Total
577 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2016-2222 | 1 Wordpress | 1 Wordpress | 2024-02-28 | 5.0 MEDIUM | 8.6 HIGH |
The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request forgery (SSRF) attacks via a zero value in the first octet of an IPv4 address in the u parameter to wp-admin/press-this.php. | |||||
CVE-2015-3440 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. | |||||
CVE-2015-3439 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as. | |||||
CVE-2015-2213 | 1 Wordpress | 1 Wordpress | 2024-02-28 | 7.5 HIGH | N/A |
SQL injection vulnerability in the wp_untrash_post_comments function in wp-includes/post.php in WordPress before 4.2.4 allows remote attackers to execute arbitrary SQL commands via a comment that is mishandled after retrieval from the trash. | |||||
CVE-2016-5838 | 1 Wordpress | 1 Wordpress | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie. | |||||
CVE-2016-5836 | 1 Wordpress | 1 Wordpress | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors. | |||||
CVE-2016-5834 | 1 Wordpress | 1 Wordpress | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833. | |||||
CVE-2015-3429 | 3 Automattic, Debian, Wordpress | 3 Genericons, Debian Linux, Wordpress | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in example.html in Genericons before 3.3.1, as used in WordPress before 4.2.2, allows remote attackers to inject arbitrary web script or HTML via a fragment identifier. | |||||
CVE-2015-5714 | 1 Wordpress | 1 Wordpress | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the mishandling of unclosed HTML elements during processing of shortcode tags. | |||||
CVE-2016-4566 | 2 Plupload, Wordpress | 2 Plupload, Wordpress | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack. | |||||
CVE-2015-5732 | 1 Wordpress | 1 Wordpress | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the form function in the WP_Nav_Menu_Widget class in wp-includes/default-widgets.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a widget title. | |||||
CVE-2015-5734 | 1 Wordpress | 1 Wordpress | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a crafted string. | |||||
CVE-2015-5733 | 1 Wordpress | 1 Wordpress | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the refreshAdvancedAccessibilityOfItem function in wp-admin/js/nav-menu.js in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via an accessibility-helper title. | |||||
CVE-2014-2265 | 2 Rocklobster, Wordpress | 2 Contact Form 7, Wordpress | 2024-02-28 | 5.0 MEDIUM | N/A |
Rock Lobster Contact Form 7 before 3.7.2 allows remote attackers to bypass the CAPTCHA protection mechanism and submit arbitrary form data by omitting the _wpcf7_captcha_challenge_captcha-719 parameter. | |||||
CVE-2014-9039 | 3 Debian, Mageia Project, Wordpress | 3 Debian Linux, Mageia, Wordpress | 2024-02-28 | 4.3 MEDIUM | N/A |
wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message. | |||||
CVE-2014-3845 | 2 Tinymce, Wordpress | 2 Color Picker, Wordpress | 2024-02-28 | 6.8 MEDIUM | N/A |
Cross-site request forgery (CSRF) vulnerability in the TinyMCE Color Picker plugin before 1.2 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that change plugin settings via unknown vectors. NOTE: some of these details are obtained from third party information. | |||||
CVE-2014-9032 | 1 Wordpress | 1 Wordpress | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the media-playlists feature in WordPress before 3.9.x before 3.9.3 and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2014-5265 | 3 Debian, Drupal, Wordpress | 3 Debian Linux, Drupal, Wordpress | 2024-02-28 | 5.0 MEDIUM | N/A |
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. | |||||
CVE-2014-3844 | 2 Tinymce, Wordpress | 2 Color Picker, Wordpress | 2024-02-28 | 5.0 MEDIUM | N/A |
The TinyMCE Color Picker plugin before 1.2 for WordPress does not properly check permissions, which allows remote attackers to modify plugin settings via unspecified vectors. NOTE: some of these details are obtained from third party information. | |||||
CVE-2012-6635 | 1 Wordpress | 1 Wordpress | 2024-02-28 | 4.0 MEDIUM | N/A |
wp-admin/includes/class-wp-posts-list-table.php in WordPress before 3.3.3 does not properly restrict excerpt-view access, which allows remote authenticated users to obtain sensitive information by visiting a draft. |