Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Wordpress Subscribe
Total 621 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2015-3438 2 Debian, Wordpress 2 Debian Linux, Wordpress 2016-12-05 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 4.1.2, when MySQL is used without strict mode, allow remote attackers to inject arbitrary web script or HTML via a (1) four-byte UTF-8 character or (2) invalid character that reaches the database layer, as demonstrated by a crafted character in a comment.
CVE-2016-4567 2 Mediaelementjs, Wordpress 2 Mediaelement.js, Wordpress 2016-12-02 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn."
CVE-2016-4566 2 Plupload, Wordpress 2 Plupload, Wordpress 2016-12-02 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack.
CVE-2016-5832 1 Wordpress 1 Wordpress 2016-11-29 5.0 MEDIUM 7.5 HIGH
The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors.
CVE-2016-5837 1 Wordpress 1 Wordpress 2016-11-29 5.0 MEDIUM 7.5 HIGH
WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors.
CVE-2016-5838 1 Wordpress 1 Wordpress 2016-11-29 5.0 MEDIUM 7.5 HIGH
WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie.
CVE-2016-5834 1 Wordpress 1 Wordpress 2016-11-29 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833.
CVE-2016-5833 1 Wordpress 1 Wordpress 2016-11-29 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834.
CVE-2016-5835 1 Wordpress 1 Wordpress 2016-11-29 5.0 MEDIUM 7.5 HIGH
WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php.
CVE-2016-5839 1 Wordpress 1 Wordpress 2016-11-28 5.0 MEDIUM 7.5 HIGH
WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors.
CVE-2015-8834 1 Wordpress 1 Wordpress 2016-11-28 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3440.
CVE-2007-1732 1 Wordpress 1 Wordpress 2016-11-21 3.5 LOW N/A
** DISPUTED ** Cross-site scripting (XSS) vulnerability in an mt import in wp-admin/admin.php in WordPress 2.1.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the demo parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: another researcher disputes this issue, stating that this is legitimate functionality for administrators. However, it has been patched by at least one vendor.
CVE-2005-2107 1 Wordpress 1 Wordpress 2016-10-17 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in post.php in WordPress 1.5.1.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) p or (2) comment parameter.
CVE-2005-2109 1 Wordpress 1 Wordpress 2016-10-17 5.0 MEDIUM N/A
wp-login.php in WordPress 1.5.1.2 and earlier allows remote attackers to change the content of the forgotten password e-mail message via the message variable, which is not initialized before use.
CVE-2005-2108 1 Wordpress 1 Wordpress 2016-10-17 7.5 HIGH N/A
SQL injection vulnerability in XMLRPC server in WordPress 1.5.1.2 and earlier allows remote attackers to execute arbitrary SQL commands via input that is not filtered in the HTTP_RAW_POST_DATA variable, which stores the data in an XML file.
CVE-2005-1810 1 Wordpress 1 Wordpress 2016-10-17 7.5 HIGH N/A
SQL injection vulnerability in template-functions-category.php in WordPress 1.5.1 allows remote attackers to execute arbitrary SQL commands via the $cat_ID variable, as demonstrated using the cat parameter to index.php.
CVE-2005-1687 1 Wordpress 1 Wordpress 2016-10-17 7.5 HIGH N/A
SQL injection vulnerability in wp-trackback.php in Wordpress 1.5 and earlier allows remote attackers to execute arbitrary SQL commands via the tb_id parameter.
CVE-2005-1688 1 Wordpress 1 Wordpress 2016-10-17 5.0 MEDIUM N/A
Wordpress 1.5 and earlier allows remote attackers to obtain sensitive information via a direct request to files in (1) wp-content/themes/, (2) wp-includes/, or (3) wp-admin/, which reveal the path in an error message.
CVE-2005-1102 1 Wordpress 1 Wordpress 2016-10-17 6.8 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in template-functions-post.php in WordPress 1.5 and earlier allow remote attackers to execute arbitrary commands via the (1) content or (2) title of the post.
CVE-2014-9039 3 Debian, Mageia Project, Wordpress 3 Debian Linux, Mageia, Wordpress 2016-06-30 4.3 MEDIUM N/A
wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message.