Total: 581 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2012-5346 | 2 Bencemeszaros, Wordpress | 2 Wp-livephp, Wordpress | 2025-04-11 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in wp-live.php in the WP Live.php module 1.2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter. NOTE: some of these details are obtained from third party information. |
| CVE-2012-0287 | 2 Microsoft, Wordpress | 2 Internet Explorer, Wordpress | 2025-04-11 | 2.6 LOW | N/A | Cross-site scripting (XSS) vulnerability in wp-comments-post.php in WordPress 3.3.x before 3.3.1, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via the query string in a POST operation that is not properly handled by the "Duplicate comment detected" feature. |
| CVE-2011-3818 | 1 Wordpress | 1 Wordpress | 2025-04-11 | 5.0 MEDIUM | N/A | WordPress 2.9.2 and 3.0.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by wp-admin/includes/user.php and certain other files. |
| CVE-2012-0934 | 2 Wordpress, Zingiri | 2 Wordpress, Theme Tuner Plugin | 2025-04-11 | 7.5 HIGH | N/A | PHP remote file inclusion vulnerability in ajax/savetag.php in the Theme Tuner plugin for WordPress before 0.8 allows remote attackers to execute arbitrary PHP code via a URL in the tt-abspath parameter. |
| CVE-2011-5106 | 2 Fractalia, Wordpress | 2 Flexible Custom Post Type, Wordpress | 2025-04-11 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in edit-post.php in the Flexible Custom Post Type plugin before 0.1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter. |
| CVE-2012-4033 | 2 Wordpress, Zingiri | 2 Wordpress, Zingiri Web Shop | 2025-04-11 | 10.0 HIGH | N/A | Multiple unspecified vulnerabilities in the Zingiri Web Shop plugin before 2.4.0 for WordPress have unknown impact and attack vectors. |
| CVE-2010-4257 | 1 Wordpress | 1 Wordpress | 2025-04-11 | 6.0 MEDIUM | N/A | SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field. |
| CVE-2011-0740 | 2 Pleer, Wordpress | 2 Rss Feed Reader, Wordpress | 2025-04-11 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in magpie/scripts/magpie_slashbox.php in RSS Feed Reader 0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the rss_url parameter. |
| CVE-2012-5328 | 2 Cartpauj, Wordpress | 2 Mingle-forum, Wordpress | 2025-04-11 | 6.5 MEDIUM | N/A | Multiple SQL injection vulnerabilities in the Mingle Forum plugin 1.0.32.1 and other versions before 1.0.33 for WordPress might allow remote authenticated users to execute arbitrary SQL commands via the (1) memberid or (2) groupid parameters in a removemember action or (3) id parameter to fs-admin/fs-admin.php, or (4) edit_forum_id parameter in an edit_save_forum action to fs-admin/wpf-edit-forum-group.php. |
| CVE-2013-2200 | 1 Wordpress | 1 Wordpress | 2025-04-11 | 4.0 MEDIUM | N/A | WordPress before 3.5.2 does not properly check the capabilities of roles, which allows remote authenticated users to bypass intended restrictions on publishing and authorship reassignment via unspecified vectors. |
| CVE-2009-4748 | 2 Andrew Charlton, Wordpress | 2 My Category Order, Wordpress | 2025-04-11 | 7.5 HIGH | N/A | SQL injection vulnerability in mycategoryorder.php in the My Category Order plugin 2.8 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the parentID parameter in an act_OrderCategories action to wp-admin/post-new.php. |
| CVE-2013-6993 | 2 Ad-minister Project, Wordpress | 2 Ad-minister, Wordpress | 2025-04-11 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in the Ad-minister plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the key parameter in a delete action to wp-admin/tools.php. |
| CVE-2011-5224 | 2 Trioniclabs, Wordpress | 2 Sentinel, Wordpress | 2025-04-11 | 7.5 HIGH | N/A | SQL injection vulnerability in the Sentinel plugin 1.0.0 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2011-5181 | 2 Clickdesk, Wordpress | 2 Clickdesk Live Support-live Chat Plugin, Wordpress | 2025-04-11 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in clickdesk.php in ClickDesk Live Support - Live Chat plugin 2.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cdwidgetid parameter. NOTE: some of these details are obtained from third party information. |
| CVE-2012-3385 | 1 Wordpress | 1 Wordpress | 2025-04-11 | 5.0 MEDIUM | N/A | WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or contributors to obtain sensitive information via unknown vectors. |
| CVE-2011-3850 | 2 Bytesforall, Wordpress | 2 Atahualpa, Wordpress | 2025-04-11 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in the Atahualpa theme before 3.6.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter. |
| CVE-2012-3414 | 3 Swfupload Project, Tinymce, Wordpress | 3 Swfupload, Image Manager, Wordpress | 2025-04-11 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function. |
| CVE-2011-4673 | 2 Automattic, Wordpress | 2 Jetpack, Wordpress | 2025-04-11 | 7.5 HIGH | N/A | SQL injection vulnerability in modules/sharedaddy.php in the Jetpack plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2013-0237 | 3 Fedoraproject, Moxiecode, Wordpress | 3 Fedora, Plupload, Wordpress | 2025-04-11 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode plupload before 1.5.5, as used in WordPress before 3.5.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the id parameter. |
| CVE-2012-6499 | 2 Age Verification Project, Wordpress | 2 Age Verification, Wordpress | 2025-04-11 | 5.8 MEDIUM | N/A | Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_to parameter. |
