National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:wordpress:wordpress:2.3:beta2
There are 287 matching records.
Displaying matches 261 through 280.
Vuln ID Summary CVSS Severity
CVE-2008-5278

Cross-site scripting (XSS) vulnerability in the self_link function in in the RSS Feed Generator (wp-includes/feed.php) for WordPress before 2.6.5 allows remote attackers to inject arbitrary web script or HTML via the Host header (HTTP_HOST variable).

Published: November 28, 2008; 02:30:00 PM -05:00
    V2: 4.3 MEDIUM
CVE-2008-4769

Directory traversal vulnerability in the get_category_template function in wp-includes/theme.php in WordPress 2.3.3 and earlier, and 2.5, allows remote attackers to include and possibly execute arbitrary PHP files via the cat parameter in index.php. NOTE: some of these details are obtained from third party information.

Published: October 28, 2008; 06:30:01 AM -04:00
    V2: 9.3 HIGH
CVE-2008-4734

Cross-site request forgery (CSRF) vulnerability in the wpcr_do_options_page function in WP Comment Remix plugin before 1.4.4 for WordPress allows remote attackers to perform unauthorized actions as administrators via a request that sets the wpcr_hidden_form_input parameter.

Published: October 24, 2008; 06:30:00 AM -04:00
    V2: 7.5 HIGH
CVE-2008-4733

Cross-site scripting (XSS) vulnerability in wpcommentremix.php in WP Comment Remix plugin before 1.4.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the (1) replytotext, (2) quotetext, (3) originallypostedby, (4) sep, (5) maxtags, (6) tagsep, (7) tagheadersep, (8) taglabel, and (9) tagheaderlabel parameters.

Published: October 24, 2008; 06:30:00 AM -04:00
    V2: 4.3 MEDIUM
CVE-2008-4732

SQL injection vulnerability in ajax_comments.php in the WP Comment Remix plugin before 1.4.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the p parameter.

Published: October 24, 2008; 06:30:00 AM -04:00
    V2: 7.5 HIGH
CVE-2008-4625

SQL injection vulnerability in stnl_iframe.php in the ShiftThis Newsletter (st_newsletter) plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the newsletter parameter, a different vector than CVE-2008-0683.

Published: October 20, 2008; 09:18:02 PM -04:00
    V2: 7.5 HIGH
CVE-2008-4106

WordPress before 2.6.2 does not properly handle MySQL warnings about insertion of username strings that exceed the maximum column width of the user_login column, and does not properly handle space characters when comparing usernames, which allows remote attackers to change an arbitrary user's password to a random value by registering a similar username and then requesting a password reset, related to a "SQL column truncation vulnerability." NOTE: the attacker can discover the random password by also exploiting CVE-2008-4107.

Published: September 18, 2008; 01:59:33 PM -04:00
    V2: 5.1 MEDIUM
CVE-2008-3747

The (1) get_edit_post_link and (2) get_edit_comment_link functions in wp-includes/link-template.php in WordPress before 2.6.1 do not force SSL communication in the intended situations, which might allow remote attackers to gain administrative access by sniffing the network for a cookie.

Published: August 27, 2008; 11:21:00 AM -04:00
    V2: 7.5 HIGH
CVE-2008-3233

Cross-site scripting (XSS) vulnerability in WordPress before 2.6, SVN development versions only, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: July 18, 2008; 12:41:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2008-2392

Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier might allow remote authenticated administrators to upload and execute arbitrary PHP files via the Upload section in the Write Tabs area of the dashboard.

Published: May 21, 2008; 09:24:00 AM -04:00
    V2: 9.0 HIGH
CVE-2008-1982

SQL injection vulnerability in ss_load.php in the Spreadsheet (wpSS) 0.6 and earlier plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the ss_id parameter.

Published: April 27, 2008; 04:05:00 PM -04:00
    V2: 7.5 HIGH
CVE-2008-0664

The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors.

Published: February 07, 2008; 09:00:00 PM -05:00
    V2: 6.4 MEDIUM
CVE-2008-0615

Directory traversal vulnerability in wp-admin/admin.php in the DMSGuestbook 1.8.0 and 1.7.0 plugin for WordPress allows remote authenticated users to read arbitrary files via a .. (dot dot) in the (1) folder and (2) file parameters.

Published: February 06, 2008; 07:00:00 AM -05:00
    V2: 4.0 MEDIUM
CVE-2008-0616

SQL injection vulnerability in the administration panel in the DMSGuestbook 1.7.0 plugin for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via unspecified vectors. NOTE: it is not clear whether this issue crosses privilege boundaries.

Published: February 06, 2008; 07:00:00 AM -05:00
    V2: 6.5 MEDIUM
CVE-2008-0617

Multiple cross-site scripting (XSS) vulnerabilities in the DMSGuestbook 1.7.0 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) file parameter to wp-admin/admin.php, or the (2) messagefield parameter in the guestbook page, and the (3) title parameter in the messagearea.

Published: February 06, 2008; 07:00:00 AM -05:00
    V2: 4.3 MEDIUM
CVE-2008-0618

Multiple cross-site scripting (XSS) vulnerabilities in the DMSGuestbook 1.8.0 and 1.7.0 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) gbname, (2) gbemail, (3) gburl, and (4) gbmsg parameters to unspecified programs. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published: February 06, 2008; 07:00:00 AM -05:00
    V2: 4.3 MEDIUM
CVE-2008-0491

SQL injection vulnerability in fim_rss.php in the fGallery 2.4.1 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the album parameter.

Published: January 30, 2008; 05:00:00 PM -05:00
    V2: 7.5 HIGH
CVE-2007-6677

Cross-site scripting (XSS) vulnerability in Peter's Random Anti-Spam Image 0.2.4 and earlier plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the comment field in the comment form.

Published: January 09, 2008; 07:46:00 PM -05:00
    V2: 4.3 MEDIUM
CVE-2008-0191

WordPress 2.2.x and 2.3.x allows remote attackers to obtain sensitive information via an invalid p parameter in an rss2 action to the default URI, which reveals the full path and the SQL database structure.

Published: January 09, 2008; 07:46:00 PM -05:00
    V2: 5.0 MEDIUM
CVE-2008-0193

Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress 2.0.11 and earlier, and possibly 2.1.x through 2.3.x, allows remote attackers to inject arbitrary web script or HTML via the backup parameter in a wp-db-backup.php action to wp-admin/edit.php.

Published: January 09, 2008; 07:46:00 PM -05:00
    V2: 4.3 MEDIUM