National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 2,934 matching records.
Displaying matches 2821 through 2840.
Vuln ID Summary CVSS Severity
CVE-2007-5097

** DISPUTED ** PHP remote file inclusion vulnerability in lib/classes/offl_nflteam.php in Online Fantasy Football League (OFFL) 0.2.6 allows remote attackers to execute arbitrary PHP code via a URL in the DOC_ROOT parameter. NOTE: this issue is disputed by CVE because a __FILE__ test protects offl_nflteam.php against direct requests.

Published: September 26, 2007; 06:17:00 PM -04:00
    V2: 7.5 HIGH
CVE-2007-5105

Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 and 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the user_email parameter.

Published: September 26, 2007; 06:17:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-5106

Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 allows remote attackers to inject arbitrary web script or HTML via the user_login parameter.

Published: September 26, 2007; 06:17:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-5035

** DISPUTED ** PHP remote file inclusion vulnerability in html/modules/extranet_profile/main.php in openEngine 1.9 beta1 allows remote attackers to execute arbitrary PHP code via a URL in the this_module_path parameter. NOTE: this issue is disputed by CVE because PHP encounters a fatal function-call error on a direct request for the file, before reaching the include statement.

Published: September 23, 2007; 08:17:00 PM -04:00
    V2: 7.5 HIGH
CVE-2007-5014

Multiple PHP remote file inclusion vulnerabilities in pSlash 0.70 allow remote attackers to execute arbitrary PHP code via a URL in (1) the lvc_admin_dir parameter to modules/visitors2/admin/view-archiver.inc.php or (2) the lvc_include_dir parameter to modules/visitors2/include/menus.inc.php. NOTE: the modules/visitors2/include/config.inc.php vector is already covered by CVE-2006-4373. NOTE: vector 1 is disputed by CVE because PHP encounters a fatal instantiation error on a direct request for the file, before reaching the include statement.

Published: September 20, 2007; 05:17:00 PM -04:00
    V2: 7.5 HIGH
CVE-2007-5015

Multiple PHP remote file inclusion vulnerabilities in Streamline PHP Media Server 1.0-beta4 allow remote attackers to execute arbitrary PHP code via a URL in the sl_theme_unix_path parameter to (1) admin_footer.php, (2) info_footer.php, (3) theme_footer.php, (4) browse_footer.php, (5) account_footer.php, or (6) search_footer.php in core/theme/includes/. NOTE: the vulnerability is present only when the administrator does not follow installation instructions about the requirement for .htaccess Limit support.

Published: September 20, 2007; 05:17:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2007-4947

Multiple PHP remote file inclusion vulnerabilities in myphpPagetool 0.4.3 allow remote attackers to execute arbitrary PHP code via a URL in the ptinclude parameter to (1) help1.php, (2) help2.php, (3) help3.php, (4) help4.php, (5) help5.php, (6) help6.php, (7) help7.php, (7) help8.php, (8) help9.php, or (10) index.php in doc/admin/.

Published: September 18, 2007; 04:17:00 PM -04:00
    V2: 7.5 HIGH
CVE-2007-4948

Multiple PHP remote file inclusion vulnerabilities in Webmedia Explorer (webmex) 3.2.2 allow remote attackers to execute arbitrary PHP code via (1) a URL in the path_include parameter to includes/rss.class.php, (2) a URL in the path_template parameter to (a) templates/main.tpl.php or (b) templates/folder_messages_link_message_name.tpl.php, or (4) a URL in the path_templates parameter to templates/sidebar.tpl.php. NOTE: the vulnerability is present only when the administrator does not follow installation instructions about the requirement for .htaccess support. NOTE: the includes/core.lib.php vector is already covered by CVE-2006-5252.