| CVE-2013-2703 | 2 Crunchify, Wordpress | 2 Facebook Members, Wordpress | 2025-04-11 | 6.8 MEDIUM | N/A | Cross-site request forgery (CSRF) vulnerability in the Facebook Members plugin before 5.0.5 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify this plugin's settings. |
| CVE-2013-1464 | 2 Doryphores, Wordpress | 2 Audio Player, Wordpress | 2025-04-11 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in assets/player.swf in the Audio Player plugin before 2.0.4.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the playerID parameter. |
| CVE-2013-0236 | 1 Wordpress | 1 Wordpress | 2025-04-11 | 4.3 MEDIUM | N/A | Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) gallery shortcodes or (2) the content of a post. |
| CVE-2013-7279 | 2 Anthony Mills, Wordpress | 2 S3 Video, Wordpress | 2025-04-11 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in views/video-management/preview_video.php in the S3 Video plugin before 0.983 for WordPress allows remote attackers to inject arbitrary web script or HTML via the base parameter. |
| CVE-2012-5177 | 2 Welcart, Wordpress | 2 Welcart Plugin, Wordpress | 2025-04-11 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2012-5469 | 2 Phpmyadmin, Wordpress | 2 Phpmyadmin, Wordpress | 2025-04-11 | 7.5 HIGH | N/A | The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod. |
| CVE-2013-5673 | 2 Indianic, Wordpress | 2 Testimonial Plugin, Wordpress | 2025-04-11 | 7.5 HIGH | N/A | SQL injection vulnerability in testimonial.php in the IndiaNIC Testimonial plugin 2.2 for WordPress allows remote attackers to execute arbitrary SQL commands via the custom_query parameter in a testimonial_add action to wp-admin/admin-ajax.php. |
| CVE-2011-4957 | 1 Wordpress | 1 Wordpress | 2025-04-11 | 5.0 MEDIUM | N/A | The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls. |
| CVE-2013-2743 | 2 Ithemes, Wordpress | 2 Backupbuddy, Wordpress | 2025-04-11 | 7.5 HIGH | N/A | importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress allows remote attackers to bypass authentication via a crafted integer in the step parameter. |
| CVE-2012-3384 | 1 Wordpress | 1 Wordpress | 2025-04-11 | 6.8 MEDIUM | N/A | Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
| CVE-2013-2201 | 1 Wordpress | 1 Wordpress | 2025-04-11 | 4.3 MEDIUM | N/A | Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) uploads of media files, (2) editing of media files, (3) installation of plugins, (4) updates to plugins, (5) installation of themes, or (6) updates to themes. |
| CVE-2012-1011 | 2 Likno, Wordpress | 2 Allwebmenus Plugin, Wordpress | 2025-04-11 | 7.5 HIGH | N/A | actions.php in the AllWebMenus plugin 1.1.8 for WordPress allows remote attackers to bypass intended access restrictions to upload and execute arbitrary PHP code by setting the HTTP_REFERER to a certain value, then uploading a ZIP file containing a PHP file, then accessing it via a direct request to the file in an unspecified directory. |
| CVE-2011-3130 | 1 Wordpress | 1 Wordpress | 2025-04-11 | 7.5 HIGH | N/A | wp-includes/taxonomy.php in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Taxonomy query hardening," possibly involving SQL injection. |
| CVE-2011-5216 | 2 Troyef, Wordpress | 2 Scorm Cloud, Wordpress | 2025-04-11 | 7.5 HIGH | N/A | SQL injection vulnerability in ajax.php in SCORM Cloud For WordPress plugin before 1.0.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the active parameter. NOTE: some of these details are obtained from third party information. |
| CVE-2012-6633 | 1 Wordpress | 1 Wordpress | 2025-04-11 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in wp-includes/default-filters.php in WordPress before 3.3.3 allows remote attackers to inject arbitrary web script or HTML via an editable slug field. |
| CVE-2012-4273 | 2 Ppfeufer, Wordpress | 2 2-click-social-media-buttons, Wordpress | 2025-04-11 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in libs/xing.php in the 2 Click Social Media Buttons plugin before 0.34 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xing-url parameter. |
| CVE-2011-0760 | 2 Adminofsystem, Wordpress | 2 Wp Related Posts, Wordpress | 2025-04-11 | 4.3 MEDIUM | N/A | Multiple cross-site request forgery (CSRF) vulnerabilities in the configuration screen in wp-relatedposts.php in the WP Related Posts plugin 1.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the (1) wp_relatedposts_title, (2) wp_relatedposts_num, or (3) wp_relatedposts_type parameter. |
| CVE-2013-2199 | 1 Wordpress | 1 Wordpress | 2025-04-11 | 4.3 MEDIUM | N/A | The HTTP API in WordPress before 3.5.2 allows remote attackers to send HTTP requests to intranet servers via unspecified vectors, related to a Server-Side Request Forgery (SSRF) issue, a similar vulnerability to CVE-2013-0235. |
| CVE-2013-3254 | 2 Wordpress, Wppa.opajaap | 2 Wordpress, Wp-photo-album-plus | 2025-04-11 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in the WP Photo Album Plus plugin before 5.0.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the commentid parameter in a wppa_manage_comments edit action. |
| CVE-2011-5254 | 2 Connections Project, Wordpress | 2 Connections, Wordpress | 2025-04-11 | 10.0 HIGH | N/A | Unspecified vulnerability in the Connections plugin before 0.7.1.6 for WordPress has unknown impact and attack vectors. |