Filtered by vendor Wordpress
Subscriptions
Total
5608 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2007-3639 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| WordPress before 2.2.2 allows remote attackers to redirect visitors to other websites and potentially obtain sensitive information via (1) the _wp_http_referer parameter to wp-pass.php, related to the wp_get_referer function in wp-includes/functions.php; and possibly other vectors related to (2) wp-includes/pluggable.php and (3) the wp_nonce_ays function in wp-includes/functions.php. | ||||
| CVE-2007-4139 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in the Temporary Uploads editing functionality (wp-admin/includes/upload.php) in WordPress 2.2.1, allows remote attackers to inject arbitrary web script or HTML via the style parameter to wp-admin/upload.php. | ||||
| CVE-2009-3890 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Unrestricted file upload vulnerability in the wp_check_filetype function in wp-includes/functions.php in WordPress before 2.8.6, when a certain configuration of the mod_mime module in the Apache HTTP Server is enabled, allows remote authenticated users to execute arbitrary code by posting an attachment with a multiple-extension filename, and then accessing this attachment via a direct request to a wp-content/uploads/ pathname, as demonstrated by a .php.jpg filename. | ||||
| CVE-2009-2431 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| WordPress 2.7.1 places the username of a post's author in an HTML comment, which allows remote attackers to obtain sensitive information by reading the HTML source. | ||||
| CVE-2009-2396 | 2 Dutchmonkey, Wordpress | 2 Dm Album, Wordpress | 2025-04-09 | N/A |
| PHP remote file inclusion vulnerability in template/album.php in DM Albums 1.9.2, as used standalone or as a WordPress plugin, allows remote attackers to execute arbitrary PHP code via a URL in the SECURITY_FILE parameter. | ||||
| CVE-2007-5105 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 and 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the user_email parameter. | ||||
| CVE-2009-2383 | 2 Blogtrafficexchange, Wordpress | 2 Related-sites, Wordpress | 2025-04-09 | N/A |
| SQL injection vulnerability in BTE_RW_webajax.php in the Related Sites plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the guid parameter. | ||||
| CVE-2007-4153 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.2.1 allow remote authenticated administrators to inject arbitrary web script or HTML via (1) the Options Database Table in the Admin Panel, accessed through options.php; or (2) the opml_url parameter to link-import.php. NOTE: this might not cross privilege boundaries in some configurations, since the Administrator role has the unfiltered_html capability. | ||||
| CVE-2008-2146 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| wp-includes/vars.php in Wordpress before 2.2.3 does not properly extract the current path from the PATH_INFO ($PHP_SELF), which allows remote attackers to bypass intended access restrictions for certain pages. | ||||
| CVE-2007-5710 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in wp-admin/edit-post-rows.php in WordPress 2.3 allows remote attackers to inject arbitrary web script or HTML via the posts_columns array parameter. | ||||
| CVE-2007-6318 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| SQL injection vulnerability in wp-includes/query.php in WordPress 2.3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the s parameter, when DB_CHARSET is set to (1) Big5, (2) GBK, or possibly other character set encodings that support a "\" in a multibyte character. | ||||
| CVE-2008-0191 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| WordPress 2.2.x and 2.3.x allows remote attackers to obtain sensitive information via an invalid p parameter in an rss2 action to the default URI, which reveals the full path and the SQL database structure. | ||||
| CVE-2008-0664 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors. | ||||
| CVE-2008-1304 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) inviteemail parameter in an invite action to wp-admin/users.php and the (2) to parameter in a sent action to wp-admin/invites.php. | ||||
| CVE-2008-2392 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier might allow remote authenticated administrators to upload and execute arbitrary PHP files via the Upload section in the Write Tabs area of the dashboard. | ||||
| CVE-2008-3362 | 2 Giulio Ganci, Wordpress | 2 Wp Downloads Manager, Wp Downloads Manager | 2025-04-09 | N/A |
| Unrestricted file upload vulnerability in upload.php in the Giulio Ganci Wp Downloads Manager module 0.2 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension via the upfile parameter, then accessing it via a direct request to the file in wp-content/plugins/downloads-manager/upload/. | ||||
| CVE-2009-2336 | 1 Wordpress | 2 Wordpress, Wordpress Mu | 2025-04-09 | N/A |
| The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience." | ||||
| CVE-2008-5278 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in the self_link function in in the RSS Feed Generator (wp-includes/feed.php) for WordPress before 2.6.5 allows remote attackers to inject arbitrary web script or HTML via the Host header (HTTP_HOST variable). | ||||
| CVE-2009-2334 | 1 Wordpress | 2 Wordpress, Wordpress Mu | 2025-04-09 | N/A |
| wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify this file, as demonstrated by the (1) collapsing-archives/options.txt, (2) akismet/readme.txt, (3) related-ways-to-take-action/options.php, (4) wp-security-scan/securityscan.php, and (5) wp-ids/ids-admin.php files. NOTE: this can be leveraged for cross-site scripting (XSS) and denial of service. | ||||
| CVE-2008-5752 | 1 Wordpress | 2 Page Flip Image Gallery Plugin, Wordpress | 2025-04-09 | N/A |
| Directory traversal vulnerability in getConfig.php in the Page Flip Image Gallery plugin 0.2.2 and earlier for WordPress, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the book_id parameter. NOTE: some of these details are obtained from third party information. | ||||