Published: September 18, 2007; 04:17:00 PM -04:00
    V2: 5.1 MEDIUM
CVE-2007-4949

** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in php(Reactor) 1.2.7pl1 allow remote attackers to execute arbitrary PHP code via a URL in the pathtohomedir parameter to (1) ekilat.com-int.tpl.php, (2) phpreactor.org-top.tpl.php, or (3) ekilat.com-top.tpl.php in examples/. NOTE: this issue has been disputed by CVE, since the vulnerability is present only when the product is incorrectly installed by placing examples/ under the web root.

Published: September 18, 2007; 04:17:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2007-4950

** DISPUTED ** PHP remote file inclusion vulnerability in form/db_form/employee.php in PHPortal 0.2.7 allows remote attackers to execute arbitrary PHP code via a URL in the DOCUMENT_ROOT parameter. NOTE: this issue is disputed by CVE, since DOCUMENT_ROOT cannot be modified by an attacker.

Published: September 18, 2007; 04:17:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2007-4951

** DISPUTED ** PHP remote file inclusion vulnerability in sample.php in YaPiG 0.95b allows remote attackers to execute arbitrary PHP code via a URL in the YAPIG_PATH parameter. NOTE: this issue has been disputed by CVE, since YAPIG_PATH is defined before use.

Published: September 18, 2007; 04:17:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2007-4934

Multiple PHP remote file inclusion vulnerabilities in phpFFL 1.24 allow remote attackers to execute arbitrary PHP code via a URL in the PHPFFL_FILE_ROOT parameter to (1) program_files/livedraft/livedraft.php or (2) program_files/livedraft/admin.php.

Published: September 18, 2007; 02:17:00 PM -04:00
    V2: 4.6 MEDIUM
CVE-2007-4935

Multiple PHP remote file inclusion vulnerabilities in phpFFL 1.24 allow remote attackers to execute arbitrary PHP code via a URL in the PHPFFL_FILE_ROOT parameter to (1) admin.php, (2) custom_pages.php, (3) draft.php, (4) faq.php, (5) leagues.php, (6) livedraft.php, (7) login.php, (8) my_team.php, (9) profile.php, (10) signup.php, (11) statistics.php, (12) transactions.php, (13) program_files/admin/custom_pages.php, or (14) program_files/common.php. NOTE: the program_files/livedraft/admin.php and program_files/livedraft/livedraft.php vectors are covered by CVE-2007-4934.

Published: September 18, 2007; 02:17:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2007-4921

PHP remote file inclusion vulnerability in _includes/settings.inc.php in Ajax File Browser 3 Beta allows remote attackers to execute arbitrary PHP code via a URL in the approot parameter.

Published: September 17, 2007; 01:17:00 PM -04:00
    V2: 7.5 HIGH
CVE-2007-4893

wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a does not properly verify the unfiltered_html privilege, which allows remote attackers to conduct cross-site scripting (XSS) attacks via modified data to (1) post.php or (2) page.php with a no_filter field.

Published: September 14, 2007; 02:17:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-4894

Multiple SQL injection vulnerabilities in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a allow remote attackers to execute arbitrary SQL commands via the post_type parameter to the pingback.extensions.getPingbacks method in the XMLRPC interface, and other unspecified parameters related to "early database escaping" and missing validation of "query string like parameters."

Published: September 14, 2007; 02:17:00 PM -04:00
    V2: 7.5 HIGH
CVE-2007-4544

Cross-site scripting (XSS) vulnerability in wp-newblog.php in WordPress multi-user (MU) 1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the weblog_id parameter (Username field).

Published: August 27, 2007; 07:17:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-4480

Cross-site scripting (XSS) vulnerability in index.php in the Sirius 1.0 theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF).

Published: August 22, 2007; 07:17:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-4481

Cross-site scripting (XSS) vulnerability in index.php in the (1) Blix 0.9.1 and (2) Blix 0.9.1 Rus themes for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF).

Published: August 22, 2007; 07:17:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-4482

Cross-site scripting (XSS) vulnerability in index.php in the Pool 1.0.7 theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF).

Published: August 22, 2007; 07:17:00 PM -04:00
    V2: 4.3 MEDIUM