Total
581 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2008-4769 | 1 Wordpress | 1 Wordpress | 2017-08-07 | 9.3 HIGH | N/A |
Directory traversal vulnerability in the get_category_template function in wp-includes/theme.php in WordPress 2.3.3 and earlier, and 2.5, allows remote attackers to include and possibly execute arbitrary PHP files via the cat parameter in index.php. NOTE: some of these details are obtained from third party information. | |||||
CVE-2008-3747 | 1 Wordpress | 1 Wordpress | 2017-08-07 | 7.5 HIGH | N/A |
The (1) get_edit_post_link and (2) get_edit_comment_link functions in wp-includes/link-template.php in WordPress before 2.6.1 do not force SSL communication in the intended situations, which might allow remote attackers to gain administrative access by sniffing the network for a cookie. | |||||
CVE-2008-2146 | 1 Wordpress | 1 Wordpress | 2017-08-07 | 7.5 HIGH | N/A |
wp-includes/vars.php in Wordpress before 2.2.3 does not properly extract the current path from the PATH_INFO ($PHP_SELF), which allows remote attackers to bypass intended access restrictions for certain pages. | |||||
CVE-2008-2068 | 1 Wordpress | 1 Wordpress | 2017-08-07 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in WordPress 2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2007-4893 | 1 Wordpress | 1 Wordpress | 2017-07-28 | 4.3 MEDIUM | N/A |
wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a does not properly verify the unfiltered_html privilege, which allows remote attackers to conduct cross-site scripting (XSS) attacks via modified data to (1) post.php or (2) page.php with a no_filter field. | |||||
CVE-2007-4894 | 1 Wordpress | 1 Wordpress | 2017-07-28 | 7.5 HIGH | N/A |
Multiple SQL injection vulnerabilities in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a allow remote attackers to execute arbitrary SQL commands via the post_type parameter to the pingback.extensions.getPingbacks method in the XMLRPC interface, and other unspecified parameters related to "early database escaping" and missing validation of "query string like parameters." | |||||
CVE-2007-4139 | 1 Wordpress | 1 Wordpress | 2017-07-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the Temporary Uploads editing functionality (wp-admin/includes/upload.php) in WordPress 2.2.1, allows remote attackers to inject arbitrary web script or HTML via the style parameter to wp-admin/upload.php. | |||||
CVE-2007-4165 | 2 Wordpress, Xu Yiyang | 2 Wordpress, Blue Memories Theme | 2017-07-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in index.php in the Blue Memories theme 1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter, possibly a related issue to CVE-2007-2757 and CVE-2007-4014. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
CVE-2007-4154 | 1 Wordpress | 1 Wordpress | 2017-07-28 | 6.5 MEDIUM | N/A |
SQL injection vulnerability in options.php in WordPress 2.2.1 allows remote authenticated administrators to execute arbitrary SQL commands via the page_options parameter to (1) options-general.php, (2) options-writing.php, (3) options-reading.php, (4) options-discussion.php, (5) options-privacy.php, (6) options-permalink.php, (7) options-misc.php, and possibly other unspecified components. | |||||
CVE-2007-4153 | 1 Wordpress | 1 Wordpress | 2017-07-28 | 2.1 LOW | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.2.1 allow remote authenticated administrators to inject arbitrary web script or HTML via (1) the Options Database Table in the Admin Panel, accessed through options.php; or (2) the opml_url parameter to link-import.php. NOTE: this might not cross privilege boundaries in some configurations, since the Administrator role has the unfiltered_html capability. | |||||
CVE-2007-1893 | 1 Wordpress | 1 Wordpress | 2017-07-28 | 4.9 MEDIUM | N/A |
xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users with the contributor role to bypass intended access restrictions and invoke the publish_posts functionality, which can be used to "publish a previously saved post." | |||||
CVE-2006-6808 | 1 Wordpress | 1 Wordpress | 2017-07-28 | 6.8 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in wp-admin/templates.php in WordPress 2.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. NOTE: some sources have reported this as a vulnerability in the get_file_description function in wp-admin/admin-functions.php. | |||||
CVE-2006-1012 | 1 Wordpress | 1 Wordpress | 2017-07-19 | 7.5 HIGH | N/A |
SQL injection vulnerability in WordPress 1.5.2, and possibly other versions before 2.0, allows remote attackers to execute arbitrary SQL commands via the User-Agent field in an HTTP header for a comment. | |||||
CVE-2004-1584 | 1 Wordpress | 1 Wordpress | 2017-07-10 | 5.0 MEDIUM | N/A |
CRLF injection vulnerability in wp-login.php in WordPress 1.2 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the text parameter. | |||||
CVE-2004-1559 | 1 Wordpress | 1 Wordpress | 2017-07-10 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Wordpress 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) redirect_to, text, popupurl, or popuptitle parameters to wp-login.php, (2) redirect_url parameter to admin-header.php, (3) popuptitle, popupurl, content, or post_title parameters to bookmarklet.php, (4) cat_ID parameter to categories.php, (5) s parameter to edit.php, or (6) s or mode parameter to edit-comments.php. | |||||
CVE-2016-10148 | 1 Wordpress | 1 Wordpress | 2017-03-15 | 4.0 MEDIUM | 4.3 MEDIUM |
The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896. | |||||
CVE-2013-2205 | 1 Wordpress | 1 Wordpress | 2016-12-30 | 4.3 MEDIUM | N/A |
The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site. | |||||
CVE-2013-1464 | 2 Doryphores, Wordpress | 2 Audio Player, Wordpress | 2016-12-07 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in assets/player.swf in the Audio Player plugin before 2.0.4.6 for Wordpress allows remote attackers to inject arbitrary web script or HTML via the playerID parameter. | |||||
CVE-2012-3414 | 3 Swfupload Project, Tinymce, Wordpress | 3 Swfupload, Image Manager, Wordpress | 2016-12-07 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function. | |||||
CVE-2012-4242 | 2 Matthew Fries, Wordpress | 2 Mf Gig Calendar, Wordpress | 2016-12-07 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the MF Gig Calendar plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the calendar page. |