Total
581 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2011-5106 | 2 Fractalia, Wordpress | 2 Flexible Custom Post Type, Wordpress | 2018-10-09 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in edit-post.php in the Flexible Custom Post Type plugin before 0.1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter. | |||||
CVE-2011-5265 | 2 Featurific For Wordpress Project, Wordpress | 2 Featurific-for-wordpress, Wordpress | 2018-10-09 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in cached_image.php in the Featurific For WordPress plugin 1.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the snum parameter. NOTE: this has been disputed by a third party. | |||||
CVE-2011-5179 | 2 Skysa, Wordpress | 2 Skysa App Bar Integration Plugin, Wordpress | 2018-10-09 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in skysa-official/skysa.php in Skysa App Bar Integration plugin, possibly before 1.04, for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter. | |||||
CVE-2011-4926 | 2 Bueltge, Wordpress | 2 Adminimize, Wordpress | 2018-10-09 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. | |||||
CVE-2011-5182 | 1 Wordpress | 2 Lanoba Social Plugin, Wordpress | 2018-10-09 | 4.3 MEDIUM | N/A |
** DISPUTED ** Cross-site scripting (XSS) vulnerability in lanoba-social-plugin/index.php in the Lanoba Social plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter. NOTE: the vendor disputes this issue, stating "Lanoba's plug in does sanitize user input, and because that input is never sent to the browser, an attacker has no way of executing script or code on a user's behalf." | |||||
CVE-2011-5180 | 2 Wordpress, Zooeffect | 2 Wordpress, Zooeffect | 2018-10-09 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in wp-1pluginjquery.php in the ZooEffect plugin 1.01 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. NOTE: some of these details are obtained from third party information. NOTE: this has been disputed by a third party. | |||||
CVE-2011-5107 | 1 Wordpress | 2 Alert Before You Post, Wordpress | 2018-10-09 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in post_alert.php in Alert Before Your Post plugin, possibly 0.1.1 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the name parameter. | |||||
CVE-2011-5181 | 2 Clickdesk, Wordpress | 2 Clickdesk Live Support-live Chat Plugin, Wordpress | 2018-10-09 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in clickdesk.php in ClickDesk Live Support - Live Chat plugin 2.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cdwidgetid parameter. NOTE: some of these details are obtained from third party information. | |||||
CVE-2011-1047 | 2 Vasthtml, Wordpress | 2 Forum Server, Wordpress | 2018-10-09 | 7.5 HIGH | N/A |
Multiple SQL injection vulnerabilities in VastHTML Forum Server (aka ForumPress) plugin 1.6.1 and 1.6.5 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) search_max parameter in a search action to index.php, which is not properly handled by wpf.class.php, (2) id parameter in an editpost action to index.php, which is not properly handled by wpf-post.php, or (3) topic parameter to feed.php. | |||||
CVE-2016-5836 | 1 Wordpress | 1 Wordpress | 2018-07-30 | 5.0 MEDIUM | 7.5 HIGH |
The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors. | |||||
CVE-2018-10102 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2018-05-18 | 4.3 MEDIUM | 6.1 MEDIUM |
Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. | |||||
CVE-2018-10100 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2018-05-18 | 5.8 MEDIUM | 6.1 MEDIUM |
Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. | |||||
CVE-2014-6412 | 1 Wordpress | 1 Wordpress | 2018-05-17 | 5.0 MEDIUM | 8.1 HIGH |
WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. | |||||
CVE-2017-16510 | 1 Wordpress | 1 Wordpress | 2018-02-03 | 7.5 HIGH | 9.8 CRITICAL |
WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723. | |||||
CVE-2018-5776 | 1 Wordpress | 1 Wordpress | 2018-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). | |||||
CVE-2012-2404 | 1 Wordpress | 1 Wordpress | 2017-12-18 | 4.3 MEDIUM | N/A |
wp-comments-post.php in WordPress before 3.3.2 supports offsite redirects, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. | |||||
CVE-2012-2403 | 1 Wordpress | 1 Wordpress | 2017-12-18 | 4.3 MEDIUM | N/A |
wp-includes/formatting.php in WordPress before 3.3.2 attempts to enable clickable links inside attributes, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. | |||||
CVE-2012-2402 | 1 Wordpress | 1 Wordpress | 2017-12-18 | 5.5 MEDIUM | N/A |
wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspecified vectors. | |||||
CVE-2012-2399 | 1 Wordpress | 1 Wordpress | 2017-12-18 | 10.0 HIGH | N/A |
Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a different vulnerability than CVE-2012-3414. | |||||
CVE-2012-2401 | 2 Moxiecode, Wordpress | 2 Plupload, Wordpress | 2017-12-18 | 5.0 MEDIUM | N/A |
Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content. |