About “WordPress”

A curated feed of “WordPress”-related CVEs appears below. We currently track 18150 CVEs for this tag (all time). In the last 365 days, 4094 were published. Average CVSS is 6.3 (all time; 6.3 over 365d), and 27% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-862 - Missing Authorization, CWE-352 - Cross-Site Request Forgery (CSRF).

In our taxonomy this topic maps to a MODERATE impact class. The list below shows where the exposure actually sits: a large share of the entries are in third-party plugins and themes rather than in core, and the same weakness classes recur throughout: reflected or stored user input (XSS), admin actions that check neither a capability nor a nonce (missing authorization and CSRF), string-built SQL queries (SQL injection), and unrestricted file upload or remote file inclusion. Keep core, themes, and plugins patched; remove extensions that are abandoned or unused rather than merely deactivating them, since a plugin's PHP files stay reachable by direct request whether or not the plugin is active; restrict access to wp-admin and wp-login.php (by IP allow-list, MFA, or both); put a WAF in front of the site; and keep tested, offline backups. Each detail page links the vendor advisory and mitigation notes.
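The three top CWEs above (XSS, missing authorization, CSRF) and the SQL injection entries that dominate the 2007-2008 part of the list come from the same handful of plugin coding mistakes. The following is an added example written for this page, not code from WordPress core or from any plugin listed here: a hypothetical plugin admin action that deletes comments older than a date, first written the way many of the listed plugins were, then hardened with a capability check, a nonce check, a prepared statement and output escaping. The plugin name, the `wpx_` function names and the `before` parameter are invented for illustration; every WordPress API call used is a real one.

```php
<?php
/*
 * Added example for this page; not code from WordPress core or any listed plugin.
 * Plugin Name: WPX Comment Purge (hypothetical)
 * Hypothetical admin action that deletes comments older than a given date.
 * Requires WordPress ($wpdb, current_user_can, check_admin_referer, ...).
 */

// Block direct requests to this file. Many of the listed plugin bugs were in
// standalone scripts that could be requested without WordPress loading at all.
defined( 'ABSPATH' ) || exit;

// ---- Weak pattern (CWE-862 + CWE-352 + SQL injection + CWE-79), shown for contrast ----
// admin_post_{action} is reachable by any logged-in user via admin-post.php,
// and via CSRF by anyone who can get a logged-in admin to follow a link.
add_action( 'admin_post_wpx_purge_weak', 'wpx_purge_weak' );
function wpx_purge_weak() {
    global $wpdb;
    $before = $_GET['before'];                  // unchecked, unescaped
    // No capability check: a Subscriber can purge comments (missing authorization).
    // No nonce check: a forged GET from another site triggers it (CSRF).
    // String-built SQL: before=2008-01-01' OR '1'='1 deletes every comment (SQLi).
    $wpdb->query( "DELETE FROM {$wpdb->comments} WHERE comment_date < '$before'" );
    // Reflected without escaping: before=<script>... runs in the admin's browser (XSS).
    echo 'Purged comments before ' . $before;
}

// ---- Hardened form ----
add_action( 'admin_post_wpx_purge', 'wpx_purge' );
function wpx_purge() {
    global $wpdb;

    // 1. Authorization: the caller must hold the capability the action needs.
    //    A nonce alone is not enough; any logged-in user can obtain a nonce.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_die( esc_html__( 'You are not allowed to purge comments.', 'wpx' ), 403 );
    }

    // 2. CSRF: the request must carry a nonce minted for this exact action.
    //    check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'wpx_purge_comments', 'wpx_nonce' );

    // 3. Input validation: accept only a strict YYYY-MM-DD date.
    $before = isset( $_POST['before'] ) ? sanitize_text_field( wp_unslash( $_POST['before'] ) ) : '';
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $before ) || ! strtotime( $before ) ) {
        wp_die( esc_html__( 'Invalid date.', 'wpx' ), 400 );
    }

    // 4. SQL: bind the value with $wpdb->prepare() instead of interpolating it.
    $deleted = $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$wpdb->comments} WHERE comment_date < %s",
            $before . ' 00:00:00'
        )
    );

    // 5. Never echo raw input back; redirect with an integer result only.
    wp_safe_redirect( add_query_arg( 'wpx_deleted', (int) $deleted, admin_url( 'edit-comments.php' ) ) );
    exit;
}

// The form that triggers the hardened action: POST, with the matching nonce field.
function wpx_render_purge_form() {
    if ( ! current_user_can( 'moderate_comments' ) ) {
        return;   // hide the control as well as protecting the action behind it
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpx_purge">
        <?php wp_nonce_field( 'wpx_purge_comments', 'wpx_nonce' ); ?>
        <label>Delete comments before <input type="text" name="before" placeholder="YYYY-MM-DD"></label>
        <?php submit_button( 'Purge', 'delete' ); ?>
    </form>
    <?php
    if ( isset( $_GET['wpx_deleted'] ) ) {
        // Output escaping: coerce to int, then escape, before printing into HTML.
        printf( '<p>%s</p>', esc_html( sprintf( '%d comments deleted.', absint( $_GET['wpx_deleted'] ) ) ) );
    }
}
```

The order of the checks matters: the capability check comes first because a nonce only proves the request originated from a page WordPress served to some logged-in user, not that the user is allowed to perform the action. The `ABSPATH` guard at the top addresses the other recurring pattern in this list, plugin scripts that were requested directly and so ran with no WordPress authentication at all; it also applies to plugins that are installed but deactivated, which is why the advice above is to remove abandoned extensions rather than leave them inactive.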

CVEs tagged with this topic, newest first:

2008-10-24
High

CVE-2008-4734

Cross-site request forgery (CSRF) vulnerability in the wpcr_do_options_page function in WP Comment Remix plugin before 1.4.4 for WordPress allows remote attackers to perform unauthorized actions as a…

Medium

CVE-2008-4733

Cross-site scripting (XSS) vulnerability in wpcommentremix.php in WP Comment Remix plugin before 1.4.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the (1) replyto…

High

CVE-2008-4732

SQL injection vulnerability in ajax_comments.php in the WP Comment Remix plugin before 1.4.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the p parameter.

2008-10-22
Medium

CVE-2008-4671

Cross-site scripting (XSS) vulnerability in wp-admin/wp-blogs.php in Wordpress MU (WPMU) before 2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) s and (2) ip_address par…

2008-10-21
High

CVE-2008-4625

SQL injection vulnerability in stnl_iframe.php in the ShiftThis Newsletter (st_newsletter) plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the newsletter parameter,…

2008-10-20
Medium

CVE-2008-4616

The SpamBam plugin for WordPress allows remote attackers to bypass restrictions and add blog comments by using server-supplied values to calculate a shared key.

2008-09-18
Medium

CVE-2008-4125

The search function in phpBB 2.x provides a search_id value that leaks the state of PHP's PRNG, which allows remote attackers to obtain potentially sensitive information, as demonstrated by a cross-a…

Medium

CVE-2008-4107

The (1) rand and (2) mt_rand functions in PHP 5.2.6 do not produce cryptographically strong random numbers, which allows attackers to leverage exposures in products that rely on these functions for s…

Medium

CVE-2008-4106

WordPress before 2.6.2 does not properly handle MySQL warnings about insertion of username strings that exceed the maximum column width of the user_login column, and does not properly handle space ch…

2008-08-27
High

CVE-2008-3747

The (1) get_edit_post_link and (2) get_edit_comment_link functions in wp-includes/link-template.php in WordPress before 2.6.1 do not force SSL communication in the intended situations, which might al…

2008-07-30
Critical

CVE-2008-3362

Unrestricted file upload vulnerability in upload.php in the Giulio Ganci Wp Downloads Manager module 0.2 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an ex…

2008-07-18
Medium

CVE-2008-3233

Cross-site scripting (XSS) vulnerability in WordPress before 2.6, SVN development versions only, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2008-05-29
High

CVE-2008-2510

SQL injection vulnerability in wp-uploadfile.php in the Upload File plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the f_id parameter.

2008-05-21
Critical

CVE-2008-2392

Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier might allow remote authenticated administrators to upload and execute arbitrary PHP files via the Upload section in the Write Tab…

2008-05-12
High

CVE-2008-2146

wp-includes/vars.php in Wordpress before 2.2.3 does not properly extract the current path from the PATH_INFO ($PHP_SELF), which allows remote attackers to bypass intended access restrictions for cert…

2008-05-02
Medium

CVE-2008-2068

Cross-site scripting (XSS) vulnerability in WordPress 2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2008-04-30
High

CVE-2008-2034

SQL injection vulnerability in wp-download_monitor/download.php in the Download Monitor 2.0.6 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter. NOT…

2008-04-28
High

CVE-2008-1930

The cookie authentication method in WordPress 2.5 relies on a hash of a concatenated string containing USERNAME and EXPIRY_TIME, which allows remote attackers to forge cookies by registering a userna…

2008-04-27
High

CVE-2008-1982

SQL injection vulnerability in ss_load.php in the Spreadsheet (wpSS) 0.6 and earlier plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the ss_id parameter.

2008-04-02
High

CVE-2008-1646

SQL injection vulnerability in wp-download.php in the WP-Download 1.2 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the dl_id parameter.

2008-03-12
Medium

CVE-2008-1304

Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) inviteemail parameter in an invite action to wp-admin/…

2008-02-28
High

CVE-2008-1059

PHP remote file inclusion vulnerability in modules/syntax_highlight.php in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the lib…

High

CVE-2008-1060

Eval injection vulnerability in modules/execute.php in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allows remote attackers to execute arbitrary PHP code via the text parameter.

Medium

CVE-2008-1061

Multiple cross-site scripting (XSS) vulnerabilities in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to (a…

2008-02-25
High

CVE-2008-0939

Multiple SQL injection vulnerabilities in wppa.php in the WP Photo Album (WPPA) before 1.1 plugin for WordPress allow remote attackers to execute arbitrary SQL commands via (1) the photo parameter to…

2008-02-20
Medium

CVE-2008-0837

Cross-site scripting (XSS) vulnerability in the log feature in the John Godley Search Unleashed 0.2.10 plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the s pa…

High

CVE-2008-0845

SQL injection vulnerability in wp-people-popup.php in Dean Logan WP-People plugin 1.6.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the person parameter.

2008-02-12
High

CVE-2008-0682

SQL injection vulnerability in wordspew-rss.php in the Wordspew plugin before 3.72 for Wordpress allows remote attackers to execute arbitrary SQL commands via the id parameter.

High

CVE-2008-0683

SQL injection vulnerability in shiftthis-preview.php in the ShiftThis Newsletter (st_newsletter) plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the newsletter para…

Medium

CVE-2008-0691

Multiple cross-site scripting (XSS) vulnerabilities in admin_panel.php in the Simon Elvery WP-Footnotes 2.2 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the…

2008-02-08
Medium

CVE-2008-0664

The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors.

2008-02-06
Medium

CVE-2008-0615

Directory traversal vulnerability in wp-admin/admin.php in the DMSGuestbook 1.8.0 and 1.7.0 plugin for WordPress allows remote authenticated users to read arbitrary files via a .. (dot dot) in the (1…

Medium

CVE-2008-0616

SQL injection vulnerability in the administration panel in the DMSGuestbook 1.7.0 plugin for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via unspecified vec…

Medium

CVE-2008-0617

Multiple cross-site scripting (XSS) vulnerabilities in the DMSGuestbook 1.7.0 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) file parameter to wp-admin…

Medium

CVE-2008-0618

Multiple cross-site scripting (XSS) vulnerabilities in the DMSGuestbook 1.8.0 and 1.7.0 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) gbname, (2) gbem…

2008-02-04
Medium

CVE-2008-0560

PHP remote file inclusion vulnerability in cforms-css.php in Oliver Seidel cforms (contactforms), a Wordpress plugin, allows remote attackers to execute arbitrary PHP code via a URL in the tm paramet…

2008-01-31
High

CVE-2008-0507

SQL injection vulnerability in adclick.php in the AdServe 0.2 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.

Medium

CVE-2008-0508

Cross-site request forgery (CSRF) vulnerability in deans_permalinks_migration.php in the Dean's Permalinks Migration 1.0 plugin for WordPress allows remote attackers to modify the oldstructure (aka d…

High

CVE-2008-0520

Multiple SQL injection vulnerabilities in main.php in the WassUp plugin 1.4 through 1.4.3 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) from_date or (2) to_date p…

2008-01-30
High

CVE-2008-0490

SQL injection vulnerability in functions/editevent.php in the WP-Cal 0.3 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.

High

CVE-2008-0491

SQL injection vulnerability in fim_rss.php in the fGallery 2.4.1 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the album parameter.

2008-01-23
Medium

CVE-2008-0388

SQL injection vulnerability in the WP-Forum 1.7.4 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the user parameter in a showprofile action to the default URI.

2008-01-10
High

CVE-2008-0222

Unrestricted file upload vulnerability in ajaxfilemanager.php in the Wp-FileManager 1.2 plugin for WordPress allows remote attackers to upload and execute arbitrary PHP code via unspecified vectors.

Medium

CVE-2007-6677

Cross-site scripting (XSS) vulnerability in Peter's Random Anti-Spam Image 0.2.4 and earlier plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the comment field…

Medium

CVE-2008-0191

WordPress 2.2.x and 2.3.x allows remote attackers to obtain sensitive information via an invalid p parameter in an rss2 action to the default URI, which reveals the full path and the SQL database str…

Medium

CVE-2008-0192

Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the popuptitle parameter to (1) wp-admin/post.php…

Medium

CVE-2008-0193

Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress 2.0.11 and earlier, and possibly 2.1.x through 2.3.x, allows remote attackers to inject arbitrary web script or HTML via the…

High

CVE-2008-0194

Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a .. (d…

Medium

CVE-2008-0195

WordPress 2.0.11 and earlier allows remote attackers to obtain sensitive information via an empty value of the page parameter to certain PHP scripts under wp-admin/, which reveals the path in various…

Medium

CVE-2008-0196

Multiple directory traversal vulnerabilities in WordPress 2.0.11 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the page parameter to certain PHP scripts under w…

Medium

CVE-2008-0197

Multiple cross-site scripting (XSS) vulnerabilities in wp-contact-form/options-contactform.php in the WP-ContactForm 1.5 alpha and earlier plugin for WordPress allow remote attackers to inject arbitr…

Medium

CVE-2008-0198

Multiple cross-site request forgery (CSRF) vulnerabilities in wp-contact-form/options-contactform.php in the WP-ContactForm 1.5 alpha and earlier plugin for WordPress allow remote attackers to perfor…

Medium

CVE-2008-0203

Multiple cross-site scripting (XSS) vulnerabilities in cryptographp/admin.php in the Cryptographp 1.2 and earlier plugin for WordPress allow remote attackers to inject arbitrary web script or HTML vi…

Medium

CVE-2008-0204

Multiple cross-site scripting (XSS) vulnerabilities in math-comment-spam-protection.php in the Math Comment Spam Protection 2.1 and earlier plugin for WordPress allow remote attackers to inject arbit…

Medium

CVE-2008-0205

Multiple cross-site request forgery (CSRF) vulnerabilities in math-comment-spam-protection.php in the Math Comment Spam Protection 2.1 and earlier plugin for WordPress allow remote attackers to perfo…

Medium

CVE-2008-0206

Multiple cross-site scripting (XSS) vulnerabilities in captcha\captcha.php in the Captcha! 2.5d and earlier plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the…

2007-12-15
Medium

CVE-2007-6369

Multiple directory traversal vulnerabilities in resize.php in the PictPress 0.91 and earlier plugin for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) size or…

2007-12-12
Medium

CVE-2007-6318

SQL injection vulnerability in wp-includes/query.php in WordPress 2.3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the s parameter, when DB_CHARSET is set to (1) Big5,…

2007-11-19
Critical

CVE-2007-6013

Wordpress 1.5 through 2.3.1 uses cookie values based on the MD5 hash of a password MD5 hash, which allows attackers to bypass authentication by obtaining the MD5 hash from the user database, then gen…

2007-11-03
Medium

CVE-2007-5800

Multiple PHP remote file inclusion vulnerabilities in the BackUpWordPress 0.4.2b and earlier plugin for WordPress allow remote attackers to execute arbitrary PHP code via a URL in the bkpwp_plugin_pa…

2007-10-30
Low

CVE-2007-5710

Cross-site scripting (XSS) vulnerability in wp-admin/edit-post-rows.php in WordPress 2.3 allows remote attackers to inject arbitrary web script or HTML via the posts_columns array parameter.

2007-10-05
Medium

CVE-2007-5229

Cross-site request forgery (CSRF) vulnerability in the FeedBurner FeedSmith 2.2 plugin for WordPress allows remote attackers to change settings and hijack blog feeds via a request to wp-admin/options…

2007-10-01
Medium

CVE-2007-5161

Cross-zone scripting vulnerability in the internal browser in i-Systems Feedreader 3.10 allows remote attackers to inject arbitrary web script or HTML via an item in a feed, as demonstrated by a Word…

2007-09-26
Medium

CVE-2007-5105

Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 and 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the user_email parameter.

Medium

CVE-2007-5106

Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 allows remote attackers to inject arbitrary web script or HTML via the user_login parameter.

2007-09-14
Medium

CVE-2007-4893

wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a does not properly verify the unfiltered_html privilege, which allows remote attackers to conduct cro…

High

CVE-2007-4894

Multiple SQL injection vulnerabilities in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a allow remote attackers to execute arbitrary SQL commands via the post_type parameter to th…

2007-08-27
Medium

CVE-2007-4544

Cross-site scripting (XSS) vulnerability in wp-newblog.php in WordPress multi-user (MU) 1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the weblog_id parameter (Use…

2007-08-22
Medium

CVE-2007-4480

Cross-site scripting (XSS) vulnerability in index.php in the Sirius 1.0 theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF).

Medium

CVE-2007-4481

Cross-site scripting (XSS) vulnerability in index.php in the (1) Blix 0.9.1 and (2) Blix 0.9.1 Rus themes for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INF…

Medium

CVE-2007-4482

Cross-site scripting (XSS) vulnerability in index.php in the Pool 1.0.7 theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF).

Medium

CVE-2007-4483

Cross-site scripting (XSS) vulnerability in index.php in the WordPress Classic 1.5 theme in WordPress before 2.1.3 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PH…

2007-08-07
Medium

CVE-2007-4165

Cross-site scripting (XSS) vulnerability in index.php in the Blue Memories theme 1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter, possibly a relat…

Medium

CVE-2007-4166

Cross-site scripting (XSS) vulnerability in index.php in the Unnamed theme 1.217, and Special Edition (SE) 1.02, before 20070804 for WordPress allows remote attackers to inject arbitrary web script o…

2007-08-03
Low

CVE-2007-4153

Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.2.1 allow remote authenticated administrators to inject arbitrary web script or HTML via (1) the Options Database Table in the Admin…

Medium

CVE-2007-4154

SQL injection vulnerability in options.php in WordPress 2.2.1 allows remote authenticated administrators to execute arbitrary SQL commands via the page_options parameter to (1) options-general.php, (…

Medium

CVE-2007-4139

Cross-site scripting (XSS) vulnerability in the Temporary Uploads editing functionality (wp-admin/includes/upload.php) in WordPress 2.2.1, allows remote attackers to inject arbitrary web script or HT…

2007-07-31
Medium

CVE-2007-4104

Multiple cross-site scripting (XSS) vulnerabilities in the WP-FeedStats before 2.4 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, one of w…

2007-07-26
Medium

CVE-2007-4014

Cross-site scripting (XSS) vulnerability in a certain index.php installation script related to the (1) Blix 0.9.1, (2) Blixed 1.0, and (3) BlixKrieg (Blix Krieg) 2.2 themes for WordPress allows remot…

2007-07-10
Medium

CVE-2007-3639

WordPress before 2.2.2 allows remote attackers to redirect visitors to other websites and potentially obtain sensitive information via (1) the _wp_http_referer parameter to wp-pass.php, related to th…

2007-07-03
Medium

CVE-2007-3543

Unrestricted file upload vulnerability in WordPress before 2.2.1 and WordPress MU before 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code by making a post that specifi…

Medium

CVE-2007-3544

Unrestricted file upload vulnerability in (1) wp-app.php and (2) app.php in WordPress 2.2.1 and WordPress MU 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code via unspe…

2007-06-20
Medium

CVE-2007-3288

Cross-site scripting (XSS) vulnerability in the skeltoac stats (Automattic Stats) 1.0 plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer field.

2007-06-15
Medium

CVE-2007-3238

Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress 2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (RE…

Medium

CVE-2007-3239

Cross-site scripting (XSS) vulnerability in searchform.php in the AndyBlue theme before 20070607 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion…

Medium

CVE-2007-3240

Cross-site scripting (XSS) vulnerability in 404.php in the Vistered-Little theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the URI (REQUEST_URI) that accesses i…

Medium

CVE-2007-3241

Cross-site scripting (XSS) vulnerability in blogroll.php in the cordobo-green-park theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI.

2007-06-08
Medium

CVE-2007-3140

SQL injection vulnerability in xmlrpc.php in WordPress 2.2 allows remote authenticated users to execute arbitrary SQL commands via a parameter value in an XML RPC wp.suggestCategories methodCall, a d…

2007-05-22
High

CVE-2007-2821

SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter.

Medium

CVE-2007-2828

Cross-site request forgery (CSRF) vulnerability in adsense-deluxe.php in the AdSense-Deluxe 0.x plugin for WordPress allows remote attackers to perform unspecified actions as arbitrary users via unsp…

2007-05-16
Critical

CVE-2007-2714

Unspecified vulnerability in akismet.php in Matt Mullenweg Akismet before 2.0.2, a WordPress plugin, has unknown impact and attack vectors.

2007-05-11
Medium

CVE-2007-2627

Cross-site scripting (XSS) vulnerability in sidebar.php in WordPress, when custom 404 pages that call get_sidebar are used, allows remote attackers to inject arbitrary web script or HTML via the quer…

2007-05-03
Medium

CVE-2007-2481

PHP remote file inclusion vulnerability in wordtube-button.php in the wordTube 1.43 and earlier plugin for WordPress, when register_globals is enabled, allows remote attackers to execute arbitrary PH…

Medium

CVE-2007-2482

Directory traversal vulnerability in wordtube-button.php in the wordTube 1.43 and earlier plugin for WordPress, when register_globals is enabled, allows remote attackers to include and execute arbitr…

Medium

CVE-2007-2483

Directory traversal vulnerability in js/wptable-button.php in the wp-Table 1.43 and earlier plugin for WordPress, when register_globals is enabled, allows remote attackers to include and execute arbi…

Medium

CVE-2007-2484

PHP remote file inclusion vulnerability in js/wptable-button.php in the wp-Table 1.43 and earlier plugin for WordPress, when register_globals is enabled, allows remote attackers to execute arbitrary…

High

CVE-2007-2485

PHP remote file inclusion vulnerability in myflash-button.php in the myflash 1.00 and earlier plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the wpPATH parame…

2007-05-02
High

CVE-2007-2426

PHP remote file inclusion vulnerability in myfunctions/mygallerybrowser.php in the myGallery 1.4b4 and earlier plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in…

2007-04-09
Medium

CVE-2007-1893

xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users with the contributor role to bypass intended access restrictions and invoke the publish_posts functiona…

Medium

CVE-2007-1894

Cross-site scripting (XSS) vulnerability in wp-includes/general-template.php in WordPress before 20070309 allows remote attackers to inject arbitrary web script or HTML via the year parameter in the…

Medium

CVE-2007-1897

SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute arbitrary SQL commands via a string parameter value in an XML…

2007-03-28
Low

CVE-2007-1732

Cross-site scripting (XSS) vulnerability in an mt import in wp-admin/admin.php in WordPress 2.1.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the demo parame…

2007-03-23
Medium

CVE-2007-1622

Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series, allows remote authenticated users with theme privileges to inject…

2007-03-22
Medium

CVE-2007-1599

wp-login.php in WordPress allows remote attackers to redirect authenticated users to other websites and potentially obtain sensitive information via the redirect_to parameter.

2007-03-10
Medium

CVE-2007-1409

WordPress allows remote attackers to obtain sensitive information via a direct request for wp-admin/admin-functions.php, which reveals the path in an error message.

2007-03-05
High

CVE-2007-1277

WordPress 2.1.1, as downloaded from some official distribution sites during February and March 2007, contains an externally introduced backdoor that allows remote attackers to execute arbitrary comma…

2007-03-03
Medium

CVE-2007-1244

Cross-site request forgery (CSRF) vulnerability in the AdminPanel in WordPress 2.1.1 and earlier allows remote attackers to perform privileged actions as administrators, as demonstrated using the del…

2007-03-02
Medium

CVE-2007-1230

Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/functions.php in WordPress before 2.1.2-alpha allow remote attackers to inject arbitrary web script or HTML via (1) the Referer HTTP…

2007-02-21
Medium

CVE-2007-1049

Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before 2.0.9 and 2.1 before 2.1.1 allows remote…

2007-01-29
High

CVE-2007-0539

The wp_remote_fopen function in WordPress before 2.1 allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that correspon…

Medium

CVE-2007-0540

WordPress allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a file with a binary content type, wh…

Medium

CVE-2007-0541

WordPress allows remote attackers to determine the existence of arbitrary files, and possibly read portions of certain files, via pingback service calls with a source URI that corresponds to a local…

2007-01-16
High

CVE-2007-0262

WordPress 2.0.6, and 2.1Alpha 3 (SVN:4662), does not properly verify that the m parameter value has the string data type, which allows remote attackers to obtain sensitive information via an invalid…

2007-01-13
High

CVE-2007-0233

wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which…

2007-01-09
Medium

CVE-2007-0106

Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via a CSRF attack with an invalid token…

Medium

CVE-2007-0107

WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and e…

Medium

CVE-2007-0109

wp-login.php in WordPress 2.0.5 and earlier displays different error messages if a user exists or not, which allows remote attackers to obtain sensitive information and facilitates brute force attack…

2006-12-31
Critical

CVE-2006-6863

PHP remote file inclusion vulnerability in the Enigma2 plugin (Enigma2.php) in Enigma WordPress Bridge allows remote attackers to execute arbitrary PHP code via a URL in the boarddir parameter. NOTE…

2006-12-28
Medium

CVE-2006-6808

Cross-site scripting (XSS) vulnerability in wp-admin/templates.php in WordPress 2.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. NOTE: some sources have r…

2006-11-21
Medium

CVE-2006-6016

wp-admin/user-edit.php in WordPress before 2.0.5 allows remote authenticated users to read the metadata of an arbitrary user via a modified user_id parameter.