Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
7838 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2007-3238 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress 2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php, a different vulnerability than CVE-2007-1622. NOTE: this might not cross privilege boundaries in some configurations, since the Administrator role has the unfiltered_html capability. | ||||
| CVE-2007-3241 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in blogroll.php in the cordobo-green-park theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI. | ||||
| CVE-2007-1277 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| WordPress 2.1.1, as downloaded from some official distribution sites during February and March 2007, contains an externally introduced backdoor that allows remote attackers to execute arbitrary commands via (1) an eval injection vulnerability in the ix parameter to wp-includes/feed.php, and (2) an untrusted passthru call in the iz parameter to wp-includes/theme.php. | ||||
| CVE-2009-2431 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| WordPress 2.7.1 places the username of a post's author in an HTML comment, which allows remote attackers to obtain sensitive information by reading the HTML source. | ||||
| CVE-2007-3239 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in searchform.php in the AndyBlue theme before 20070607 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI to index.php. NOTE: this can be leveraged for PHP code execution in an administrative session. | ||||
| CVE-2007-0106 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via a CSRF attack with an invalid token and quote characters or HTML tags in URL variable names, which are not properly handled when WordPress generates a new link to verify the request. | ||||
| CVE-2009-2854 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additions via a direct request to (1) edit-comments.php, (2) edit-pages.php, (3) edit.php, (4) edit-category-form.php, (5) edit-link-category-form.php, (6) edit-tag-form.php, (7) export.php, (8) import.php, or (9) link-add.php in wp-admin/. | ||||
| CVE-2008-0192 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the popuptitle parameter to (1) wp-admin/post.php or (2) wp-admin/page-new.php. | ||||
| CVE-2007-3140 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| SQL injection vulnerability in xmlrpc.php in WordPress 2.2 allows remote authenticated users to execute arbitrary SQL commands via a parameter value in an XML RPC wp.suggestCategories methodCall, a different vector than CVE-2007-1897. | ||||
| CVE-2008-6767 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to upgrade the application, and possibly cause a denial of service (application outage), via a direct request. | ||||
| CVE-2009-3622 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Algorithmic complexity vulnerability in wp-trackback.php in WordPress before 2.8.5 allows remote attackers to cause a denial of service (CPU consumption and server hang) via a long title parameter in conjunction with a charset parameter composed of many comma-separated "UTF-8" substrings, related to the mb_convert_encoding function in PHP. | ||||
| CVE-2007-3240 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in 404.php in the Vistered-Little theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the URI (REQUEST_URI) that accesses index.php. NOTE: this can be leveraged for PHP code execution in an administrative session. | ||||
| CVE-2009-2143 | 2 Firestats, Wordpress | 2 Firestats, Wordpress | 2025-04-09 | N/A |
| PHP remote file inclusion vulnerability in firestats-wordpress.php in the FireStats plugin before 1.6.2-stable for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the fs_javascript parameter. | ||||
| CVE-2007-1622 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series, allows remote authenticated users with theme privileges to inject arbitrary web script or HTML via the PATH_INFO in the administration interface, related to loose regular expression processing of PHP_SELF. | ||||
| CVE-2009-2383 | 2 Blogtrafficexchange, Wordpress | 2 Related-sites, Wordpress | 2025-04-09 | N/A |
| SQL injection vulnerability in BTE_RW_webajax.php in the Related Sites plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the guid parameter. | ||||
| CVE-2007-3544 | 1 Wordpress | 2 Wordpress, Wordpress Mu | 2025-04-09 | N/A |
| Unrestricted file upload vulnerability in (1) wp-app.php and (2) app.php in WordPress 2.2.1 and WordPress MU 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code via unspecified vectors, possibly related to the wp_postmeta table and the use of custom fields in normal (non-attachment) posts. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2007-3543. | ||||
| CVE-2009-2432 | 1 Wordpress | 2 Wordpress, Wordpress Mu | 2025-04-09 | N/A |
| WordPress and WordPress MU before 2.8.1 allow remote attackers to obtain sensitive information via a direct request to wp-settings.php, which reveals the installation path in an error message. | ||||
| CVE-2008-3747 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| The (1) get_edit_post_link and (2) get_edit_comment_link functions in wp-includes/link-template.php in WordPress before 2.6.1 do not force SSL communication in the intended situations, which might allow remote attackers to gain administrative access by sniffing the network for a cookie. | ||||
| CVE-2009-2122 | 2 Paolo Palmonari, Wordpress | 2 Photoracer Plugin For Wordpress, Wordpress | 2025-04-09 | N/A |
| SQL injection vulnerability in viewimg.php in the Paolo Palmonari Photoracer plugin 1.0 for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||||
| CVE-2009-2762 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array. | ||||