VYPR

Vendor CVEs

WordPress

All CVEs

33,183 total · sorted by risk
  • CVE-2007-0540Jan 29, 2007
    risk 0.00cvss epss 0.07

    WordPress allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a file with a binary content type, which is downloaded even though it cannot contain usable pingback data.

  • CVE-2007-0541Jan 29, 2007
    risk 0.00cvss epss 0.03

    WordPress allows remote attackers to determine the existence of arbitrary files, and possibly read portions of certain files, via pingback service calls with a source URI that corresponds to a local pathname, which triggers different fault codes for existing and non-existing…

  • CVE-2007-0539Jan 29, 2007
    risk 0.00cvss epss 0.03

    The wp_remote_fopen function in WordPress before 2.1 allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a large file, which triggers a long download session without a timeout…

  • CVE-2007-0262Jan 16, 2007
    risk 0.00cvss epss 0.02

    WordPress 2.0.6, and 2.1Alpha 3 (SVN:4662), does not properly verify that the m parameter value has the string data type, which allows remote attackers to obtain sensitive information via an invalid m[] parameter, as demonstrated by obtaining the path, and obtaining certain SQL…

  • CVE-2007-0106Jan 9, 2007
    risk 0.00cvss epss 0.03

    Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via a CSRF attack with an invalid token and quote characters or HTML tags in URL variable names, which are not properly…

  • CVE-2007-0109Jan 9, 2007
    risk 0.00cvss epss 0.03

    wp-login.php in WordPress 2.0.5 and earlier displays different error messages if a user exists or not, which allows remote attackers to obtain sensitive information and facilitates brute force attacks.

  • CVE-2007-0107Jan 9, 2007
    risk 0.00cvss epss 0.07

    WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using…

  • CVE-2006-6808Dec 28, 2006
    risk 0.00cvss epss 0.07

    Cross-site scripting (XSS) vulnerability in wp-admin/templates.php in WordPress 2.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. NOTE: some sources have reported this as a vulnerability in the get_file_description function in…

  • CVE-2006-5705Nov 4, 2006
    risk 0.00cvss epss 0.03

    Multiple directory traversal vulnerabilities in plugins/wp-db-backup.php in WordPress before 2.0.5 allow remote authenticated users to read or overwrite arbitrary files via directory traversal sequences in the (1) backup and (2) fragment parameters in a GET request.

  • CVE-2006-5194Oct 10, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in index.php in net2ftp 0.93 allows remote attackers to inject arbitrary web script or HTML via the username parameter. NOTE: some of these details are obtained from third party information.

  • CVE-2006-4743Sep 13, 2006
    risk 0.00cvss epss 0.02

    WordPress 2.0.2 through 2.0.5 allows remote attackers to obtain sensitive information via a direct request for (1) 404.php, (2) akismet.php, (3) archive.php, (4) archives.php, (5) attachment.php, (6) blogger.php, (7) comments.php, (8) comments-popup.php, (9) dotclear.php, (10)…

  • CVE-2006-4028Aug 9, 2006
    risk 0.00cvss epss 0.04

    Multiple unspecified vulnerabilities in WordPress before 2.0.4 have unknown impact and remote attack vectors. NOTE: due to lack of details, it is not clear how these issues are different from CVE-2006-3389 and CVE-2006-3390, although it is likely that 2.0.4 addresses an…

  • CVE-2006-3390Jul 6, 2006
    risk 0.00cvss epss 0.03

    WordPress 2.0.3 allows remote attackers to obtain the installation path via a direct request to various files, such as those in the (1) wp-admin, (2) wp-content, and (3) wp-includes directories, possibly due to uninitialized variables.

  • CVE-2006-3389Jul 6, 2006
    risk 0.00cvss epss 0.03

    index.php in WordPress 2.0.3 allows remote attackers to obtain sensitive information, such as SQL table prefixes, via an invalid paged parameter, which displays the information in an SQL error message. NOTE: this issue has been disputed by a third party who states that the…

  • CVE-2006-2702May 31, 2006
    risk 0.00cvss epss 0.03

    vars.php in WordPress 2.0.2, possibly when running on Mac OS X, allows remote attackers to spoof their IP address via a PC_REMOTE_ADDR HTTP header, which vars.php uses to redefine $_SERVER['REMOTE_ADDR'].

