Vulnerabilities (CVE)

Vendor filter: Wordpress

58 total CVE
CVE Vendors Products Updated CVSS
CVE-2017-5611 2 Wordpress, Debian 2 Wordpress, Debian Linux 2019-03-19 7.5
SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post...
CVE-2018-20148 2 Wordpress, Debian 2 Wordpress, Debian Linux 2019-03-04 7.5
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the...
CVE-2008-2392 1 Wordpress 1 Wordpress 2018-10-31 9.0
Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier might allow remote authenticated administrators to upload and execute arbitrary PHP files via the Upload section in the Write Tabs area of the dashboard.
CVE-2006-2667 1 Wordpress 1 Wordpress 2018-10-18 7.5
Direct static code injection vulnerability in WordPress 2.0.2 and earlier allows remote attackers to execute arbitrary commands by inserting a carriage return and PHP code when updating a profile, which is appended after a special comment...
CVE-2007-2821 1 Wordpress 1 Wordpress 2018-10-16 7.5
SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter.
CVE-2007-1277 1 Wordpress 1 Wordpress 2018-10-16 7.5
WordPress 2.1.1, as downloaded from some official distribution sites during February and March 2007, contains an externally introduced backdoor that allows remote attackers to execute arbitrary commands via (1) an eval injection vulnerability in...
CVE-2007-0539 1 Wordpress 1 Wordpress 2018-10-16 7.8
The wp_remote_fopen function in WordPress before 2.1 allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a large file, which triggers a long...
CVE-2007-0262 1 Wordpress 1 Wordpress 2018-10-16 7.8
WordPress 2.0.6, and 2.1Alpha 3 (SVN:4662), does not properly verify that the m parameter value has the string data type, which allows remote attackers to obtain sensitive information via an invalid m[] parameter, as demonstrated by obtaining the...
CVE-2008-0845 1 Wordpress 1 Dean Logan Wp-people Plugin 2018-10-15 7.5
SQL injection vulnerability in wp-people-popup.php in Dean Logan WP-People plugin 1.6.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the person parameter.
CVE-2008-0194 1 Wordpress 1 Wordpress 2018-10-15 7.5
Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a .. (dot dot) in the backup parameter in a...
CVE-2008-2510 1 Wordpress 1 Upload File Plugin 2018-10-11 7.5
SQL injection vulnerability in wp-uploadfile.php in the Upload File plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the f_id parameter.
CVE-2008-1930 1 Wordpress 1 Wordpress 2018-10-11 7.5
The cookie authentication method in WordPress 2.5 relies on a hash of a concatenated string containing USERNAME and EXPIRY_TIME, which allows remote attackers to forge cookies by registering a username that results in the same concatenated...
CVE-2008-1060 1 Wordpress 1 Sniplets Plugin 2018-10-11 7.5
Eval injection vulnerability in modules/execute.php in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allows remote attackers to execute arbitrary PHP code via the text parameter.
CVE-2008-1059 1 Wordpress 1 Sniplets Plugin 2018-10-11 7.5
PHP remote file inclusion vulnerability in modules/syntax_highlight.php in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the libpath parameter.
CVE-2017-16510 1 Wordpress 1 Wordpress 2018-02-04 7.5
WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different...
CVE-2012-2400 1 Wordpress 1 Wordpress 2017-12-19 10.0
Unspecified vulnerability in wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown impact and attack vectors.
CVE-2012-2399 1 Wordpress 1 Wordpress 2017-12-19 10.0
Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or...
CVE-2009-2762 1 Wordpress 1 Wordpress 2017-11-22 7.5
wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that...
CVE-2009-2853 2 Wordpress, A 2 Wordpress, Wordpress 2017-11-16 10.0
WordPress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6)...
CVE-2017-14723 1 Wordpress 1 Wordpress 2017-11-10 7.5
Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.