Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Wordpress Subscribe
Filtered by product Wordpress
Total 581 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2003-1599 1 Wordpress 1 Wordpress 2017-08-28 7.5 HIGH N/A
PHP remote file inclusion vulnerability in wp-links/links.all.php in WordPress 0.70 allows remote attackers to execute arbitrary PHP code via a URL in the $abspath variable.
CVE-2003-1598 1 Wordpress 1 Wordpress 2017-08-28 7.5 HIGH N/A
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.
CVE-2010-4825 2 Pleer, Wordpress 2 Wp-twitter-feed, Wordpress 2017-08-28 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in magpie_debug.php in the Twitter Feed plugin (wp-twitter-feed) 0.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter.
CVE-2010-4875 2 Wordpress, Xondie 2 Wordpress, Vodpod Video Gallery 2017-08-28 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in vodpod-video-gallery/vodpod_gallery_thumbs.php in the Vodpod Video Gallery Plugin 3.1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the gid parameter.
CVE-2011-1669 2 Mikoviny, Wordpress 2 Wp Custom Pages, Wordpress 2017-08-16 5.0 MEDIUM N/A
Directory traversal vulnerability in wp-download.php in the WP Custom Pages module 0.5.0.1 for WordPress allows remote attackers to read arbitrary files via ..%2F (encoded dot dot) sequences in the url parameter.
CVE-2011-0760 2 Adminofsystem, Wordpress 2 Wp Related Posts, Wordpress 2017-08-16 4.3 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in the configuration screen in wp-relatedposts.php in the WP Related Posts plugin 1.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the (1) wp_relatedposts_title, (2) wp_relatedposts_num, or (3) wp_relatedposts_type parameter.
CVE-2010-4630 2 Fubra, Wordpress 2 Wp-survey-and-quiz-tool, Wordpress 2017-08-16 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in pages/admin/surveys/create.php in the WP Survey And Quiz Tool plugin 1.2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter.
CVE-2010-4637 2 Finalcut, Wordpress 2 Feedlist, Wordpress 2017-08-16 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in feedlist/handler_image.php in the FeedList plugin 2.61.01 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.
CVE-2010-4747 2 Ahmattox, Wordpress 2 Processing Embed Plugin, Wordpress 2017-08-16 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in wordpress-processing-embed/data/popup.php in the Processing Embed plugin 0.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the pluginurl parameter.
CVE-2011-0740 2 Pleer, Wordpress 2 Rss Feed Reader, Wordpress 2017-08-16 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in magpie/scripts/magpie_slashbox.php in RSS Feed Reader 0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the rss_url parameter.
CVE-2011-0759 2 Blaenkdenum, Wordpress 2 Wp-recaptcha, Wordpress 2017-08-16 6.8 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in the configuration page in the Recaptcha (aka WP-reCAPTCHA) plugin 2.9.8.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that disable the CAPTCHA requirement or insert cross-site scripting (XSS) sequences via the (1) recaptcha_opt_pubkey, (2) recaptcha_opt_privkey, (3) re_tabindex, (4) error_blank, (5) error_incorrect, (6) mailhide_pub, (7) mailhide_priv, (8) mh_replace_link, or (9) mh_replace_title parameter.
CVE-2011-0641 2 Heart5, Wordpress 2 Statpresscn, Wordpress 2017-08-16 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/admin.php in the StatPressCN plugin 1.9.0 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) what1, (2) what2, (3) what3, (4) what4, and (5) what5 parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2010-2924 2 Silvercover, Wordpress 2 Mylinksdump Plugin, Wordpress 2017-08-16 7.5 HIGH N/A
SQL injection vulnerability in myLDlinker.php in the myLinksDump Plugin 1.2 for WordPress allows remote attackers to execute arbitrary SQL commands via the url parameter. NOTE: some of these details are obtained from third party information.
CVE-2010-1186 2 Alex Rabe, Wordpress 2 Nextgen Gallery, Wordpress 2017-08-16 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in xml/media-rss.php in the NextGEN Gallery plugin before 1.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the mode parameter.
CVE-2009-4424 2 Imotta, Wordpress 2 Pyrmont Plugin, Wordpress 2017-08-16 7.5 HIGH N/A
SQL injection vulnerability in results.php in the Pyrmont plugin 2 for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2008-6767 1 Wordpress 1 Wordpress 2017-08-16 10.0 HIGH N/A
wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to upgrade the application, and possibly cause a denial of service (application outage), via a direct request.
CVE-2008-7040 2 Wordpress, Yellowswordfish 2 Wordpress, Simple Forum 2017-08-16 7.5 HIGH N/A
SQL injection vulnerability in ahah/sf-profile.php in the Yellow Swordfish Simple Forum module for Wordpress allows remote attackers to execute arbitrary SQL commands via the u parameter. NOTE: this issue was disclosed by an unreliable researcher, so the details might be incorrect.
CVE-2008-6762 1 Wordpress 1 Wordpress 2017-08-16 4.3 MEDIUM N/A
Open redirect vulnerability in wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backto parameter.
CVE-2008-5278 1 Wordpress 1 Wordpress 2017-08-07 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the self_link function in in the RSS Feed Generator (wp-includes/feed.php) for WordPress before 2.6.5 allows remote attackers to inject arbitrary web script or HTML via the Host header (HTTP_HOST variable).
CVE-2008-5113 1 Wordpress 1 Wordpress 2017-08-07 4.0 MEDIUM N/A
WordPress 2.6.3 relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier for remote attackers to conduct delayed and persistent cross-site request forgery (CSRF) attacks via crafted cookies, as demonstrated by attacks that (1) delete user accounts or (2) cause a denial of service (loss of application access). NOTE: this issue relies on the presence of an independent vulnerability that allows cookie injection.