Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Wordpress Subscribe
Filtered by product Wordpress
Total 581 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2015-5730 1 Wordpress 1 Wordpress 2017-09-20 5.0 MEDIUM N/A
The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time comparison for widgets, which allows remote attackers to conduct a timing side-channel attack by measuring the delay before inequality is calculated.
CVE-2015-5623 2 Debian, Wordpress 2 Debian Linux, Wordpress 2017-09-20 4.0 MEDIUM N/A
WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php.
CVE-2009-4748 2 Andrew Charlton, Wordpress 2 My Category Order, Wordpress 2017-09-18 7.5 HIGH N/A
SQL injection vulnerability in mycategoryorder.php in the My Category Order plugin 2.8 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the parentID parameter in an act_OrderCategories action to wp-admin/post-new.php.
CVE-2009-4672 2 Grupenet, Wordpress 2 Wp-lytebox, Wordpress 2017-09-18 7.5 HIGH N/A
Directory traversal vulnerability in main.php in the WP-Lytebox plugin 1.3 for WordPress allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the pg parameter.
CVE-2009-2852 2 Ryan.mcgeary, Wordpress 2 Wp-syntax, Wordpress 2017-09-18 6.8 MEDIUM N/A
WP-Syntax plugin 0.9.1 and earlier for Wordpress, with register_globals enabled, allows remote attackers to execute arbitrary PHP code via the test_filter[wp_head] array parameter to test/index.php, which is used in a call to the call_user_func_array function.
CVE-2009-2396 2 Dutchmonkey, Wordpress 2 Dm Album, Wordpress 2017-09-18 9.3 HIGH N/A
PHP remote file inclusion vulnerability in template/album.php in DM Albums 1.9.2, as used standalone or as a WordPress plugin, allows remote attackers to execute arbitrary PHP code via a URL in the SECURITY_FILE parameter.
CVE-2009-2383 2 Blogtrafficexchange, Wordpress 2 Related-sites, Wordpress 2017-09-18 7.5 HIGH N/A
SQL injection vulnerability in BTE_RW_webajax.php in the Related Sites plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the guid parameter.
CVE-2016-6897 1 Wordpress 1 Wordpress 2017-09-02 4.3 MEDIUM 6.5 MEDIUM
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.
CVE-2016-6896 1 Wordpress 1 Wordpress 2017-09-02 5.5 MEDIUM 7.1 HIGH
Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool.
CVE-2017-5487 1 Wordpress 1 Wordpress 2017-08-31 5.0 MEDIUM 5.3 MEDIUM
wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
CVE-2014-2315 2 Shinephp, Wordpress 2 Thank You Counter Button, Wordpress 2017-08-28 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Thank You Counter Button plugin 1.8.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) thanks_caption, (2) thanks_caption_style, or (3) thanks_style parameter to wp-admin/options.php.
CVE-2013-7279 2 Anthony Mills, Wordpress 2 S3 Video, Wordpress 2017-08-28 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in views/video-management/preview_video.php in the S3 Video plugin before 0.983 for WordPress allows remote attackers to inject arbitrary web script or HTML via the base parameter.
CVE-2014-1907 2 Videowhisper, Wordpress 2 Live Streaming Integration Plugin, Wordpress 2017-08-28 6.4 MEDIUM N/A
Multiple directory traversal vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the s parameter to ls/rtmp_login.php or (2) delete arbitrary files via a .. (dot dot) in the s parameter to ls/rtmp_logout.php.
CVE-2013-7276 2 Recommend To A Friend Project, Wordpress 2 Recommend To A Friend, Wordpress 2017-08-28 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in inc/raf_form.php in the Recommend to a friend plugin 2.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the current_url parameter.
CVE-2014-1232 2 Foliovision, Wordpress 2 Foliopress Wysiwyg, Wordpress 2017-08-28 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Foliopress WYSIWYG plugin before 2.6.8.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2013-3256 2 Shareaholic, Wordpress 2 Sexybookmarks, Wordpress 2017-08-28 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the Shareaholic SexyBookmarks plugin 6.1.4.0 for WordPress allows remote attackers to hijack the authentication of users for requests that "manipulate plugin settings."
CVE-2013-3529 2 Smartypantsplugins, Wordpress 2 Wp-funeral-press, Wordpress 2017-08-28 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in user/obits.php in the WP FuneralPress plugin before 1.1.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) message, (2) photo-message, or (3) youtube-message parameter.
CVE-2013-4954 2 Genetechsolutions, Wordpress 2 Pie-register, Wordpress 2017-08-28 2.6 LOW N/A
Multiple cross-site scripting (XSS) vulnerabilities in wp-login.php in the Genetech Solutions Pie-Register plugin before 1.31 for WordPress, when "Allow New Registrations to set their own Password" is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) pass1 or (2) pass2 parameter in a register action. NOTE: some of these details are obtained from third party information.
CVE-2013-3491 2 Mdolon, Wordpress 2 Sharebar, Wordpress 2017-08-28 6.8 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in the Sharebar plugin 1.2.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) modify buttons, or (3) insert cross-site scripting (XSS) sequences.
CVE-2013-3526 2 Wordpress, Wptrafficanalyzer 2 Wordpress, Trafficanalyzer 2017-08-28 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter.