National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:wordpress:wordpress:2.3:beta2
There are 280 matching records.
Displaying matches 161 through 180.
Vuln ID Summary CVSS Severity
CVE-2012-1205

PHP remote file inclusion vulnerability in relocate-upload.php in Relocate Upload plugin before 0.20 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the abspath parameter.

Published: February 24, 2012; 08:55:05 AM -05:00
    V2: 7.5 HIGH
CVE-2012-1068

Cross-site scripting (XSS) vulnerability in the rc_ajax function in core.php in the WP-RecentComments plugin before 2.0.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter, related to AJAX paging.

Published: February 14, 2012; 12:55:02 PM -05:00
    V2: 4.3 MEDIUM
CVE-2012-1067

SQL injection vulnerability in the WP-RecentComments plugin 2.0.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter in an rc-content action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published: February 14, 2012; 12:55:02 PM -05:00
    V2: 7.5 HIGH
CVE-2012-1011

actions.php in the AllWebMenus plugin 1.1.8 for WordPress allows remote attackers to bypass intended access restrictions to upload and execute arbitrary PHP code by setting the HTTP_REFERER to a certain value, then uploading a ZIP file containing a PHP file, then accessing it via a direct request to the file in an unspecified directory.

Published: February 07, 2012; 04:55:04 PM -05:00
    V2: 7.5 HIGH
CVE-2012-1010

Unrestricted file upload vulnerability in actions.php in the AllWebMenus plugin before 1.1.8 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a ZIP file containing a PHP file, then accessing it via a direct request to the file in an unspecified directory.

Published: February 07, 2012; 04:55:04 PM -05:00
    V2: 7.5 HIGH
CVE-2012-0937

** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which allows remote attackers to use WordPress as a proxy for brute-force attacks or denial of service attacks via the dbhost parameter, a different vulnerability than CVE-2011-4898. NOTE: the vendor disputes the significance of this issue because an incomplete WordPress installation might be present on the network for only a short time.

Published: January 30, 2012; 12:55:01 PM -05:00
    V2: 5.0 MEDIUM
CVE-2012-0782

** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dbhost, (2) dbname, or (3) uname parameter. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether this specific XSS scenario has security relevance.

Published: January 30, 2012; 12:55:00 PM -05:00
    V2: 4.3 MEDIUM
CVE-2011-4899

** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via the dbhost and dbname parameters, and subsequently conduct static code injection and cross-site scripting (XSS) attacks via (1) an HTTP request or (2) a MySQL query. NOTE: the vendor disputes the significance of this issue; however, remote code execution makes the issue important in many realistic environments.

Published: January 30, 2012; 12:55:00 PM -05:00
    V2: 7.5 HIGH
CVE-2011-4898

** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during installation would be reasonable from a usability perspective.

Published: January 30, 2012; 12:55:00 PM -05:00
    V2: 5.0 MEDIUM
CVE-2012-0934

PHP remote file inclusion vulnerability in ajax/savetag.php in the Theme Tuner plugin for WordPress before 0.8 allows remote attackers to execute arbitrary PHP code via a URL in the tt-abspath parameter.

Published: January 28, 2012; 11:04:44 PM -05:00
    V2: 7.5 HIGH
CVE-2012-0898

Directory traversal vulnerability in meb_download.php in the myEASYbackup plugin 1.0.8.1 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dwn_file parameter.

Published: January 20, 2012; 12:55:02 PM -05:00
    V2: 5.0 MEDIUM
CVE-2012-0896

Absolute path traversal vulnerability in download.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to read arbitrary files via the f parameter.

Published: January 20, 2012; 12:55:01 PM -05:00
    V2: 5.0 MEDIUM
CVE-2012-0895

Cross-site scripting (XSS) vulnerability in map/map.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the map parameter.

Published: January 20, 2012; 12:55:01 PM -05:00
    V2: 4.3 MEDIUM
CVE-2011-5051

Multiple unrestricted file upload vulnerabilities in the WP Symposium plugin before 11.12.24 for WordPress allow remote attackers to execute arbitrary code by uploading a file with an executable extension using (1) uploadify/upload_admin_avatar.php or (2) uploadify/upload_profile_avatar.php, then accessing it via a direct request to the file in an unspecified directory inside the webroot.

Published: January 04, 2012; 02:55:02 PM -05:00
    V2: 7.5 HIGH
CVE-2011-4803

SQL injection vulnerability in wptouch/ajax.php in the WPTouch plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.

Published: December 13, 2011; 07:55:04 PM -05:00
    V2: 7.5 HIGH
CVE-2011-4673

SQL injection vulnerability in modules/sharedaddy.php in the Jetpack plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.

Published: December 02, 2011; 01:55:02 PM -05:00
    V2: 7.5 HIGH
CVE-2011-4671

SQL injection vulnerability in adrotate/adrotate-out.php in the AdRotate plugin 3.6.6, and other versions before 3.6.8, for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter (aka redirect URL).

Published: December 02, 2011; 01:55:00 PM -05:00
    V2: 7.5 HIGH
CVE-2011-4669

SQL injection vulnerability in wp-users.php in WordPress Users plugin 1.3 and possibly earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the uid parameter to index.php.

Published: December 02, 2011; 11:55:00 AM -05:00
    V2: 7.5 HIGH
CVE-2011-4646

SQL injection vulnerability in wp-postratings.php in the WP-PostRatings plugin 1.50, 1.61, and probably other versions before 1.62 for WordPress allows remote authenticated users with the Author role to execute arbitrary SQL commands via the id attribute of the ratings shortcode when creating a post. NOTE: some of these details are obtained from third party information.

Published: November 30, 2011; 02:55:00 PM -05:00
    V2: 6.0 MEDIUM
CVE-2011-4568

Cross-site scripting (XSS) vulnerability in view/frontend-head.php in the Flowplayer plugin before 1.2.12 for WordPress allows remote attackers to inject arbitrary web script or HTML via the URI.

Published: November 29, 2011; 06:55:05 AM -05:00
    V2: 4.3 MEDIUM