  • CVE-2006-2667May 30, 2006
    risk 0.00cvss epss 0.15

    Direct static code injection vulnerability in WordPress 2.0.2 and earlier allows remote attackers to execute arbitrary commands by inserting a carriage return and PHP code when updating a profile, which is appended after a special comment sequence into files in (1)…

  • CVE-2006-1796Apr 17, 2006
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in the paging links functionality in template-functions-links.php in Wordpress 1.5.2, and possibly other versions before 2.0.1, allows remote attackers to inject arbitrary web script or HTML to Internet Explorer users via the request URI…

  • CVE-2006-1263Mar 19, 2006
    risk 0.00cvss epss 0.02

    Multiple "unannounced" cross-site scripting (XSS) vulnerabilities in WordPress before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors.

  • CVE-2006-1012Mar 6, 2006
    risk 0.00cvss epss 0.03

    SQL injection vulnerability in WordPress 1.5.2, and possibly other versions before 2.0, allows remote attackers to execute arbitrary SQL commands via the User-Agent field in an HTTP header for a comment.

  • CVE-2006-0985Mar 3, 2006
    risk 0.00cvss epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in the "post comment" functionality of WordPress 2.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) website, and (3) comment parameters.

  • CVE-2006-0986Mar 3, 2006
    risk 0.00cvss epss 0.03

    WordPress 2.0.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) default-filters.php, (2) template-loader.php, (3) rss-functions.php, (4) locale.php, (5) wp-db.php, and (6) kses.php in the wp-includes/ directory; and (7)…

  • CVE-2005-4463Dec 21, 2005
    risk 0.00cvss epss 0.03

    WordPress before 1.5.2 allows remote attackers to obtain sensitive information via a direct request to (1) wp-includes/vars.php, (2) wp-content/plugins/hello.php, (3) wp-admin/upgrade-functions.php, (4) wp-admin/edit-form.php, (5) wp-settings.php, and (6)…

  • CVE-2005-2612Aug 17, 2005
    risk 0.00cvss epss 0.39

    Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_lastpostdate[server] cookie.

  • CVE-2005-2107Jul 5, 2005
    risk 0.00cvss epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in post.php in WordPress 1.5.1.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) p or (2) comment parameter.

  • CVE-2005-2109Jul 5, 2005
    risk 0.00cvss epss 0.03

    wp-login.php in WordPress 1.5.1.2 and earlier allows remote attackers to change the content of the forgotten password e-mail message via the message variable, which is not initialized before use.

  • CVE-2005-2110Jul 5, 2005
    risk 0.00cvss epss 0.03

    WordPress 1.5.1.2 and earlier allows remote attackers to obtain sensitive information via (1) a direct request to menu-header.php or a "1" value in the feed parameter to (2) wp-atom.php, (3) wp-rss.php, or (4) wp-rss2.php, which reveal the path in an error message. NOTE: vector…

  • CVE-2005-1810Jun 1, 2005
    risk 0.00cvss epss 0.03

    SQL injection vulnerability in template-functions-category.php in WordPress 1.5.1 allows remote attackers to execute arbitrary SQL commands via the $cat_ID variable, as demonstrated using the cat parameter to index.php.

  • CVE-2005-1687May 20, 2005
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in wp-trackback.php in Wordpress 1.5 and earlier allows remote attackers to execute arbitrary SQL commands via the tb_id parameter.

  • CVE-2005-1102May 2, 2005
    risk 0.00cvss epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in template-functions-post.php in WordPress 1.5 and earlier allow remote attackers to execute arbitrary commands via the (1) content or (2) title of the post.

  • CVE-2004-1431Dec 31, 2004
    risk 0.00cvss epss 0.02

    FormMail.php 5.0, and possibly other versions, allows remote attackers to read arbitrary files via a full pathname in the ar_file (auto-reply) parameter.

  • CVE-2003-1528Dec 31, 2003
    risk 0.00cvss epss 0.00

    nsr_shutdown in Fujitsu Siemens NetWorker 6.0 allows local users to overwrite arbitrary files via a symlink attack on the nsrsh[PID] temporary file.

  • CVE-2001-0910Nov 21, 2001
    risk 0.00cvss epss 0.02

    Legato Networker before 6.1 allows remote attackers to bypass access restrictions and gain privileges on the Networker interface by spoofing the admin server name and IP address and connecting to Networker from an IP address whose hostname can not be determined by a DNS reverse…

  • CVE-1999-1139Sep 1, 1997
    risk 0.00cvss epss 0.00

    Character-Terminal User Environment (CUE) in HP-UX 11.0 and earlier allows local users to overwrite arbitrary files and gain root privileges via a symlink attack on the IOERROR.mytty file.

Page 664 of 664