Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Wordpress Subscribe
Filtered by product Wordpress
Total 581 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2006-4028 1 Wordpress 1 Wordpress 2011-08-31 10.0 HIGH N/A
Multiple unspecified vulnerabilities in WordPress before 2.0.4 have unknown impact and remote attack vectors. NOTE: due to lack of details, it is not clear how these issues are different from CVE-2006-3389 and CVE-2006-3390, although it is likely that 2.0.4 addresses an unspecified issue related to "Anyone can register" functionality (user registration for guests).
CVE-2010-4779 2 Bravenewcode, Wordpress 2 Wptouch, Wordpress 2011-05-30 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in lib/includes/auth.inc.php in the WPtouch plugin 1.9.19.4 and 1.9.20 for WordPress allows remote attackers to inject arbitrary web script or HTML via the wptouch_settings parameter to include/adsense-new.php. NOTE: some of these details are obtained from third party information.
CVE-2008-0664 1 Wordpress 1 Wordpress 2011-03-07 6.4 MEDIUM N/A
The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors.
CVE-2007-1622 1 Wordpress 1 Wordpress 2011-03-07 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series, allows remote authenticated users with theme privileges to inject arbitrary web script or HTML via the PATH_INFO in the administration interface, related to loose regular expression processing of PHP_SELF.
CVE-2007-1230 1 Wordpress 1 Wordpress 2011-03-07 5.8 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/functions.php in WordPress before 2.1.2-alpha allow remote attackers to inject arbitrary web script or HTML via (1) the Referer HTTP header or (2) the URI, a different vulnerability than CVE-2007-1049.
CVE-2007-1049 2 Gentoo, Wordpress 2 Linux, Wordpress 2011-03-07 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before 2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the file parameter to wp-admin/templates.php, and possibly other vectors involving the action variable.
CVE-2006-5705 1 Wordpress 1 Wordpress 2011-03-07 6.0 MEDIUM N/A
Multiple directory traversal vulnerabilities in plugins/wp-db-backup.php in WordPress before 2.0.5 allow remote authenticated users to read or overwrite arbitrary files via directory traversal sequences in the (1) backup and (2) fragment parameters in a GET request.
CVE-2010-0682 1 Wordpress 1 Wordpress 2011-01-18 4.0 MEDIUM N/A
WordPress 2.9 before 2.9.2 allows remote authenticated users to read trash posts from other authors via a direct request with a modified p parameter.
CVE-2009-4169 2 Roytanck, Wordpress 2 Wp-cumulus, Wordpress 2011-01-05 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in wp-cumulus.php in the WP-Cumulus Plug-in before 1.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2010-4518 2 Wobeo, Wordpress 2 Wp-safe-search, Wordpress 2010-12-17 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in wp-safe-search/wp-safe-search-jx.php in the Safe Search plugin 0.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the v1 parameter.
CVE-2010-0673 2 Copperleaf, Wordpress 2 Photolog, Wordpress 2010-02-22 7.5 HIGH N/A
SQL injection vulnerability in cplphoto.php in the Copperleaf Photolog plugin 0.16, and possibly earlier, for WordPress allows remote attackers to execute arbitrary SQL commands via the postid parameter.
CVE-2009-2144 3 Edgewall, Firestats, Wordpress 3 Firestats, Firestats, Wordpress 2009-08-20 7.5 HIGH N/A
SQL injection vulnerability in the FireStats plugin before 1.6.2-stable for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2007-6677 2 Peters Software, Wordpress 2 Random Anti-spam Image, Wordpress 2008-11-14 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in Peter's Random Anti-Spam Image 0.2.4 and earlier plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the comment field in the comment form.
CVE-2007-3543 1 Wordpress 2 Wordpress, Wordpress Mu 2008-11-14 6.0 MEDIUM N/A
Unrestricted file upload vulnerability in WordPress before 2.2.1 and WordPress MU before 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code by making a post that specifies a .php filename in the _wp_attached_file metadata field; and then sending this file's content, along with its post_ID value, to (1) wp-app.php or (2) app.php.
CVE-2008-3233 1 Wordpress 1 Wordpress 2008-09-05 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in WordPress before 2.6, SVN development versions only, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-0618 2 Daniel M. Schurter, Wordpress 2 Dmsguestbook, Wordpress 2008-09-05 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in the DMSGuestbook 1.8.0 and 1.7.0 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) gbname, (2) gbemail, (3) gburl, and (4) gbmsg parameters to unspecified programs. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2006-6016 1 Wordpress 1 Wordpress 2008-09-05 4.0 MEDIUM N/A
wp-admin/user-edit.php in WordPress before 2.0.5 allows remote authenticated users to read the metadata of an arbitrary user via a modified user_id parameter.
CVE-2006-6017 1 Wordpress 1 Wordpress 2008-09-05 4.0 MEDIUM N/A
WordPress before 2.0.5 does not properly store a profile containing a string representation of a serialized object, which allows remote authenticated users to cause a denial of service (application crash) via a string that represents a (1) malformed or (2) large serialized object, because the object triggers automatic unserialization for display.
CVE-2006-1796 1 Wordpress 1 Wordpress 2008-09-05 6.8 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the paging links functionality in template-functions-links.php in Wordpress 1.5.2, and possibly other versions before 2.0.1, allows remote attackers to inject arbitrary web script or HTML to Internet Explorer users via the request URI ($_SERVER['REQUEST_URI']).
CVE-2006-1263 1 Wordpress 1 Wordpress 2008-09-05 4.3 MEDIUM N/A
Multiple "unannounced" cross-site scripting (XSS) vulnerabilities in WordPress before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors.