Total
577 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-0165 | 1 Wordpress | 1 Wordpress | 2017-12-16 | 4.0 MEDIUM | N/A |
| WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php. | |||||
| CVE-2009-2851 | 1 Wordpress | 1 Wordpress | 2017-12-07 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the administrator interface in WordPress before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via a comment author URL. | |||||
| CVE-2009-2762 | 1 Wordpress | 1 Wordpress | 2017-11-22 | 7.5 HIGH | N/A |
| wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array. | |||||
| CVE-2009-2854 | 1 Wordpress | 1 Wordpress | 2017-11-22 | 6.4 MEDIUM | N/A |
| Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additions via a direct request to (1) edit-comments.php, (2) edit-pages.php, (3) edit.php, (4) edit-category-form.php, (5) edit-link-category-form.php, (6) edit-tag-form.php, (7) export.php, (8) import.php, or (9) link-add.php in wp-admin/. | |||||
| CVE-2009-3891 | 1 Wordpress | 1 Wordpress | 2017-11-22 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in wp-admin/press-this.php in WordPress before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML via the s parameter (aka the selection variable). | |||||
| CVE-2011-0701 | 1 Wordpress | 1 Wordpress | 2017-11-22 | 4.0 MEDIUM | N/A |
| wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2) private posts via a modified attachment_id parameter. | |||||
| CVE-2009-3622 | 1 Wordpress | 1 Wordpress | 2017-11-21 | 4.3 MEDIUM | N/A |
| Algorithmic complexity vulnerability in wp-trackback.php in WordPress before 2.8.5 allows remote attackers to cause a denial of service (CPU consumption and server hang) via a long title parameter in conjunction with a charset parameter composed of many comma-separated "UTF-8" substrings, related to the mb_convert_encoding function in PHP. | |||||
| CVE-2009-3890 | 1 Wordpress | 1 Wordpress | 2017-11-21 | 6.0 MEDIUM | N/A |
| Unrestricted file upload vulnerability in the wp_check_filetype function in wp-includes/functions.php in WordPress before 2.8.6, when a certain configuration of the mod_mime module in the Apache HTTP Server is enabled, allows remote authenticated users to execute arbitrary code by posting an attachment with a multiple-extension filename, and then accessing this attachment via a direct request to a wp-content/uploads/ pathname, as demonstrated by a .php.jpg filename. | |||||
| CVE-2010-4257 | 1 Wordpress | 1 Wordpress | 2017-11-21 | 6.0 MEDIUM | N/A |
| SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field. | |||||
| CVE-2010-4536 | 1 Wordpress | 1 Wordpress | 2017-11-21 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used in WordPress before 3.0.4, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the & (ampersand) character, (2) the case of an attribute name, (3) a padded entity, and (4) an entity that is not in normalized form. | |||||
| CVE-2011-0700 | 1 Wordpress | 1 Wordpress | 2017-11-21 | 3.5 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or post_title), (2) post_status, (3) comment_status, (4) ping_status, and (5) escaping of tags within the tags meta box. | |||||
| CVE-2009-2853 | 1 Wordpress | 1 Wordpress | 2017-11-16 | 10.0 HIGH | N/A |
| Wordpress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6) edit-link-form.php, (7) edit-page-form.php, and (8) edit-tag-form.php in wp-admin/. | |||||
| CVE-2012-6707 | 1 Wordpress | 1 Wordpress | 2017-11-13 | 5.0 MEDIUM | 7.5 HIGH |
| WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions. | |||||
| CVE-2017-14726 | 1 Wordpress | 1 Wordpress | 2017-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor. | |||||
| CVE-2017-14725 | 1 Wordpress | 1 Wordpress | 2017-11-10 | 4.9 MEDIUM | 5.4 MEDIUM |
| Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php. | |||||
| CVE-2017-14724 | 1 Wordpress | 1 Wordpress | 2017-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. | |||||
| CVE-2017-14723 | 1 Wordpress | 1 Wordpress | 2017-11-10 | 7.5 HIGH | 9.8 CRITICAL |
| Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks. | |||||
| CVE-2017-14722 | 1 Wordpress | 1 Wordpress | 2017-11-10 | 5.0 MEDIUM | 7.5 HIGH |
| Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename. | |||||
| CVE-2017-14721 | 1 Wordpress | 1 Wordpress | 2017-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name. | |||||
| CVE-2017-14720 | 1 Wordpress | 1 Wordpress | 2017-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. | |||||