Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Wordpress Subscribe
Filtered by product Wordpress
Total 581 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2011-5106 2 Fractalia, Wordpress 2 Flexible Custom Post Type, Wordpress 2018-10-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in edit-post.php in the Flexible Custom Post Type plugin before 0.1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter.
CVE-2011-5265 2 Featurific For Wordpress Project, Wordpress 2 Featurific-for-wordpress, Wordpress 2018-10-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in cached_image.php in the Featurific For WordPress plugin 1.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the snum parameter. NOTE: this has been disputed by a third party.
CVE-2011-5179 2 Skysa, Wordpress 2 Skysa App Bar Integration Plugin, Wordpress 2018-10-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in skysa-official/skysa.php in Skysa App Bar Integration plugin, possibly before 1.04, for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter.
CVE-2011-4926 2 Bueltge, Wordpress 2 Adminimize, Wordpress 2018-10-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.
CVE-2011-5182 1 Wordpress 2 Lanoba Social Plugin, Wordpress 2018-10-09 4.3 MEDIUM N/A
** DISPUTED ** Cross-site scripting (XSS) vulnerability in lanoba-social-plugin/index.php in the Lanoba Social plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter. NOTE: the vendor disputes this issue, stating "Lanoba's plug in does sanitize user input, and because that input is never sent to the browser, an attacker has no way of executing script or code on a user's behalf."
CVE-2011-5180 2 Wordpress, Zooeffect 2 Wordpress, Zooeffect 2018-10-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in wp-1pluginjquery.php in the ZooEffect plugin 1.01 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. NOTE: some of these details are obtained from third party information. NOTE: this has been disputed by a third party.
CVE-2011-5107 1 Wordpress 2 Alert Before You Post, Wordpress 2018-10-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in post_alert.php in Alert Before Your Post plugin, possibly 0.1.1 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the name parameter.
CVE-2011-5181 2 Clickdesk, Wordpress 2 Clickdesk Live Support-live Chat Plugin, Wordpress 2018-10-09 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in clickdesk.php in ClickDesk Live Support - Live Chat plugin 2.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cdwidgetid parameter. NOTE: some of these details are obtained from third party information.
CVE-2011-1047 2 Vasthtml, Wordpress 2 Forum Server, Wordpress 2018-10-09 7.5 HIGH N/A
Multiple SQL injection vulnerabilities in VastHTML Forum Server (aka ForumPress) plugin 1.6.1 and 1.6.5 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) search_max parameter in a search action to index.php, which is not properly handled by wpf.class.php, (2) id parameter in an editpost action to index.php, which is not properly handled by wpf-post.php, or (3) topic parameter to feed.php.
CVE-2016-5836 1 Wordpress 1 Wordpress 2018-07-30 5.0 MEDIUM 7.5 HIGH
The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors.
CVE-2018-10102 2 Debian, Wordpress 2 Debian Linux, Wordpress 2018-05-18 4.3 MEDIUM 6.1 MEDIUM
Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.
CVE-2018-10100 2 Debian, Wordpress 2 Debian Linux, Wordpress 2018-05-18 5.8 MEDIUM 6.1 MEDIUM
Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.
CVE-2014-6412 1 Wordpress 1 Wordpress 2018-05-17 5.0 MEDIUM 8.1 HIGH
WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.
CVE-2017-16510 1 Wordpress 1 Wordpress 2018-02-03 7.5 HIGH 9.8 CRITICAL
WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723.
CVE-2018-5776 1 Wordpress 1 Wordpress 2018-02-01 4.3 MEDIUM 6.1 MEDIUM
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).
CVE-2012-2404 1 Wordpress 1 Wordpress 2017-12-18 4.3 MEDIUM N/A
wp-comments-post.php in WordPress before 3.3.2 supports offsite redirects, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
CVE-2012-2403 1 Wordpress 1 Wordpress 2017-12-18 4.3 MEDIUM N/A
wp-includes/formatting.php in WordPress before 3.3.2 attempts to enable clickable links inside attributes, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
CVE-2012-2402 1 Wordpress 1 Wordpress 2017-12-18 5.5 MEDIUM N/A
wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspecified vectors.
CVE-2012-2399 1 Wordpress 1 Wordpress 2017-12-18 10.0 HIGH N/A
Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a different vulnerability than CVE-2012-3414.
CVE-2012-2401 2 Moxiecode, Wordpress 2 Plupload, Wordpress 2017-12-18 5.0 MEDIUM N/A
Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content.