Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Wordpress Subscribe
Total 621 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2012-2403 1 Wordpress 1 Wordpress 2017-12-18 4.3 MEDIUM N/A
wp-includes/formatting.php in WordPress before 3.3.2 attempts to enable clickable links inside attributes, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
CVE-2012-2399 1 Wordpress 1 Wordpress 2017-12-18 10.0 HIGH N/A
Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a different vulnerability than CVE-2012-3414.
CVE-2012-2401 2 Moxiecode, Wordpress 2 Plupload, Wordpress 2017-12-18 5.0 MEDIUM N/A
Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content.
CVE-2012-2402 1 Wordpress 1 Wordpress 2017-12-18 5.5 MEDIUM N/A
wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspecified vectors.
CVE-2014-0165 1 Wordpress 1 Wordpress 2017-12-15 4.0 MEDIUM N/A
WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php.
CVE-2014-0166 1 Wordpress 1 Wordpress 2017-12-15 6.4 MEDIUM N/A
The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie.
CVE-2012-1936 1 Wordpress 1 Wordpress 2017-12-13 6.8 MEDIUM N/A
** DISPUTED ** The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network, as demonstrated by attacks against the wp-admin/admin-ajax.php and wp-admin/user-new.php scripts. NOTE: the vendor reportedly disputes the significance of this issue because wp_create_nonce operates as intended, even if it is arguably inconsistent with certain CSRF protection details advocated by external organizations.
CVE-2009-2851 1 Wordpress 1 Wordpress 2017-12-07 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the administrator interface in WordPress before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via a comment author URL.
CVE-2009-2854 1 Wordpress 1 Wordpress 2017-11-22 6.4 MEDIUM N/A
Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additions via a direct request to (1) edit-comments.php, (2) edit-pages.php, (3) edit.php, (4) edit-category-form.php, (5) edit-link-category-form.php, (6) edit-tag-form.php, (7) export.php, (8) import.php, or (9) link-add.php in wp-admin/.
CVE-2009-2762 1 Wordpress 1 Wordpress 2017-11-22 7.5 HIGH N/A
wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array.
CVE-2009-3891 1 Wordpress 1 Wordpress 2017-11-22 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in wp-admin/press-this.php in WordPress before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML via the s parameter (aka the selection variable).
CVE-2011-0701 1 Wordpress 1 Wordpress 2017-11-22 4.0 MEDIUM N/A
wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2) private posts via a modified attachment_id parameter.
CVE-2009-3622 1 Wordpress 1 Wordpress 2017-11-21 4.3 MEDIUM N/A
Algorithmic complexity vulnerability in wp-trackback.php in WordPress before 2.8.5 allows remote attackers to cause a denial of service (CPU consumption and server hang) via a long title parameter in conjunction with a charset parameter composed of many comma-separated "UTF-8" substrings, related to the mb_convert_encoding function in PHP.
CVE-2009-3890 1 Wordpress 1 Wordpress 2017-11-21 6.0 MEDIUM N/A
Unrestricted file upload vulnerability in the wp_check_filetype function in wp-includes/functions.php in WordPress before 2.8.6, when a certain configuration of the mod_mime module in the Apache HTTP Server is enabled, allows remote authenticated users to execute arbitrary code by posting an attachment with a multiple-extension filename, and then accessing this attachment via a direct request to a wp-content/uploads/ pathname, as demonstrated by a .php.jpg filename.
CVE-2010-4257 1 Wordpress 1 Wordpress 2017-11-21 6.0 MEDIUM N/A
SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field.
CVE-2010-4536 1 Wordpress 1 Wordpress 2017-11-21 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used in WordPress before 3.0.4, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the & (ampersand) character, (2) the case of an attribute name, (3) a padded entity, and (4) an entity that is not in normalized form.
CVE-2011-0700 1 Wordpress 1 Wordpress 2017-11-21 3.5 LOW N/A
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or post_title), (2) post_status, (3) comment_status, (4) ping_status, and (5) escaping of tags within the tags meta box.
CVE-2009-2853 1 Wordpress 1 Wordpress 2017-11-16 10.0 HIGH N/A
Wordpress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6) edit-link-form.php, (7) edit-page-form.php, and (8) edit-tag-form.php in wp-admin/.
CVE-2012-6707 1 Wordpress 1 Wordpress 2017-11-13 5.0 MEDIUM 7.5 HIGH
WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2017-14724 1 Wordpress 1 Wordpress 2017-11-09 4.3 MEDIUM 6.1 MEDIUM
Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.