007risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in blogroll.php in the cordobo-green-park theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI.
- CVE-2007-3239Jun 15, 2007risk 0.00cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in searchform.php in the AndyBlue theme before 20070607 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI to index.php. NOTE: this can be leveraged for PHP code execution in an…
- CVE-2007-3240Jun 15, 2007risk 0.00cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in 404.php in the Vistered-Little theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the URI (REQUEST_URI) that accesses index.php. NOTE: this can be leveraged for PHP code execution in an…
- CVE-2007-2828May 22, 2007risk 0.00cvss —epss 0.02
Cross-site request forgery (CSRF) vulnerability in adsense-deluxe.php in the AdSense-Deluxe 0.x plugin for WordPress allows remote attackers to perform unspecified actions as arbitrary users via unspecified vectors.
- CVE-2007-2627May 11, 2007risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in sidebar.php in WordPress, when custom 404 pages that call get_sidebar are used, allows remote attackers to inject arbitrary web script or HTML via the query string (PHP_SELF), a different vulnerability than CVE-2007-1622.
- CVE-2007-1893Apr 9, 2007risk 0.00cvss —epss 0.01
xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users with the contributor role to bypass intended access restrictions and invoke the publish_posts functionality, which can be used to "publish a previously saved post."
- CVE-2007-1894Apr 9, 2007risk 0.00cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in wp-includes/general-template.php in WordPress before 20070309 allows remote attackers to inject arbitrary web script or HTML via the year parameter in the wp_title function.
- CVE-2007-1897Apr 9, 2007risk 0.00cvss —epss 0.07
SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute arbitrary SQL commands via a string parameter value in an XML RPC mt.setPostCategories method call, related to the post_id variable.
- CVE-2007-1732Mar 28, 2007risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in an mt import in wp-admin/admin.php in WordPress 2.1.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the demo parameter. NOTE: the provenance of this information is unknown; the details are…
- CVE-2007-1622Mar 23, 2007risk 0.00cvss —epss 0.06
Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series, allows remote authenticated users with theme privileges to inject arbitrary web script or HTML via the PATH_INFO in the administration interface,…
- CVE-2007-1599Mar 22, 2007risk 0.00cvss —epss 0.02
wp-login.php in WordPress allows remote attackers to redirect authenticated users to other websites and potentially obtain sensitive information via the redirect_to parameter.
- CVE-2007-1409Mar 10, 2007risk 0.00cvss —epss 0.02
WordPress allows remote attackers to obtain sensitive information via a direct request for wp-admin/admin-functions.php, which reveals the path in an error message.
- CVE-2006-7124Mar 6, 2007risk 0.00cvss —epss 0.02
PHP remote file inclusion vulnerability in external/rssfeeds.php in BSQ Sitestats (component for Joomla) 1.8.0, and possibly other versions before 2.2.1, allows remote attackers to execute arbitrary PHP code via the baseDir parameter.
- CVE-2007-1244Mar 3, 2007risk 0.00cvss —epss 0.07
Cross-site request forgery (CSRF) vulnerability in the AdminPanel in WordPress 2.1.1 and earlier allows remote attackers to perform privileged actions as administrators, as demonstrated using the delete action in wp-admin/post.php. NOTE: this issue can be leveraged to perform…
- CVE-2007-1230Mar 2, 2007risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/functions.php in WordPress before 2.1.2-alpha allow remote attackers to inject arbitrary web script or HTML via (1) the Referer HTTP header or (2) the URI, a different vulnerability than CVE-2007-1049.
- CVE-2007-1049Feb 21, 2007risk 0.00cvss —epss 0.06
Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before 2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the file parameter to…
Page 663 of 664