National Vulnerability Database

Search Results

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:wordpress:wordpress:2.1:rc2
There are 288 matching records.
Displaying matches 61 through 80.
Columns: Vuln ID | Summary | Published | CVSS Severity (V3.0 and V2)
CVE-2017-5491

wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name.

Published: January 14, 2017; 09:59:02 PM -05:00
V3.0: 5.3 MEDIUM
    V2: 5.0 MEDIUM
CVE-2017-5490

Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php.

Published: January 14, 2017; 09:59:02 PM -05:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2017-5489

Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload.

Published: January 14, 2017; 09:59:02 PM -05:00
V3.0: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2017-5488

Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) version header of a plugin.

Published: January 14, 2017; 09:59:02 PM -05:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2017-5487

wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.

Published: January 14, 2017; 09:59:02 PM -05:00
V3.0: 5.3 MEDIUM
    V2: 5.0 MEDIUM
CVE-2016-7169

Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter.

Published: January 04, 2017; 09:59:03 PM -05:00
V3.0: 6.3 MEDIUM
    V2: 6.5 MEDIUM
CVE-2016-7168

Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename.

Published: January 04, 2017; 09:59:03 PM -05:00
V3.0: 4.8 MEDIUM
    V2: 3.5 LOW
CVE-2016-6635

Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers to hijack the authentication of administrators for requests that change the script compression option.

Published: August 07, 2016; 12:59:17 PM -04:00
V3.0: 8.8 HIGH
    V2: 6.8 MEDIUM
CVE-2016-6634

Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: August 07, 2016; 12:59:15 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-4029

WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address.

Published: August 07, 2016; 12:59:00 PM -04:00
V3.0: 8.6 HIGH
    V2: 5.0 MEDIUM
CVE-2016-5839

WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors.

Published: June 29, 2016; 10:10:10 AM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2016-5838

WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie.

Published: June 29, 2016; 10:10:09 AM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2016-5837

WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors.

Published: June 29, 2016; 10:10:08 AM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2016-5836

The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors.

Published: June 29, 2016; 10:10:07 AM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2016-5835

WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php.

Published: June 29, 2016; 10:10:06 AM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2016-5834

Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833.

Published: June 29, 2016; 10:10:05 AM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-5833

Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834.

Published: June 29, 2016; 10:10:04 AM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-5832

The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors.

Published: June 29, 2016; 10:10:03 AM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2016-4567

Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn."

Published: May 21, 2016; 09:59:31 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-4566

Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack.

Published: May 21, 2016; 09:59:30 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM