Total
581 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2015-3440 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2016-12-05 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. | |||||
CVE-2015-3439 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2016-12-05 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as. | |||||
CVE-2015-3438 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2016-12-05 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 4.1.2, when MySQL is used without strict mode, allow remote attackers to inject arbitrary web script or HTML via a (1) four-byte UTF-8 character or (2) invalid character that reaches the database layer, as demonstrated by a crafted character in a comment. | |||||
CVE-2016-4567 | 2 Mediaelementjs, Wordpress | 2 Mediaelement.js, Wordpress | 2016-12-02 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn." | |||||
CVE-2016-4566 | 2 Plupload, Wordpress | 2 Plupload, Wordpress | 2016-12-02 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack. | |||||
CVE-2016-5833 | 1 Wordpress | 1 Wordpress | 2016-11-29 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834. | |||||
CVE-2016-5834 | 1 Wordpress | 1 Wordpress | 2016-11-29 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833. | |||||
CVE-2016-5835 | 1 Wordpress | 1 Wordpress | 2016-11-29 | 5.0 MEDIUM | 7.5 HIGH |
WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php. | |||||
CVE-2016-5838 | 1 Wordpress | 1 Wordpress | 2016-11-29 | 5.0 MEDIUM | 7.5 HIGH |
WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie. | |||||
CVE-2016-5837 | 1 Wordpress | 1 Wordpress | 2016-11-29 | 5.0 MEDIUM | 7.5 HIGH |
WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors. | |||||
CVE-2016-5832 | 1 Wordpress | 1 Wordpress | 2016-11-29 | 5.0 MEDIUM | 7.5 HIGH |
The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors. | |||||
CVE-2016-5839 | 1 Wordpress | 1 Wordpress | 2016-11-28 | 5.0 MEDIUM | 7.5 HIGH |
WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors. | |||||
CVE-2015-8834 | 1 Wordpress | 1 Wordpress | 2016-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3440. | |||||
CVE-2007-1732 | 1 Wordpress | 1 Wordpress | 2016-11-21 | 3.5 LOW | N/A |
** DISPUTED ** Cross-site scripting (XSS) vulnerability in an mt import in wp-admin/admin.php in WordPress 2.1.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the demo parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: another researcher disputes this issue, stating that this is legitimate functionality for administrators. However, it has been patched by at least one vendor. | |||||
CVE-2005-2107 | 1 Wordpress | 1 Wordpress | 2016-10-17 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in post.php in WordPress 1.5.1.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) p or (2) comment parameter. | |||||
CVE-2005-2109 | 1 Wordpress | 1 Wordpress | 2016-10-17 | 5.0 MEDIUM | N/A |
wp-login.php in WordPress 1.5.1.2 and earlier allows remote attackers to change the content of the forgotten password e-mail message via the message variable, which is not initialized before use. | |||||
CVE-2005-2108 | 1 Wordpress | 1 Wordpress | 2016-10-17 | 7.5 HIGH | N/A |
SQL injection vulnerability in XMLRPC server in WordPress 1.5.1.2 and earlier allows remote attackers to execute arbitrary SQL commands via input that is not filtered in the HTTP_RAW_POST_DATA variable, which stores the data in an XML file. | |||||
CVE-2005-1810 | 1 Wordpress | 1 Wordpress | 2016-10-17 | 7.5 HIGH | N/A |
SQL injection vulnerability in template-functions-category.php in WordPress 1.5.1 allows remote attackers to execute arbitrary SQL commands via the $cat_ID variable, as demonstrated using the cat parameter to index.php. | |||||
CVE-2005-1688 | 1 Wordpress | 1 Wordpress | 2016-10-17 | 5.0 MEDIUM | N/A |
Wordpress 1.5 and earlier allows remote attackers to obtain sensitive information via a direct request to files in (1) wp-content/themes/, (2) wp-includes/, or (3) wp-admin/, which reveal the path in an error message. | |||||
CVE-2005-1687 | 1 Wordpress | 1 Wordpress | 2016-10-17 | 7.5 HIGH | N/A |
SQL injection vulnerability in wp-trackback.php in Wordpress 1.5 and earlier allows remote attackers to execute arbitrary SQL commands via the tb_id parameter. |