Filtered by vendor Wordpress
Subscriptions
Total
5054 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2007-4139 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
Cross-site scripting (XSS) vulnerability in the Temporary Uploads editing functionality (wp-admin/includes/upload.php) in WordPress 2.2.1, allows remote attackers to inject arbitrary web script or HTML via the style parameter to wp-admin/upload.php. | ||||
CVE-2008-6767 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to upgrade the application, and possibly cause a denial of service (application outage), via a direct request. | ||||
CVE-2007-6369 | 1 Wordpress | 1 Pictpress | 2025-04-09 | N/A |
Multiple directory traversal vulnerabilities in resize.php in the PictPress 0.91 and earlier plugin for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) size or (2) path parameter. | ||||
CVE-2008-0507 | 1 Wordpress | 1 Adserve | 2025-04-09 | N/A |
SQL injection vulnerability in adclick.php in the AdServe 0.2 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter. | ||||
CVE-2007-4153 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.2.1 allow remote authenticated administrators to inject arbitrary web script or HTML via (1) the Options Database Table in the Admin Panel, accessed through options.php; or (2) the opml_url parameter to link-import.php. NOTE: this might not cross privilege boundaries in some configurations, since the Administrator role has the unfiltered_html capability. | ||||
CVE-2007-4893 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a does not properly verify the unfiltered_html privilege, which allows remote attackers to conduct cross-site scripting (XSS) attacks via modified data to (1) post.php or (2) page.php with a no_filter field. | ||||
CVE-2007-4544 | 1 Wordpress | 1 Wordpress Mu | 2025-04-09 | N/A |
Cross-site scripting (XSS) vulnerability in wp-newblog.php in WordPress multi-user (MU) 1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the weblog_id parameter (Username field). | ||||
CVE-2008-0193 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress 2.0.11 and earlier, and possibly 2.1.x through 2.3.x, allows remote attackers to inject arbitrary web script or HTML via the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. | ||||
CVE-2008-0192 | 1 Wordpress | 1 Wordpress | 2025-04-09 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the popuptitle parameter to (1) wp-admin/post.php or (2) wp-admin/page-new.php. | ||||
CVE-2023-22622 | 1 Wordpress | 1 Wordpress | 2025-04-07 | 5.3 Medium |
WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits. | ||||
CVE-2006-1012 | 1 Wordpress | 1 Wordpress | 2025-04-03 | N/A |
SQL injection vulnerability in WordPress 1.5.2, and possibly other versions before 2.0, allows remote attackers to execute arbitrary SQL commands via the User-Agent field in an HTTP header for a comment. | ||||
CVE-2006-0733 | 1 Wordpress | 1 Wordpress | 2025-04-03 | N/A |
Cross-site scripting (XSS) vulnerability in WordPress 2.0.0 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes such as (1) onfocus and (2) onblur in the "author's website" field. NOTE: followup comments to the researcher's web log suggest that this issue is only exploitable by the same user who injects the XSS, so this might not be a vulnerability | ||||
CVE-2006-0985 | 1 Wordpress | 1 Wordpress | 2025-04-03 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in the "post comment" functionality of WordPress 2.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) website, and (3) comment parameters. | ||||
CVE-2005-2612 | 1 Wordpress | 1 Wordpress | 2025-04-03 | N/A |
Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_lastpostdate[server] cookie. | ||||
CVE-2006-2667 | 1 Wordpress | 1 Wordpress | 2025-04-03 | N/A |
Direct static code injection vulnerability in WordPress 2.0.2 and earlier allows remote attackers to execute arbitrary commands by inserting a carriage return and PHP code when updating a profile, which is appended after a special comment sequence into files in (1) wp-content/cache/userlogins/ (2) wp-content/cache/users/ which are later included by cache.php, as demonstrated using the displayname argument. | ||||
CVE-2004-1584 | 1 Wordpress | 1 Wordpress | 2025-04-03 | N/A |
CRLF injection vulnerability in wp-login.php in WordPress 1.2 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the text parameter. | ||||
CVE-2005-2109 | 1 Wordpress | 1 Wordpress | 2025-04-03 | N/A |
wp-login.php in WordPress 1.5.1.2 and earlier allows remote attackers to change the content of the forgotten password e-mail message via the message variable, which is not initialized before use. | ||||
CVE-2005-2110 | 1 Wordpress | 1 Wordpress | 2025-04-03 | N/A |
WordPress 1.5.1.2 and earlier allows remote attackers to obtain sensitive information via (1) a direct request to menu-header.php or a "1" value in the feed parameter to (2) wp-atom.php, (3) wp-rss.php, or (4) wp-rss2.php, which reveal the path in an error message. NOTE: vector [1] was later reported to also affect WordPress 2.0.1. | ||||
CVE-2005-2108 | 1 Wordpress | 1 Wordpress | 2025-04-03 | N/A |
SQL injection vulnerability in XMLRPC server in WordPress 1.5.1.2 and earlier allows remote attackers to execute arbitrary SQL commands via input that is not filtered in the HTTP_RAW_POST_DATA variable, which stores the data in an XML file. | ||||
CVE-2006-3390 | 1 Wordpress | 1 Wordpress | 2025-04-03 | N/A |
WordPress 2.0.3 allows remote attackers to obtain the installation path via a direct request to various files, such as those in the (1) wp-admin, (2) wp-content, and (3) wp-includes directories, possibly due to uninitialized variables. |