Vulnerabilities (CVE)

42 total CVEs (each entry: CVE ID | Vendors | Products | Updated | CVSS, followed by its description)

CVE-2017-5611 | Vendors (2): Wordpress, Debian | Products (2): Wordpress, Debian Linux | Updated: 2019-03-19 | CVSS: 7.5
    SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post...

CVE-2018-20148 | Vendors (2): Wordpress, Debian | Products (2): Wordpress, Debian Linux | Updated: 2019-03-04 | CVSS: 7.5
    In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the...

CVE-2008-2392 | Vendors (1): Wordpress | Products (1): Wordpress | Updated: 2018-10-31 | CVSS: 9.0
    Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier might allow remote authenticated administrators to upload and execute arbitrary PHP files via the Upload section in the Write Tabs area of the dashboard.

CVE-2006-2667 | Vendors (1): Wordpress | Products (1): Wordpress | Updated: 2018-10-18 | CVSS: 7.5
    Direct static code injection vulnerability in WordPress 2.0.2 and earlier allows remote attackers to execute arbitrary commands by inserting a carriage return and PHP code when updating a profile, which is appended after a special comment...

CVE-2007-2821 | Vendors (1): Wordpress | Products (1): Wordpress | Updated: 2018-10-16 | CVSS: 7.5
    SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter.

CVE-2007-1277 | Vendors (1): Wordpress | Products (1): Wordpress | Updated: 2018-10-16 | CVSS: 7.5
    WordPress 2.1.1, as downloaded from some official distribution sites during February and March 2007, contains an externally introduced backdoor that allows remote attackers to execute arbitrary commands via (1) an eval injection vulnerability in...

CVE-2007-0539 | Vendors (1): Wordpress | Products (1): Wordpress | Updated: 2018-10-16 | CVSS: 7.8
    The wp_remote_fopen function in WordPress before 2.1 allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a large file, which triggers a long...

CVE-2007-0262 | Vendors (1): Wordpress | Products (1): Wordpress | Updated: 2018-10-16 | CVSS: 7.8
    WordPress 2.0.6, and 2.1Alpha 3 (SVN:4662), does not properly verify that the m parameter value has the string data type, which allows remote attackers to obtain sensitive information via an invalid m[] parameter, as demonstrated by obtaining the...

CVE-2008-0194 | Vendors (1): Wordpress | Products (1): Wordpress | Updated: 2018-10-15 | CVSS: 7.5
    Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a .. (dot dot) in the backup parameter in a...

CVE-2008-1930 | Vendors (1): Wordpress | Products (1): Wordpress | Updated: 2018-10-11 | CVSS: 7.5
    The cookie authentication method in WordPress 2.5 relies on a hash of a concatenated string containing USERNAME and EXPIRY_TIME, which allows remote attackers to forge cookies by registering a username that results in the same concatenated...

CVE-2017-16510 | Vendors (1): Wordpress | Products (1): Wordpress | Updated: 2018-02-04 | CVSS: 7.5
    WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different...

CVE-2012-2400 | Vendors (1): Wordpress | Products (1): Wordpress | Updated: 2017-12-19 | CVSS: 10.0
    Unspecified vulnerability in wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown impact and attack vectors.

CVE-2012-2399 | Vendors (1): Wordpress | Products (1): Wordpress | Updated: 2017-12-19 | CVSS: 10.0
    Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or...

CVE-2009-2762 | Vendors (1): Wordpress | Products (1): Wordpress | Updated: 2017-11-22 | CVSS: 7.5
    wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that...

CVE-2009-2853 | Vendors (2): Wordpress, A | Products (2): Wordpress, Wordpress | Updated: 2017-11-16 | CVSS: 10.0
    Wordpress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6)...

CVE-2017-14723 | Vendors (1): Wordpress | Products (1): Wordpress | Updated: 2017-11-10 | CVSS: 7.5
    Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.

CVE-2015-2213 | Vendors (1): Wordpress | Products (1): Wordpress | Updated: 2017-11-04 | CVSS: 7.5
    SQL injection vulnerability in the wp_untrash_post_comments function in wp-includes/post.php in WordPress before 4.2.4 allows remote attackers to execute arbitrary SQL commands via a comment that is mishandled after retrieval from the trash.

CVE-2007-0233 | Vendors (1): Wordpress | Products (1): Wordpress | Updated: 2017-10-19 | CVSS: 7.5
    wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary...

CVE-2008-5695 | Vendors (1): Wordpress | Products (2): Wordpress Mu, Wordpress | Updated: 2017-09-29 | CVSS: 8.5
    wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option, which allows remote authenticated users with manage_options and upload_files capabilities to execute...

CVE-2008-0491 | Vendors (1): Wordpress | Products (2): Fgallery Plugin, Wordpress | Updated: 2017-09-29 | CVSS: 7.5
    SQL injection vulnerability in fim_rss.php in the fGallery 2.4.1 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the album parameter.