U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:wordpress:wordpress:3.3:rc2:*:*:*:*:*:*
  • CPE Name Search: true
There are 271 matching records.
Displaying matches 181 through 200.
Vuln ID Summary CVSS Severity
CVE-2012-2401

Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content.

Published: April 21, 2012; 7:55:01 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-2400

Unspecified vulnerability in wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown impact and attack vectors.

Published: April 21, 2012; 7:55:01 PM -0400
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2012-2399

Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a different vulnerability than CVE-2012-3414.

Published: April 21, 2012; 7:55:01 PM -0400
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2012-1786

The Media Upload form in the Video Embed & Thumbnail Generator plugin before 2.0 for WordPress allows remote attackers to obtain the installation path via unknown vectors.

Published: March 19, 2012; 2:55:03 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-1785

kg_callffmpeg.php in the Video Embed & Thumbnail Generator plugin before 2.0 for WordPress allows remote attackers to execute arbitrary commands via unspecified vectors.

Published: March 19, 2012; 2:55:03 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2011-5082

Cross-site scripting (XSS) vulnerability in the s2Member Pro plugin before 111220 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s2member_pro_authnet_checkout[coupon] parameter (aka Coupon Code field).

Published: March 19, 2012; 2:55:02 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-1205

PHP remote file inclusion vulnerability in relocate-upload.php in Relocate Upload plugin before 0.20 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the abspath parameter.

Published: February 24, 2012; 8:55:05 AM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2012-1068

Cross-site scripting (XSS) vulnerability in the rc_ajax function in core.php in the WP-RecentComments plugin before 2.0.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter, related to AJAX paging.

Published: February 14, 2012; 12:55:02 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-1067

SQL injection vulnerability in the WP-RecentComments plugin 2.0.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter in an rc-content action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published: February 14, 2012; 12:55:02 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2012-1011

actions.php in the AllWebMenus plugin 1.1.8 for WordPress allows remote attackers to bypass intended access restrictions to upload and execute arbitrary PHP code by setting the HTTP_REFERER to a certain value, then uploading a ZIP file containing a PHP file, then accessing it via a direct request to the file in an unspecified directory.

Published: February 07, 2012; 4:55:04 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2012-1010

Unrestricted file upload vulnerability in actions.php in the AllWebMenus plugin before 1.1.8 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a ZIP file containing a PHP file, then accessing it via a direct request to the file in an unspecified directory.

Published: February 07, 2012; 4:55:04 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2012-0937

wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which allows remote attackers to use WordPress as a proxy for brute-force attacks or denial of service attacks via the dbhost parameter, a different vulnerability than CVE-2011-4898. NOTE: the vendor disputes the significance of this issue because an incomplete WordPress installation might be present on the network for only a short time

Published: January 30, 2012; 12:55:01 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-0782

Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dbhost, (2) dbname, or (3) uname parameter. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether this specific XSS scenario has security relevance

Published: January 30, 2012; 12:55:00 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2011-4899

wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via the dbhost and dbname parameters, and subsequently conduct static code injection and cross-site scripting (XSS) attacks via (1) an HTTP request or (2) a MySQL query. NOTE: the vendor disputes the significance of this issue; however, remote code execution makes the issue important in many realistic environments

Published: January 30, 2012; 12:55:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2011-4898

wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during installation would be reasonable from a usability perspective

Published: January 30, 2012; 12:55:00 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-0934

PHP remote file inclusion vulnerability in ajax/savetag.php in the Theme Tuner plugin for WordPress before 0.8 allows remote attackers to execute arbitrary PHP code via a URL in the tt-abspath parameter.

Published: January 28, 2012; 11:04:44 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2012-0898

Directory traversal vulnerability in meb_download.php in the myEASYbackup plugin 1.0.8.1 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dwn_file parameter.

Published: January 20, 2012; 12:55:02 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-0896

Absolute path traversal vulnerability in download.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to read arbitrary files via the f parameter.

Published: January 20, 2012; 12:55:01 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2012-0895

Cross-site scripting (XSS) vulnerability in map/map.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the map parameter.

Published: January 20, 2012; 12:55:01 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-0287

Cross-site scripting (XSS) vulnerability in wp-comments-post.php in WordPress 3.3.x before 3.3.1, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via the query string in a POST operation that is not properly handled by the "Duplicate comment detected" feature.

Published: January 05, 2012; 11:01:26 PM -0500
V3.x:(not available)
V2.0: 2.6 LOW