Vulnerabilities (CVE)

Vendor filter

Wordpress Subscribe

Product filter

Wordpress Subscribe

Filter

298 total CVE
CVE Vendors Products Updated CVSS
CVE-2013-2204 2 Wordpress, Tinymce 2 Media, Wordpress 2013-08-13 4.3
moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) character during extraction of the QUERY_STRING, which allows remote...
CVE-2013-2200 1 Wordpress 1 Wordpress 2013-08-13 4.0
WordPress before 3.5.2 does not properly check the capabilities of roles, which allows remote authenticated users to bypass intended restrictions on publishing and authorship reassignment via unspecified vectors.
CVE-2013-2199 1 Wordpress 1 Wordpress 2013-08-13 4.3
The HTTP API in WordPress before 3.5.2 allows remote attackers to send HTTP requests to intranet servers via unspecified vectors, related to a Server-Side Request Forgery (SSRF) issue, a similar vulnerability to CVE-2013-0235.
CVE-2013-0235 1 Wordpress 1 Wordpress 2013-07-08 6.4
The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue.
CVE-2013-0237 3 Wordpress, Fedoraproject, Moxiecode 3 Plupload, Fedora, Wordpress 2013-07-08 4.3
Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode plupload before 1.5.5, as used in WordPress before 3.5.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the id parameter.
CVE-2013-0236 1 Wordpress 1 Wordpress 2013-07-08 4.3
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) gallery shortcodes or (2) the content of a post.
CVE-2012-5868 1 Wordpress 1 Wordpress 2013-01-08 2.6
WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upon an administrator's logout action, which makes it easier for remote attackers to discover valid session identifiers via a brute-force attack, or modify data via a replay attack.
CVE-2012-0287 1 Wordpress 1 Wordpress 2012-10-12 2.6
Cross-site scripting (XSS) vulnerability in wp-comments-post.php in WordPress 3.3.x before 3.3.1, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via the query string in a POST operation that is not...
CVE-2012-4448 1 Wordpress 1 Wordpress 2012-10-01 6.8
Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action.
CVE-2012-3383 1 Wordpress 1 Wordpress 2012-09-18 2.6
The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not properly assign the unfiltered_html capability, which allows remote authenticated users to bypass intended...
CVE-2010-5106 1 Wordpress 1 Wordpress 2012-09-17 6.5
The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by...
CVE-2012-4421 1 Wordpress 1 Wordpress 2012-09-17 4.0
The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the...
CVE-2012-4422 1 Wordpress 1 Wordpress 2012-09-17 3.5
wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated...
CVE-2012-3384 1 Wordpress 1 Wordpress 2012-08-09 6.8
Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CVE-2012-3385 1 Wordpress 1 Wordpress 2012-07-23 5.0
WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or contributors to obtain sensitive information via unknown vectors.
CVE-2011-4957 1 Wordpress 1 Wordpress 2012-06-28 5.0
The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a...
CVE-2011-4956 1 Wordpress 1 Wordpress 2012-06-28 4.3
Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2011-3818 1 Wordpress 1 Wordpress 2012-05-21 5.0
WordPress 2.9.2 and 3.0.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by wp-admin/includes/user.php and certain other files.
CVE-2012-0782 1 Wordpress 1 Wordpress 2012-01-31 4.3
** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dbhost, (2)...
CVE-2011-4899 1 Wordpress 1 Wordpress 2012-01-31 7.5
** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via...