Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Wordpress Subscribe
Filtered by product Wordpress
Total 581 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-5489 1 Wordpress 1 Wordpress 2017-11-03 6.8 MEDIUM 8.8 HIGH
Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload.
CVE-2015-2213 1 Wordpress 1 Wordpress 2017-11-03 7.5 HIGH N/A
SQL injection vulnerability in the wp_untrash_post_comments function in wp-includes/post.php in WordPress before 4.2.4 allows remote attackers to execute arbitrary SQL commands via a comment that is mishandled after retrieval from the trash.
CVE-2015-5734 1 Wordpress 1 Wordpress 2017-11-03 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a crafted string.
CVE-2015-7989 1 Wordpress 1 Wordpress 2017-11-03 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in the user list table in WordPress before 4.3.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted e-mail address, a different vulnerability than CVE-2015-5714.
CVE-2016-2221 1 Wordpress 1 Wordpress 2017-11-03 5.8 MEDIUM 7.4 HIGH
Open redirect vulnerability in the wp_validate_redirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as demonstrated by an https:example.com URL.
CVE-2017-5488 1 Wordpress 1 Wordpress 2017-11-03 4.3 MEDIUM 6.1 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) version header of a plugin.
CVE-2016-9263 1 Wordpress 1 Wordpress 2017-10-26 2.6 LOW 4.7 MEDIUM
WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file.
CVE-2007-3140 1 Wordpress 1 Wordpress 2017-10-18 6.5 MEDIUM N/A
SQL injection vulnerability in xmlrpc.php in WordPress 2.2 allows remote authenticated users to execute arbitrary SQL commands via a parameter value in an XML RPC wp.suggestCategories methodCall, a different vector than CVE-2007-1897.
CVE-2007-0233 1 Wordpress 1 Wordpress 2017-10-18 7.5 HIGH N/A
wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the tb_id parameter. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in WordPress.
CVE-2007-1897 1 Wordpress 1 Wordpress 2017-10-10 6.5 MEDIUM N/A
SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute arbitrary SQL commands via a string parameter value in an XML RPC mt.setPostCategories method call, related to the post_id variable.
CVE-2009-2143 2 Firestats, Wordpress 2 Firestats, Wordpress 2017-09-28 7.5 HIGH N/A
PHP remote file inclusion vulnerability in firestats-wordpress.php in the FireStats plugin before 1.6.2-stable for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the fs_javascript parameter.
CVE-2009-2122 2 Paolo Palmonari, Wordpress 2 Photoracer Plugin For Wordpress, Wordpress 2017-09-28 7.5 HIGH N/A
SQL injection vulnerability in viewimg.php in the Paolo Palmonari Photoracer plugin 1.0 for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2009-0968 2 Fahlstad, Wordpress 2 Fmoblog Plugin, Wordpress 2017-09-28 7.5 HIGH N/A
SQL injection vulnerability in fmoblog.php in the fMoblog plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. NOTE: some of these details are obtained from third party information.
CVE-2008-6811 2 Instinct, Wordpress 2 E-commerce Plugin, Wordpress 2017-09-28 6.8 MEDIUM N/A
Unrestricted file upload vulnerability in image_processing.php in the e-Commerce Plugin 3.4 and earlier for Wordpress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in wp-content/plugins/wp-shopping-cart/.
CVE-2008-5752 1 Wordpress 2 Page Flip Image Gallery Plugin, Wordpress 2017-09-28 4.3 MEDIUM N/A
Directory traversal vulnerability in getConfig.php in the Page Flip Image Gallery plugin 0.2.2 and earlier for WordPress, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the book_id parameter. NOTE: some of these details are obtained from third party information.
CVE-2008-4625 2 Shiftthis, Wordpress 2 Shifthis Newsletter, Wordpress 2017-09-28 7.5 HIGH N/A
SQL injection vulnerability in stnl_iframe.php in the ShiftThis Newsletter (st_newsletter) plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the newsletter parameter, a different vector than CVE-2008-0683.
CVE-2008-1982 1 Wordpress 2 Wordpress, Wpss 2017-09-28 7.5 HIGH N/A
SQL injection vulnerability in ss_load.php in the Spreadsheet (wpSS) 0.6 and earlier plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the ss_id parameter.
CVE-2008-0491 1 Wordpress 2 Fgallery Plugin, Wordpress 2017-09-28 7.5 HIGH N/A
SQL injection vulnerability in fim_rss.php in the fGallery 2.4.1 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the album parameter.
CVE-2007-5800 2 Tom Willmot, Wordpress 2 Backupwordpress Plugin, Wordpress 2017-09-28 6.8 MEDIUM N/A
Multiple PHP remote file inclusion vulnerabilities in the BackUpWordPress 0.4.2b and earlier plugin for WordPress allow remote attackers to execute arbitrary PHP code via a URL in the bkpwp_plugin_path parameter to (1) plugins/BackUp/Archive.php; and (2) Predicate.php, (3) Writer.php, (4) Reader.php, and other unspecified scripts under plugins/BackUp/Archive/.
CVE-2015-5733 1 Wordpress 1 Wordpress 2017-09-20 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the refreshAdvancedAccessibilityOfItem function in wp-admin/js/nav-menu.js in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via an accessibility-helper title.