Filtered by vendor Wordpress
Subscribe
Total
621 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2008-4625 | 2 Shiftthis, Wordpress | 2 Shifthis Newsletter, Wordpress | 2024-11-21 | 7.5 HIGH | N/A |
SQL injection vulnerability in stnl_iframe.php in the ShiftThis Newsletter (st_newsletter) plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the newsletter parameter, a different vector than CVE-2008-0683. | |||||
CVE-2008-4616 | 2 The Spanner, Wordpress | 2 Spambam Plugin, Spambam Plugin | 2024-11-21 | 5.0 MEDIUM | N/A |
The SpamBam plugin for WordPress allows remote attackers to bypass restrictions and add blog comments by using server-supplied values to calculate a shared key. | |||||
CVE-2008-4106 | 1 Wordpress | 1 Wordpress | 2024-11-21 | 5.1 MEDIUM | N/A |
WordPress before 2.6.2 does not properly handle MySQL warnings about insertion of username strings that exceed the maximum column width of the user_login column, and does not properly handle space characters when comparing usernames, which allows remote attackers to change an arbitrary user's password to a random value by registering a similar username and then requesting a password reset, related to a "SQL column truncation vulnerability." NOTE: the attacker can discover the random password by also exploiting CVE-2008-4107. | |||||
CVE-2008-3747 | 1 Wordpress | 1 Wordpress | 2024-11-21 | 7.5 HIGH | N/A |
The (1) get_edit_post_link and (2) get_edit_comment_link functions in wp-includes/link-template.php in WordPress before 2.6.1 do not force SSL communication in the intended situations, which might allow remote attackers to gain administrative access by sniffing the network for a cookie. | |||||
CVE-2008-3362 | 2 Giulio Ganci, Wordpress | 2 Wp Downloads Manager, Wp Downloads Manager | 2024-11-21 | 10.0 HIGH | N/A |
Unrestricted file upload vulnerability in upload.php in the Giulio Ganci Wp Downloads Manager module 0.2 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension via the upfile parameter, then accessing it via a direct request to the file in wp-content/plugins/downloads-manager/upload/. | |||||
CVE-2008-3233 | 1 Wordpress | 1 Wordpress | 2024-11-21 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in WordPress before 2.6, SVN development versions only, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2008-2510 | 1 Wordpress | 1 Upload File Plugin | 2024-11-21 | 7.5 HIGH | N/A |
SQL injection vulnerability in wp-uploadfile.php in the Upload File plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the f_id parameter. | |||||
CVE-2008-2392 | 1 Wordpress | 1 Wordpress | 2024-11-21 | 9.0 HIGH | N/A |
Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier might allow remote authenticated administrators to upload and execute arbitrary PHP files via the Upload section in the Write Tabs area of the dashboard. | |||||
CVE-2008-2146 | 1 Wordpress | 1 Wordpress | 2024-11-21 | 7.5 HIGH | N/A |
wp-includes/vars.php in Wordpress before 2.2.3 does not properly extract the current path from the PATH_INFO ($PHP_SELF), which allows remote attackers to bypass intended access restrictions for certain pages. | |||||
CVE-2008-2068 | 1 Wordpress | 1 Wordpress | 2024-11-21 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in WordPress 2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2008-2034 | 1 Wordpress | 1 Download Monitor Plugin | 2024-11-21 | 7.5 HIGH | N/A |
SQL injection vulnerability in wp-download_monitor/download.php in the Download Monitor 2.0.6 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
CVE-2008-1982 | 1 Wordpress | 2 Wordpress, Wpss | 2024-11-21 | 7.5 HIGH | N/A |
SQL injection vulnerability in ss_load.php in the Spreadsheet (wpSS) 0.6 and earlier plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the ss_id parameter. | |||||
CVE-2008-1930 | 1 Wordpress | 1 Wordpress | 2024-11-21 | 7.5 HIGH | N/A |
The cookie authentication method in WordPress 2.5 relies on a hash of a concatenated string containing USERNAME and EXPIRY_TIME, which allows remote attackers to forge cookies by registering a username that results in the same concatenated string, as demonstrated by registering usernames beginning with "admin" to obtain administrator privileges, aka a "cryptographic splicing" issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2007-6013. | |||||
CVE-2008-1646 | 2 Arnos Toolbox, Wordpress | 2 Wp-download, Wp Download | 2024-11-21 | 7.5 HIGH | N/A |
SQL injection vulnerability in wp-download.php in the WP-Download 1.2 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the dl_id parameter. | |||||
CVE-2008-1304 | 1 Wordpress | 1 Wordpress | 2024-11-21 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) inviteemail parameter in an invite action to wp-admin/users.php and the (2) to parameter in a sent action to wp-admin/invites.php. | |||||
CVE-2008-1061 | 1 Wordpress | 1 Sniplets Plugin | 2024-11-21 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to (a) warning.php, (b) notice.php, and (c) inset.php in view/sniplets/, and possibly (d) modules/execute.php; the (2) url parameter to (e) view/admin/submenu.php; and the (3) page parameter to (f) view/admin/pager.php. | |||||
CVE-2008-1060 | 1 Wordpress | 1 Sniplets Plugin | 2024-11-21 | 7.5 HIGH | N/A |
Eval injection vulnerability in modules/execute.php in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allows remote attackers to execute arbitrary PHP code via the text parameter. | |||||
CVE-2008-1059 | 1 Wordpress | 1 Sniplets Plugin | 2024-11-21 | 7.5 HIGH | N/A |
PHP remote file inclusion vulnerability in modules/syntax_highlight.php in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the libpath parameter. | |||||
CVE-2008-0939 | 1 Wordpress | 1 Photo Album Plugin | 2024-11-21 | 7.5 HIGH | N/A |
Multiple SQL injection vulnerabilities in wppa.php in the WP Photo Album (WPPA) before 1.1 plugin for WordPress allow remote attackers to execute arbitrary SQL commands via (1) the photo parameter to index.php, used by the wppa_photo_name function; or (2) the album parameter to index.php, used by the wppa_album_name function. NOTE: some of these details are obtained from third party information. | |||||
CVE-2008-0845 | 1 Wordpress | 1 Dean Logan Wp-people Plugin | 2024-11-21 | 7.5 HIGH | N/A |
SQL injection vulnerability in wp-people-popup.php in Dean Logan WP-People plugin 1.6.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the person parameter. |