Total
581 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2012-5178 | 2 Welcart, Wordpress | 2 Welcart Plugin, Wordpress | 2013-01-28 | 6.8 MEDIUM | N/A |
Cross-site request forgery (CSRF) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that complete a purchase. | |||||
CVE-2011-5254 | 2 Connections Project, Wordpress | 2 Connections, Wordpress | 2013-01-22 | 10.0 HIGH | N/A |
Unspecified vulnerability in the Connections plugin before 0.7.1.6 for WordPress has unknown impact and attack vectors. | |||||
CVE-2012-6499 | 2 Age Verification Project, Wordpress | 2 Age Verification, Wordpress | 2013-01-13 | 5.8 MEDIUM | N/A |
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_to parameter. | |||||
CVE-2012-5868 | 1 Wordpress | 1 Wordpress | 2013-01-07 | 2.6 LOW | N/A |
WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upon an administrator's logout action, which makes it easier for remote attackers to discover valid session identifiers via a brute-force attack, or modify data via a replay attack. | |||||
CVE-2012-6312 | 2 Video-lead-form, Wordpress | 2 Uk-cookie, Wordpress | 2012-12-27 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the Video Lead Form plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the errMsg parameter in a video-lead-form action to wp-admin/admin.php. | |||||
CVE-2012-5469 | 2 Phpmyadmin, Wordpress | 2 Phpmyadmin, Wordpress | 2012-12-27 | 7.5 HIGH | N/A |
The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod. | |||||
CVE-2012-5177 | 2 Welcart, Wordpress | 2 Welcart Plugin, Wordpress | 2012-12-19 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2012-6313 | 2 Simple Gmail Login, Wordpress | 3 1.1.2, 1.1.3, Wordpress | 2012-12-11 | 5.0 MEDIUM | N/A |
simple-gmail-login.php in the Simple Gmail Login plugin before 1.1.4 for WordPress allows remote attackers to obtain sensitive information via a request that lacks a timezone, leading to disclosure of the installation path in a stack trace. | |||||
CVE-2012-1786 | 2 Kylegilman, Wordpress | 2 Video Embed \& Thumbnail Generator, Wordpress | 2012-11-05 | 5.0 MEDIUM | N/A |
The Media Upload form in the Video Embed & Thumbnail Generator plugin before 2.0 for WordPress allows remote attackers to obtain the installation path via unknown vectors. | |||||
CVE-2011-5193 | 2 Phpace, Wordpress | 2 Samswhois, Wordpress | 2012-10-14 | 2.6 LOW | N/A |
Cross-site scripting (XSS) vulnerability in vendors/samswhois/samswhois.inc.php in the Whois Search plugin 1.4.2.3 for WordPress, when the WHOIS widget is enabled, allows remote attackers to inject arbitrary web script or HTML via the domain parameter to index.php, a different vulnerability than CVE-2011-5194. | |||||
CVE-2011-4342 | 2 Backwpup, Wordpress | 2 Backwpup, Wordpress | 2012-10-08 | 7.5 HIGH | N/A |
PHP remote file inclusion vulnerability in wp_xml_export.php in the BackWPup plugin before 1.7.2 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the wpabs parameter. | |||||
CVE-2012-5318 | 2 Kishore Asokan, Wordpress | 2 Kish Guest Posting Plugin, Wordpress | 2012-10-08 | 6.8 MEDIUM | N/A |
Unrestricted file upload vulnerability in uploadify/scripts/uploadify.php in the Kish Guest Posting plugin 1.2 for WordPress allows remote attackers to execute arbitrary code by uploading a file with a double extension, then accessing it via a direct request to the file in the directory specified by the folder parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1125. | |||||
CVE-2011-5208 | 2 Backwpup, Wordpress | 2 Backwpup, Wordpress | 2012-10-08 | 5.0 MEDIUM | N/A |
Multiple directory traversal vulnerabilities in the BackWPup plugin before 1.4.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the wpabs parameter to (1) app/options-view_log-iframe.php or (2) app/options-runnow-iframe.php. | |||||
CVE-2012-4448 | 1 Wordpress | 1 Wordpress | 2012-09-30 | 6.8 MEDIUM | N/A |
Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action. | |||||
CVE-2011-5191 | 2 Blairwilliams, Wordpress | 2 Pretty Link Lite Plugin, Wordpress | 2012-09-23 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in pretty-bar.php in Pretty Link Lite plugin before 1.5.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the slug parameter, a different vulnerability than CVE-2011-5192. | |||||
CVE-2011-5192 | 2 Blairwilliams, Wordpress | 2 Pretty Link Lite Plugin, Wordpress | 2012-09-23 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in pretty-bar.php in Pretty Link Lite plugin before 1.5.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the slug parameter, a different vulnerability than CVE-2011-5191. | |||||
CVE-2012-3383 | 1 Wordpress | 1 Wordpress | 2012-09-17 | 2.6 LOW | N/A |
The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not properly assign the unfiltered_html capability, which allows remote authenticated users to bypass intended access restrictions and conduct cross-site scripting (XSS) attacks by leveraging the Administrator or Editor role and composing crafted text. | |||||
CVE-2012-4421 | 1 Wordpress | 1 Wordpress | 2012-09-16 | 4.0 MEDIUM | N/A |
The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature. | |||||
CVE-2012-4422 | 1 Wordpress | 1 Wordpress | 2012-09-16 | 3.5 LOW | N/A |
wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin changes by leveraging the Administrator role. | |||||
CVE-2010-5106 | 1 Wordpress | 1 Wordpress | 2012-09-16 | 6.5 MEDIUM | N/A |
The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role. |