National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Search Type: Search All
  • Keyword (text search): wordpress
There are 2,802 matching records.
Displaying matches 2721 through 2740.
Vuln ID Summary CVSS Severity
CVE-2007-3544

Unrestricted file upload vulnerability in (1) wp-app.php and (2) app.php in WordPress 2.2.1 and WordPress MU 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code via unspecified vectors, possibly related to the wp_postmeta table and the use of custom fields in normal (non-attachment) posts. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2007-3543.

Published: July 03, 2007; 04:30:00 PM -04:00
    V2: 6.5 MEDIUM
CVE-2007-3288

Cross-site scripting (XSS) vulnerability in the skeltoac stats (Automattic Stats) 1.0 plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer field.

Published: June 20, 2007; 05:30:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-3238

Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress 2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php, a different vulnerability than CVE-2007-1622. NOTE: this might not cross privilege boundaries in some configurations, since the Administrator role has the unfiltered_html capability.

Published: June 14, 2007; 09:30:00 PM -04:00
    V2: 6.0 MEDIUM
CVE-2007-3239

Cross-site scripting (XSS) vulnerability in searchform.php in the AndyBlue theme before 20070607 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI to index.php. NOTE: this can be leveraged for PHP code execution in an administrative session.

Published: June 14, 2007; 09:30:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-3240

Cross-site scripting (XSS) vulnerability in 404.php in the Vistered-Little theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the URI (REQUEST_URI) that accesses index.php. NOTE: this can be leveraged for PHP code execution in an administrative session.

Published: June 14, 2007; 09:30:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-3241

Cross-site scripting (XSS) vulnerability in blogroll.php in the cordobo-green-park theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI.

Published: June 14, 2007; 09:30:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-3140

SQL injection vulnerability in xmlrpc.php in WordPress 2.2 allows remote authenticated users to execute arbitrary SQL commands via a parameter value in an XML RPC wp.suggestCategories methodCall, a different vector than CVE-2007-1897.

Published: June 08, 2007; 12:30:00 PM -04:00
    V2: 6.5 MEDIUM
CVE-2007-2821

SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter.

Published: May 22, 2007; 05:30:00 PM -04:00
    V2: 7.5 HIGH
CVE-2007-2828

Cross-site request forgery (CSRF) vulnerability in adsense-deluxe.php in the AdSense-Deluxe 0.x plugin for WordPress allows remote attackers to perform unspecified actions as arbitrary users via unspecified vectors.

Published: May 22, 2007; 05:30:00 PM -04:00
    V2: 6.0 MEDIUM
CVE-2007-2714

Unspecified vulnerability in akismet.php in Matt Mullenweg Akismet before 2.0.2, a WordPress plugin, has unknown impact and attack vectors.

Published: May 16, 2007; 06:19:00 AM -04:00
    V2: 10.0 HIGH
CVE-2007-2627

Cross-site scripting (XSS) vulnerability in sidebar.php in WordPress, when custom 404 pages that call get_sidebar are used, allows remote attackers to inject arbitrary web script or HTML via the query string (PHP_SELF), a different vulnerability than CVE-2007-1622.

Published: May 11, 2007; 01:19:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2007-2481

PHP remote file inclusion vulnerability in wordtube-button.php in the wordTube 1.43 and earlier plugin for WordPress, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the wpPATH parameter.

Published: May 03, 2007; 01:19:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2007-2482

Directory traversal vulnerability in wordtube-button.php in the wordTube 1.43 and earlier plugin for WordPress, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the wpPATH parameter.

Published: May 03, 2007; 01:19:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2007-2483

Directory traversal vulnerability in js/wptable-button.php in the wp-Table 1.43 and earlier plugin for WordPress, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via the wpPATH parameter.

Published: May 03, 2007; 01:19:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2007-2484

PHP remote file inclusion vulnerability in js/wptable-button.php in the wp-Table 1.43 and earlier plugin for WordPress, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the wpPATH parameter.

Published: May 03, 2007; 01:19:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2007-2485

PHP remote file inclusion vulnerability in myflash-button.php in the myflash 1.00 and earlier plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the wpPATH parameter.

Published: May 03, 2007; 01:19:00 PM -04:00
    V2: 7.5 HIGH
CVE-2007-2426

PHP remote file inclusion vulnerability in myfunctions/mygallerybrowser.php in the myGallery 1.4b4 and earlier plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the myPath parameter.

Published: May 01, 2007; 08:19:00 PM -04:00
    V2: 7.5 HIGH
CVE-2007-1893

xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users with the contributor role to bypass intended access restrictions and invoke the publish_posts functionality, which can be used to "publish a previously saved post."

Published: April 09, 2007; 04:19:00 PM -04:00
    V2: 4.9 MEDIUM
CVE-2007-1894

Cross-site scripting (XSS) vulnerability in wp-includes/general-template.php in WordPress before 20070309 allows remote attackers to inject arbitrary web script or HTML via the year parameter in the wp_title function.

Published: April 09, 2007; 04:19:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-1897

SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute arbitrary SQL commands via a string parameter value in an XML RPC mt.setPostCategories method call, related to the post_id variable.

Published: April 09, 2007; 04:19:00 PM -04:00
    V2: 6.5 MEDIUM