Filtered by vendor Wordpress
Subscriptions
Total
9758 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2007-3140 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| SQL injection vulnerability in xmlrpc.php in WordPress 2.2 allows remote authenticated users to execute arbitrary SQL commands via a parameter value in an XML RPC wp.suggestCategories methodCall, a different vector than CVE-2007-1897. | ||||
| CVE-2007-1277 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| WordPress 2.1.1, as downloaded from some official distribution sites during February and March 2007, contains an externally introduced backdoor that allows remote attackers to execute arbitrary commands via (1) an eval injection vulnerability in the ix parameter to wp-includes/feed.php, and (2) an untrusted passthru call in the iz parameter to wp-includes/theme.php. | ||||
| CVE-2008-1304 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) inviteemail parameter in an invite action to wp-admin/users.php and the (2) to parameter in a sent action to wp-admin/invites.php. | ||||
| CVE-2008-7216 | 1 Wordpress | 1 Peter\'s Math Anti-spam For Wordpress | 2025-04-09 | N/A |
| Peter's Math Anti-Spam Spinoff plugin for WordPress generates audio CAPTCHA clips by concatenating static audio files without any additional distortion, which allows remote attackers to bypass CAPTCHA protection by reading certain bytes from the generated clip. | ||||
| CVE-2009-4169 | 2 Roytanck, Wordpress | 2 Wp-cumulus, Wordpress | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in wp-cumulus.php in the WP-Cumulus Plug-in before 1.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2008-0845 | 1 Wordpress | 1 Dean Logan Wp-people Plugin | 2025-04-09 | N/A |
| SQL injection vulnerability in wp-people-popup.php in Dean Logan WP-People plugin 1.6.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the person parameter. | ||||
| CVE-2008-4769 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Directory traversal vulnerability in the get_category_template function in wp-includes/theme.php in WordPress 2.3.3 and earlier, and 2.5, allows remote attackers to include and possibly execute arbitrary PHP files via the cat parameter in index.php. NOTE: some of these details are obtained from third party information. | ||||
| CVE-2008-4734 | 2 Pressography, Wordpress | 2 Wp Comment Remix Plugin, Wordpress | 2025-04-09 | N/A |
| Cross-site request forgery (CSRF) vulnerability in the wpcr_do_options_page function in WP Comment Remix plugin before 1.4.4 for WordPress allows remote attackers to perform unauthorized actions as administrators via a request that sets the wpcr_hidden_form_input parameter. | ||||
| CVE-2008-4732 | 2 Pressography, Wordpress | 2 Wp Comment Remix Plugin, Wordpress | 2025-04-09 | N/A |
| SQL injection vulnerability in ajax_comments.php in the WP Comment Remix plugin before 1.4.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the p parameter. | ||||
| CVE-2007-4166 | 1 Wordpress | 2 Unamed Theme, Unamed Theme Se | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in index.php in the Unnamed theme 1.217, and Special Edition (SE) 1.02, before 20070804 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter, possibly a related issue to CVE-2007-2757, CVE-2007-4014, and CVE-2007-4165. NOTE: some of these details are obtained from third party information. | ||||
| CVE-2008-0683 | 1 Wordpress | 1 St Newsletter Plugin | 2025-04-09 | N/A |
| SQL injection vulnerability in shiftthis-preview.php in the ShiftThis Newsletter (st_newsletter) plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the newsletter parameter. | ||||
| CVE-2023-22622 | 1 Wordpress | 1 Wordpress | 2025-04-07 | 5.3 Medium |
| WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits. | ||||
| CVE-2006-4743 | 1 Wordpress | 1 Wordpress | 2025-04-03 | N/A |
| WordPress 2.0.2 through 2.0.5 allows remote attackers to obtain sensitive information via a direct request for (1) 404.php, (2) akismet.php, (3) archive.php, (4) archives.php, (5) attachment.php, (6) blogger.php, (7) comments.php, (8) comments-popup.php, (9) dotclear.php, (10) footer.php, (11) functions.php, (12) header.php, (13) hello.php, (14) wp-content/themes/default/index.php, (15) links.php, (16) livejournal.php, (17) mt.php, (18) page.php, (19) rss.php, (20) searchform.php, (21) search.php, (22) sidebar.php, (23) single.php, (24) textpattern.php, (25) upgrade-functions.php, (26) upgrade-schema.php, or (27) wp-db-backup.php, which reveal the path in various error messages. NOTE: another researcher has disputed the details of this report, stating that version 2.0.5 does not exist. NOTE: the admin-footer.php, admin-functions.php, default-filters.php, edit-form-advanced.php, edit-link-form.php, edit-page-form.php, kses.php, locale.php, rss-functions.php, template-loader.php, and wp-db.php vectors are already covered by CVE-2006-0986. The edit-form-comment.php, vars.php, and wp-settings.php vectors are already covered by CVE-2005-4463. The menu-header.php vector is already covered by CVE-2005-2110. | ||||
| CVE-2005-1810 | 1 Wordpress | 1 Wordpress | 2025-04-03 | N/A |
| SQL injection vulnerability in template-functions-category.php in WordPress 1.5.1 allows remote attackers to execute arbitrary SQL commands via the $cat_ID variable, as demonstrated using the cat parameter to index.php. | ||||
| CVE-2005-2109 | 1 Wordpress | 1 Wordpress | 2025-04-03 | N/A |
| wp-login.php in WordPress 1.5.1.2 and earlier allows remote attackers to change the content of the forgotten password e-mail message via the message variable, which is not initialized before use. | ||||
| CVE-2005-2107 | 1 Wordpress | 1 Wordpress | 2025-04-03 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in post.php in WordPress 1.5.1.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) p or (2) comment parameter. | ||||
| CVE-2005-2108 | 1 Wordpress | 1 Wordpress | 2025-04-03 | N/A |
| SQL injection vulnerability in XMLRPC server in WordPress 1.5.1.2 and earlier allows remote attackers to execute arbitrary SQL commands via input that is not filtered in the HTTP_RAW_POST_DATA variable, which stores the data in an XML file. | ||||
| CVE-2004-1559 | 1 Wordpress | 1 Wordpress | 2025-04-03 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Wordpress 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) redirect_to, text, popupurl, or popuptitle parameters to wp-login.php, (2) redirect_url parameter to admin-header.php, (3) popuptitle, popupurl, content, or post_title parameters to bookmarklet.php, (4) cat_ID parameter to categories.php, (5) s parameter to edit.php, or (6) s or mode parameter to edit-comments.php. | ||||
| CVE-2006-3390 | 1 Wordpress | 1 Wordpress | 2025-04-03 | N/A |
| WordPress 2.0.3 allows remote attackers to obtain the installation path via a direct request to various files, such as those in the (1) wp-admin, (2) wp-content, and (3) wp-includes directories, possibly due to uninitialized variables. | ||||
| CVE-2006-2667 | 1 Wordpress | 1 Wordpress | 2025-04-03 | N/A |
| Direct static code injection vulnerability in WordPress 2.0.2 and earlier allows remote attackers to execute arbitrary commands by inserting a carriage return and PHP code when updating a profile, which is appended after a special comment sequence into files in (1) wp-content/cache/userlogins/ (2) wp-content/cache/users/ which are later included by cache.php, as demonstrated using the displayname argument. | ||||