Vulnerabilities (CVE)

Vendor filter

Wordpress Subscribe

Product filter

Wordpress Subscribe

Filter

298 total CVE
CVE Vendors Products Updated CVSS
CVE-2018-20149 2 Wordpress, Debian 2 Wordpress, Debian Linux 2019-03-04 3.5
In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.
CVE-2018-20148 2 Wordpress, Debian 2 Wordpress, Debian Linux 2019-03-04 7.5
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the...
CVE-2018-6389 1 Wordpress 1 Wordpress 2019-03-01 5.0
In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file...
CVE-2018-1000773 1 Wordpress 1 Wordpress 2018-11-14 6.5
WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via...
CVE-2009-2336 1 Wordpress 2 Wordpress Mu, Wordpress 2018-11-08 5.0
The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor...
CVE-2009-2335 1 Wordpress 2 Wordpress Mu, Wordpress 2018-11-08 5.0
WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the...
CVE-2008-2392 1 Wordpress 1 Wordpress 2018-10-31 9.0
Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier might allow remote authenticated administrators to upload and execute arbitrary PHP files via the Upload section in the Write Tabs area of the dashboard.
CVE-2017-1000600 1 Wordpress 1 Wordpress 2018-10-26 6.5
WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require...
CVE-2006-0733 1 Wordpress 1 Wordpress 2018-10-19 2.6
** DISPUTED ** Cross-site scripting (XSS) vulnerability in WordPress 2.0.0 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes such as (1) onfocus and (2) onblur in the "author's website" field. NOTE:...
CVE-2005-4463 1 Wordpress 1 Wordpress 2018-10-19 5.0
WordPress before 1.5.2 allows remote attackers to obtain sensitive information via a direct request to (1) wp-includes/vars.php, (2) wp-content/plugins/hello.php, (3) wp-admin/upgrade-functions.php, (4) wp-admin/edit-form.php, (5)...
CVE-2005-2110 1 Wordpress 1 Wordpress 2018-10-19 5.0
WordPress 1.5.1.2 and earlier allows remote attackers to obtain sensitive information via (1) a direct request to menu-header.php or a "1" value in the feed parameter to (2) wp-atom.php, (3) wp-rss.php, or (4) wp-rss2.php, which reveal the path...
CVE-2006-3390 1 Wordpress 1 Wordpress 2018-10-18 5.0
WordPress 2.0.3 allows remote attackers to obtain the installation path via a direct request to various files, such as those in the (1) wp-admin, (2) wp-content, and (3) wp-includes directories, possibly due to uninitialized variables.
CVE-2006-3389 1 Wordpress 1 Wordpress 2018-10-18 5.0
index.php in WordPress 2.0.3 allows remote attackers to obtain sensitive information, such as SQL table prefixes, via an invalid paged parameter, which displays the information in an SQL error message. NOTE: this issue has been disputed by a...
CVE-2006-2702 1 Wordpress 1 Wordpress 2018-10-18 5.0
vars.php in WordPress 2.0.2, possibly when running on Mac OS X, allows remote attackers to spoof their IP address via a PC_REMOTE_ADDR HTTP header, which vars.php uses to redefine $_SERVER['REMOTE_ADDR'].
CVE-2006-2667 1 Wordpress 1 Wordpress 2018-10-18 7.5
Direct static code injection vulnerability in WordPress 2.0.2 and earlier allows remote attackers to execute arbitrary commands by inserting a carriage return and PHP code when updating a profile, which is appended after a special comment...
CVE-2006-0986 1 Wordpress 1 Wordpress 2018-10-18 5.0
WordPress 2.0.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) default-filters.php, (2) template-loader.php, (3) rss-functions.php, (4) locale.php, (5) wp-db.php, and (6) kses.php in the...
CVE-2006-0985 1 Wordpress 1 Wordpress 2018-10-18 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the "post comment" functionality of WordPress 2.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) website, and (3) comment parameters.
CVE-2006-4743 1 Wordpress 1 Wordpress 2018-10-17 5.0
WordPress 2.0.2 through 2.0.5 allows remote attackers to obtain sensitive information via a direct request for (1) 404.php, (2) akismet.php, (3) archive.php, (4) archives.php, (5) attachment.php, (6) blogger.php, (7) comments.php, (8)...
CVE-2007-3241 1 Wordpress 1 Wordpress 2018-10-16 4.3
Cross-site scripting (XSS) vulnerability in blogroll.php in the cordobo-green-park theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI.
CVE-2007-3240 1 Wordpress 1 Wordpress 2018-10-16 4.3
Cross-site scripting (XSS) vulnerability in 404.php in the Vistered-Little theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the URI (REQUEST_URI) that accesses index.php. NOTE: this can be leveraged for PHP...