U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 4,168 matching records.
Displaying matches 3,981 through 4,000.
Vuln ID Summary CVSS Severity
CVE-2008-2068

Cross-site scripting (XSS) vulnerability in WordPress 2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: May 02, 2008; 7:20:00 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2008-2034

SQL injection vulnerability in wp-download_monitor/download.php in the Download Monitor 2.0.6 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published: April 30, 2008; 12:17:00 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2008-1930

The cookie authentication method in WordPress 2.5 relies on a hash of a concatenated string containing USERNAME and EXPIRY_TIME, which allows remote attackers to forge cookies by registering a username that results in the same concatenated string, as demonstrated by registering usernames beginning with "admin" to obtain administrator privileges, aka a "cryptographic splicing" issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2007-6013.

Published: April 28, 2008; 4:05:00 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2008-1982

SQL injection vulnerability in ss_load.php in the Spreadsheet (wpSS) 0.6 and earlier plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the ss_id parameter.

Published: April 27, 2008; 4:05:00 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2008-1883

The server in Blackboard Academic Suite 7.x stores MD5 password hashes that are provided directly by clients, which makes it easier for remote attackers to access accounts via a modified client that skips the javascript/md5.js hash calculation, and instead sends an arbitrary MD5 string.

Published: April 18, 2008; 11:05:00 AM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2008-1795

Multiple cross-site scripting (XSS) vulnerabilities in Blackboard Academic Suite 7.x and earlier, and possibly some 8.0 versions, allow remote attackers to inject arbitrary web script or HTML via (1) the searchText parameter in a Course action to webapps/blackboard/execute/viewCatalog or (2) the data__announcements___pk1_pk2__subject parameter in an ADD action to bin/common/announcement.pl.

Published: April 15, 2008; 1:05:00 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2008-1646

SQL injection vulnerability in wp-download.php in the WP-Download 1.2 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the dl_id parameter.

Published: April 02, 2008; 1:44:00 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2008-1405

PHP remote file inclusion vulnerability in code/display.php in fuzzylime (cms) 3.01 allows remote attackers to execute arbitrary PHP code via a URL in the admindir parameter.

Published: March 20, 2008; 6:44:00 AM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2008-1408

SQL injection vulnerability in includes/functions/banners-external.php in phpBP 2 RC3 (2.204) FIX 4 allows remote attackers to execute arbitrary SQL commands via the id parameter in a banner_out action.

Published: March 20, 2008; 6:44:00 AM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2008-1304

Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) inviteemail parameter in an invite action to wp-admin/users.php and the (2) to parameter in a sent action to wp-admin/invites.php.

Published: March 12, 2008; 1:44:00 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2008-1059

PHP remote file inclusion vulnerability in modules/syntax_highlight.php in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the libpath parameter.

Published: February 28, 2008; 2:44:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2008-1060

Eval injection vulnerability in modules/execute.php in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allows remote attackers to execute arbitrary PHP code via the text parameter.

Published: February 28, 2008; 2:44:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2008-1061

Multiple cross-site scripting (XSS) vulnerabilities in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to (a) warning.php, (b) notice.php, and (c) inset.php in view/sniplets/, and possibly (d) modules/execute.php; the (2) url parameter to (e) view/admin/submenu.php; and the (3) page parameter to (f) view/admin/pager.php.

Published: February 28, 2008; 2:44:00 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2008-0939

Multiple SQL injection vulnerabilities in wppa.php in the WP Photo Album (WPPA) before 1.1 plugin for WordPress allow remote attackers to execute arbitrary SQL commands via (1) the photo parameter to index.php, used by the wppa_photo_name function; or (2) the album parameter to index.php, used by the wppa_album_name function. NOTE: some of these details are obtained from third party information.

Published: February 25, 2008; 3:44:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2008-0837

Cross-site scripting (XSS) vulnerability in the log feature in the John Godley Search Unleashed 0.2.10 plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter, which is not properly handled when the administrator views the log file.

Published: February 20, 2008; 4:44:00 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2008-0845

SQL injection vulnerability in wp-people-popup.php in Dean Logan WP-People plugin 1.6.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the person parameter.

Published: February 20, 2008; 4:44:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2008-0682

SQL injection vulnerability in wordspew-rss.php in the Wordspew plugin before 3.72 for Wordpress allows remote attackers to execute arbitrary SQL commands via the id parameter.

Published: February 11, 2008; 8:00:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2008-0683

SQL injection vulnerability in shiftthis-preview.php in the ShiftThis Newsletter (st_newsletter) plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the newsletter parameter.

Published: February 11, 2008; 8:00:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2008-0691

Multiple cross-site scripting (XSS) vulnerabilities in admin_panel.php in the Simon Elvery WP-Footnotes 2.2 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) wp_footnotes_current_settings[priority], (2) wp_footnotes_current_settings[style_rules], (3) wp_footnotes_current_settings[pre_footnotes], and (4) wp_footnotes_current_settings[post_footnotes] parameters.

Published: February 11, 2008; 8:00:00 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2008-0664

The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors.

Published: February 07, 2008; 9:00:00 PM -0500
V3.x:(not available)
V2.0: 6.4 MEDIUM