Total
577 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2007-1893 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 4.9 MEDIUM | N/A |
| xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users with the contributor role to bypass intended access restrictions and invoke the publish_posts functionality, which can be used to "publish a previously saved post." | |||||
| CVE-2007-5105 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 and 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the user_email parameter. | |||||
| CVE-2007-3140 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in xmlrpc.php in WordPress 2.2 allows remote authenticated users to execute arbitrary SQL commands via a parameter value in an XML RPC wp.suggestCategories methodCall, a different vector than CVE-2007-1897. | |||||
| CVE-2006-6808 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 6.8 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in wp-admin/templates.php in WordPress 2.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. NOTE: some sources have reported this as a vulnerability in the get_file_description function in wp-admin/admin-functions.php. | |||||
| CVE-2007-1622 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series, allows remote authenticated users with theme privileges to inject arbitrary web script or HTML via the PATH_INFO in the administration interface, related to loose regular expression processing of PHP_SELF. | |||||
| CVE-2007-0540 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 5.0 MEDIUM | N/A |
| WordPress allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a file with a binary content type, which is downloaded even though it cannot contain usable pingback data. | |||||
| CVE-2007-3238 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 6.0 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress 2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php, a different vulnerability than CVE-2007-1622. NOTE: this might not cross privilege boundaries in some configurations, since the Administrator role has the unfiltered_html capability. | |||||
| CVE-2007-0262 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 7.8 HIGH | N/A |
| WordPress 2.0.6, and 2.1Alpha 3 (SVN:4662), does not properly verify that the m parameter value has the string data type, which allows remote attackers to obtain sensitive information via an invalid m[] parameter, as demonstrated by obtaining the path, and obtaining certain SQL information such as the table prefix. | |||||
| CVE-2007-1897 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute arbitrary SQL commands via a string parameter value in an XML RPC mt.setPostCategories method call, related to the post_id variable. | |||||
| CVE-2007-3544 | 1 Wordpress | 2 Wordpress, Wordpress Mu | 2023-12-10 | 6.5 MEDIUM | N/A |
| Unrestricted file upload vulnerability in (1) wp-app.php and (2) app.php in WordPress 2.2.1 and WordPress MU 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code via unspecified vectors, possibly related to the wp_postmeta table and the use of custom fields in normal (non-attachment) posts. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2007-3543. | |||||
| CVE-2008-0664 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 6.4 MEDIUM | N/A |
| The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors. | |||||
| CVE-2008-0192 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the popuptitle parameter to (1) wp-admin/post.php or (2) wp-admin/page-new.php. | |||||
| CVE-2007-4894 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a allow remote attackers to execute arbitrary SQL commands via the post_type parameter to the pingback.extensions.getPingbacks method in the XMLRPC interface, and other unspecified parameters related to "early database escaping" and missing validation of "query string like parameters." | |||||
| CVE-2007-4139 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Temporary Uploads editing functionality (wp-admin/includes/upload.php) in WordPress 2.2.1, allows remote attackers to inject arbitrary web script or HTML via the style parameter to wp-admin/upload.php. | |||||
| CVE-2007-2821 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 7.5 HIGH | N/A |
| SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter. | |||||
| CVE-2006-5705 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 6.0 MEDIUM | N/A |
| Multiple directory traversal vulnerabilities in plugins/wp-db-backup.php in WordPress before 2.0.5 allow remote authenticated users to read or overwrite arbitrary files via directory traversal sequences in the (1) backup and (2) fragment parameters in a GET request. | |||||
| CVE-2007-1244 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the AdminPanel in WordPress 2.1.1 and earlier allows remote attackers to perform privileged actions as administrators, as demonstrated using the delete action in wp-admin/post.php. NOTE: this issue can be leveraged to perform cross-site scripting (XSS) attacks and steal cookies via the post parameter. | |||||
| CVE-2008-0196 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 5.0 MEDIUM | N/A |
| Multiple directory traversal vulnerabilities in WordPress 2.0.11 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the page parameter to certain PHP scripts under wp-admin/ or (2) the import parameter to wp-admin/admin.php, as demonstrated by discovering the full path via a request for the \..\..\wp-config pathname; and allow remote attackers to modify arbitrary files via a .. (dot dot) in the file parameter to wp-admin/templates.php. | |||||
| CVE-2007-3639 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 4.0 MEDIUM | N/A |
| WordPress before 2.2.2 allows remote attackers to redirect visitors to other websites and potentially obtain sensitive information via (1) the _wp_http_referer parameter to wp-pass.php, related to the wp_get_referer function in wp-includes/functions.php; and possibly other vectors related to (2) wp-includes/pluggable.php and (3) the wp_nonce_ays function in wp-includes/functions.php. | |||||
| CVE-2007-5710 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in wp-admin/edit-post-rows.php in WordPress 2.3 allows remote attackers to inject arbitrary web script or HTML via the posts_columns array parameter. | |||||