Total
577 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2012-3414 | 3 Swfupload Project, Tinymce, Wordpress | 3 Swfupload, Image Manager, Wordpress | 2024-02-28 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function. | |||||
| CVE-2011-5128 | 2 Bueltge, Wordpress | 2 Adminimize, Wordpress | 2024-02-28 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Adminimize plugin before 1.7.22 for WordPress allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) inc-options/deinstall_options.php, (2) inc-options/theme_options.php, or (3) inc-options/im_export_options.php, or the (4) post or (5) post_ID parameters to adminimize.php, different vectors than CVE-2011-4926. | |||||
| CVE-2013-2704 | 2 Metin Saylan, Wordpress | 2 Dropdown Menu Widget, Wordpress | 2024-02-28 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the Dropdown Menu Widget plugin 1.9.1 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that insert cross-site scripting (XSS) sequences. | |||||
| CVE-2013-2744 | 2 Ithemes, Wordpress | 2 Backupbuddy, Wordpress | 2024-02-28 | 5.0 MEDIUM | N/A |
| importbuddy.php in the BackupBuddy plugin 2.2.25 for WordPress allows remote attackers to obtain configuration information via a step 0 phpinfo action, which calls the phpinfo function. | |||||
| CVE-2012-5318 | 2 Kishore Asokan, Wordpress | 2 Kish Guest Posting Plugin, Wordpress | 2024-02-28 | 6.8 MEDIUM | N/A |
| Unrestricted file upload vulnerability in uploadify/scripts/uploadify.php in the Kish Guest Posting plugin 1.2 for WordPress allows remote attackers to execute arbitrary code by uploading a file with a double extension, then accessing it via a direct request to the file in the directory specified by the folder parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1125. | |||||
| CVE-2012-2371 | 2 Mnt-tech, Wordpress | 2 Wp-facethumb, Wordpress | 2024-02-28 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in index.php in the WP-FaceThumb plugin 0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the pagination_wp_facethumb parameter. | |||||
| CVE-2011-5208 | 2 Backwpup, Wordpress | 2 Backwpup, Wordpress | 2024-02-28 | 5.0 MEDIUM | N/A |
| Multiple directory traversal vulnerabilities in the BackWPup plugin before 1.4.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the wpabs parameter to (1) app/options-view_log-iframe.php or (2) app/options-runnow-iframe.php. | |||||
| CVE-2011-5265 | 2 Featurific For Wordpress Project, Wordpress | 2 Featurific-for-wordpress, Wordpress | 2024-02-28 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in cached_image.php in the Featurific For WordPress plugin 1.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the snum parameter. NOTE: this has been disputed by a third party. | |||||
| CVE-2012-4242 | 2 Mf Gig Calendar Project, Wordpress | 2 Mf Gig Calendar, Wordpress | 2024-02-28 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the MF Gig Calendar plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the calendar page. | |||||
| CVE-2012-3576 | 2 Jquindlen, Wordpress | 2 Wpstorecart, Wordpress | 2024-02-28 | 10.0 HIGH | N/A |
| Unrestricted file upload vulnerability in php/upload.php in the wpStoreCart plugin before 2.5.30 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/wpstorecart. | |||||
| CVE-2011-4957 | 1 Wordpress | 1 Wordpress | 2024-02-28 | 5.0 MEDIUM | N/A |
| The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls. | |||||
| CVE-2013-5714 | 2 Videowhisper, Wordpress | 2 Live Streaming Integration Plugin, Wordpress | 2024-02-28 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in ls/htmlchat.php in the VideoWhisper Live Streaming Integration plugin 4.25.3 and possibly earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) message parameter. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2012-1125 | 2 Kishore Asokan, Wordpress | 2 Kish Guest Posting Plugin, Wordpress | 2024-02-28 | 6.8 MEDIUM | N/A |
| Unrestricted file upload vulnerability in uploadify/scripts/uploadify.php in the Kish Guest Posting plugin before 1.2 for WordPress allows remote attackers to execute arbitrary code by uploading a file with a PHP extension, then accessing it via a direct request to the file in the directory specified by the folder parameter. | |||||
| CVE-2012-5310 | 2 Getshopped, Wordpress | 2 Wp E-commerce, Wordpress | 2024-02-28 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the WP e-Commerce plugin before 3.8.7.6 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2013-2202 | 1 Wordpress | 1 Wordpress | 2024-02-28 | 4.3 MEDIUM | N/A |
| WordPress before 3.5.2 allows remote attackers to read arbitrary files via an oEmbed XML provider response containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | |||||
| CVE-2012-3384 | 1 Wordpress | 1 Wordpress | 2024-02-28 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||||
| CVE-2013-0721 | 2 Wordpress, Wp Php Widget Project | 2 Wordpress, Wp Php Widget | 2024-02-28 | 5.0 MEDIUM | N/A |
| wp-php-widget.php in the WP PHP widget plugin 1.0.2 for WordPress allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message. | |||||
| CVE-2013-3491 | 2 Mdolon, Wordpress | 2 Sharebar, Wordpress | 2024-02-28 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Sharebar plugin 1.2.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) modify buttons, or (3) insert cross-site scripting (XSS) sequences. | |||||
| CVE-2013-1464 | 2 Doryphores, Wordpress | 2 Audio Player, Wordpress | 2024-02-28 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in assets/player.swf in the Audio Player plugin before 2.0.4.6 for Wordpress allows remote attackers to inject arbitrary web script or HTML via the playerID parameter. | |||||
| CVE-2012-3383 | 1 Wordpress | 1 Wordpress | 2024-02-28 | 2.6 LOW | N/A |
| The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not properly assign the unfiltered_html capability, which allows remote authenticated users to bypass intended access restrictions and conduct cross-site scripting (XSS) attacks by leveraging the Administrator or Editor role and composing crafted text. | |||||