Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Wordpress Subscribe
Total 621 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2011-3857 2 Antisocialmediallc, Wordpress 2 Antisnews, Wordpress 2012-05-17 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Antisnews theme before 1.10 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2011-3864 2 Somadesign, Wordpress 2 The Erudite, Wordpress 2012-05-17 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the The Erudite theme before 2.7.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cpage parameter.
CVE-2011-3863 2 Post-scriptum, Wordpress 2 Redline, Wordpress 2012-05-17 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the RedLine theme before 1.66 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2011-3861 2 Webminimalist, Wordpress 2 Web Minimalist 200901, Wordpress 2012-05-17 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Web Minimalist 200901 theme before 1.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php.
CVE-2011-3859 2 Themehybrid, Wordpress 2 Trending, Wordpress 2012-05-17 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Trending theme before 0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cpage parameter.
CVE-2011-3865 2 Ulyssesonline, Wordpress 2 Black-letterhead, Wordpress 2012-05-17 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Black-LetterHead theme before 1.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php.
CVE-2011-4803 2 Bravenewcode, Wordpress 2 Wptouch, Wordpress 2012-03-04 7.5 HIGH N/A
SQL injection vulnerability in wptouch/ajax.php in the WPTouch plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2012-1205 2 Alanft, Wordpress 2 Relocate-upload, Wordpress 2012-02-24 7.5 HIGH N/A
PHP remote file inclusion vulnerability in relocate-upload.php in Relocate Upload plugin before 0.20 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the abspath parameter.
CVE-2012-0782 1 Wordpress 1 Wordpress 2012-01-31 4.3 MEDIUM N/A
** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dbhost, (2) dbname, or (3) uname parameter. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether this specific XSS scenario has security relevance.
CVE-2011-4899 1 Wordpress 1 Wordpress 2012-01-31 7.5 HIGH N/A
** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via the dbhost and dbname parameters, and subsequently conduct static code injection and cross-site scripting (XSS) attacks via (1) an HTTP request or (2) a MySQL query. NOTE: the vendor disputes the significance of this issue; however, remote code execution makes the issue important in many realistic environments.
CVE-2012-0937 1 Wordpress 1 Wordpress 2012-01-30 5.0 MEDIUM N/A
** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which allows remote attackers to use WordPress as a proxy for brute-force attacks or denial of service attacks via the dbhost parameter, a different vulnerability than CVE-2011-4898. NOTE: the vendor disputes the significance of this issue because an incomplete WordPress installation might be present on the network for only a short time.
CVE-2011-4898 1 Wordpress 1 Wordpress 2012-01-30 5.0 MEDIUM N/A
** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during installation would be reasonable from a usability perspective.
CVE-2011-4671 2 Adrotateplugin, Wordpress 2 Adrotate, Wordpress 2011-12-12 7.5 HIGH N/A
SQL injection vulnerability in adrotate/adrotate-out.php in the AdRotate plugin 3.6.6, and other versions before 3.6.8, for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter (aka redirect URL).
CVE-2011-4646 2 Lesterchan, Wordpress 2 Wp-postratings, Wordpress 2011-11-30 6.0 MEDIUM N/A
SQL injection vulnerability in wp-postratings.php in the WP-PostRatings plugin 1.50, 1.61, and probably other versions before 1.62 for WordPress allows remote authenticated users with the Author role to execute arbitrary SQL commands via the id attribute of the ratings shortcode when creating a post. NOTE: some of these details are obtained from third party information.
CVE-2011-4568 2 Foliovision, Wordpress 2 Fv Wordpress Flowplayer Plugin, Wordpress 2011-11-29 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in view/frontend-head.php in the Flowplayer plugin before 1.2.12 for WordPress allows remote attackers to inject arbitrary web script or HTML via the URI.
CVE-2011-3860 2 Onedesigns, Wordpress 2 Cover Wp, Wordpress 2011-10-29 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Cover WP theme before 1.6.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2011-3862 2 Adazing, Wordpress 2 Morning Coffee, Wordpress 2011-10-21 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Morning Coffee theme before 3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php.
CVE-2011-3850 2 Bytesforall, Wordpress 2 Atahualpa, Wordpress 2011-10-20 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Atahualpa theme before 3.6.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2011-3854 2 Quirm, Wordpress 2 Zenlite, Wordpress 2011-10-20 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the ZenLite theme before 4.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2010-4839 2 Edgetechweb, Wordpress 2 Event Registration, Wordpress 2011-09-13 7.5 HIGH N/A
SQL injection vulnerability in the Event Registration plugin 5.32 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the event_id parameter in a register action.