National Vulnerability Database

Search Results

Search Parameters:
  • Results Type: Overview
  • Search Type: Search All
  • Keyword (text search): wordpress
There are 2,936 matching records.
Displaying matches 2761 through 2780.
Vuln ID Summary CVSS Severity
CVE-2008-1061

Multiple cross-site scripting (XSS) vulnerabilities in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to (a) warning.php, (b) notice.php, and (c) inset.php in view/sniplets/, and possibly (d) modules/execute.php; the (2) url parameter to (e) view/admin/submenu.php; and the (3) page parameter to (f) view/admin/pager.php.

Published: February 28, 2008; 02:44:00 PM -05:00
    V2: 4.3 MEDIUM
CVE-2008-0939

Multiple SQL injection vulnerabilities in wppa.php in the WP Photo Album (WPPA) before 1.1 plugin for WordPress allow remote attackers to execute arbitrary SQL commands via (1) the photo parameter to index.php, used by the wppa_photo_name function; or (2) the album parameter to index.php, used by the wppa_album_name function. NOTE: some of these details are obtained from third party information.

Published: February 25, 2008; 03:44:00 PM -05:00
    V2: 7.5 HIGH
CVE-2008-0837

Cross-site scripting (XSS) vulnerability in the log feature in the John Godley Search Unleashed 0.2.10 plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter, which is not properly handled when the administrator views the log file.

Published: February 20, 2008; 04:44:00 PM -05:00
    V2: 4.3 MEDIUM
CVE-2008-0845

SQL injection vulnerability in wp-people-popup.php in Dean Logan WP-People plugin 1.6.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the person parameter.

Published: February 20, 2008; 04:44:00 PM -05:00
    V2: 7.5 HIGH
CVE-2008-0682

SQL injection vulnerability in wordspew-rss.php in the Wordspew plugin before 3.72 for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.

Published: February 11, 2008; 08:00:00 PM -05:00
    V2: 7.5 HIGH
CVE-2008-0683

SQL injection vulnerability in shiftthis-preview.php in the ShiftThis Newsletter (st_newsletter) plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the newsletter parameter.

Published: February 11, 2008; 08:00:00 PM -05:00
    V2: 7.5 HIGH
CVE-2008-0691

Multiple cross-site scripting (XSS) vulnerabilities in admin_panel.php in the Simon Elvery WP-Footnotes 2.2 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) wp_footnotes_current_settings[priority], (2) wp_footnotes_current_settings[style_rules], (3) wp_footnotes_current_settings[pre_footnotes], and (4) wp_footnotes_current_settings[post_footnotes] parameters.

Published: February 11, 2008; 08:00:00 PM -05:00
    V2: 4.3 MEDIUM
CVE-2008-0664

The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors.

Published: February 07, 2008; 09:00:00 PM -05:00
    V2: 6.4 MEDIUM
CVE-2008-0615

Directory traversal vulnerability in wp-admin/admin.php in the DMSGuestbook 1.8.0 and 1.7.0 plugin for WordPress allows remote authenticated users to read arbitrary files via a .. (dot dot) in the (1) folder and (2) file parameters.

Published: February 06, 2008; 07:00:00 AM -05:00
    V2: 4.0 MEDIUM
CVE-2008-0616

SQL injection vulnerability in the administration panel in the DMSGuestbook 1.7.0 plugin for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via unspecified vectors. NOTE: it is not clear whether this issue crosses privilege boundaries.

Published: February 06, 2008; 07:00:00 AM -05:00
    V2: 6.5 MEDIUM
CVE-2008-0617

Multiple cross-site scripting (XSS) vulnerabilities in the DMSGuestbook 1.7.0 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) file parameter to wp-admin/admin.php, or the (2) messagefield parameter in the guestbook page, and the (3) title parameter in the messagearea.

Published: February 06, 2008; 07:00:00 AM -05:00
    V2: 4.3 MEDIUM
CVE-2008-0618

Multiple cross-site scripting (XSS) vulnerabilities in the DMSGuestbook 1.8.0 and 1.7.0 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) gbname, (2) gbemail, (3) gburl, and (4) gbmsg parameters to unspecified programs. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published: February 06, 2008; 07:00:00 AM -05:00
    V2: 4.3 MEDIUM
CVE-2008-0560

** DISPUTED ** PHP remote file inclusion vulnerability in cforms-css.php in Oliver Seidel cforms (contactforms), a WordPress plugin, allows remote attackers to execute arbitrary PHP code via a URL in the tm parameter. NOTE: CVE disputes this issue for 7.3, since there is no tm parameter, and the code exits with a fatal error due to a call to an undefined function.

Published: February 04, 2008; 06:00:00 PM -05:00
    V2: 6.8 MEDIUM
CVE-2008-0507

SQL injection vulnerability in adclick.php in the AdServe 0.2 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.

Published: January 31, 2008; 03:00:00 PM -05:00
    V2: 7.5 HIGH
CVE-2008-0508

Cross-site request forgery (CSRF) vulnerability in deans_permalinks_migration.php in the Dean's Permalinks Migration 1.0 plugin for WordPress allows remote attackers to modify the oldstructure (aka dean_pm_config[oldstructure]) configuration setting as administrators via the old_struct parameter in a deans_permalinks_migration.php action to wp-admin/options-general.php, as demonstrated by placing an XSS sequence in this setting.

Published: January 31, 2008; 03:00:00 PM -05:00
    V2: 6.8 MEDIUM
CVE-2008-0520

Multiple SQL injection vulnerabilities in main.php in the WassUp plugin 1.4 through 1.4.3 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) from_date or (2) to_date parameter to spy.php.

Published: January 31, 2008; 03:00:00 PM -05:00
    V2: 7.5 HIGH
CVE-2008-0490

SQL injection vulnerability in functions/editevent.php in the WP-Cal 0.3 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.

Published: January 30, 2008; 05:00:00 PM -05:00
    V2: 7.5 HIGH
CVE-2008-0491

SQL injection vulnerability in fim_rss.php in the fGallery 2.4.1 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the album parameter.

Published: January 30, 2008; 05:00:00 PM -05:00
    V2: 7.5 HIGH
CVE-2008-0388

SQL injection vulnerability in the WP-Forum 1.7.4 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the user parameter in a showprofile action to the default URI.

Published: January 22, 2008; 09:00:00 PM -05:00
    V2: 6.8 MEDIUM
CVE-2008-0222

Unrestricted file upload vulnerability in ajaxfilemanager.php in the Wp-FileManager 1.2 plugin for WordPress allows remote attackers to upload and execute arbitrary PHP code via unspecified vectors.

Published: January 10, 2008; 06:46:00 PM -05:00
    V2: 7.5 HIGH