pkg:Debian/wordpress
421 total CVEs: CRITICAL 24, HIGH 50, MEDIUM 133, LOW 3
All known vulnerabilities
- from 0, < 6.4.2+dfsg1-1
- from 0
- from 0, < 5.5.3+dfsg1-1
- CRITICAL 9.8 CVE-2020-28037: is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, whic… (from 0, < 5.5.3+dfsg1-1)
- CRITICAL 9.8 CVE-2020-28036: wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post. (from 0, < 5.5.3+dfsg1-1)
- from 0, < 5.5.3+dfsg1-1
- from 0, < 4.7.19+dfsg-1+deb9u1
- from 0, < 5.0.11+dfsg1-0+deb10u1
- from 0, < 5.5.3+dfsg1-1
- from 0, < 4.1.29+dfsg-0+deb8u1
- from 0, < 5.3.2+dfsg1-1
- from 0, < 5.2.4+dfsg1-1
- from 0, < 5.0.17+dfsg1-0+deb10u1
- from 0, < 4.7.18+dfsg-1+deb9u1
- from 0, < 5.2.4+dfsg1-1
- from 0, < 4.1.28+dfsg-0+deb8u1
- CRITICAL 9.8 CVE-2018-20148: In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMed… (from 0, < 5.0.1+dfsg1-1)
- from 0, < 4.8.3+dfsg-1
- from 0, < 4.1+dfsg-1+deb8u16
- from 0, < 3.6.1+dfsg-1~deb7u18
- CRITICAL 9.8 CVE-2017-14723: Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly addr… (from 0, < 4.8.2+dfsg-1)
- CRITICAL 9.8 CVE-2017-5611: SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbi… (from 0, < 4.7.2+dfsg-1)
- CRITICAL 9.8 CVE-2007-6013: Wordpress 1.5 through 2.3.1 uses cookie values based on the MD5 hash of a password MD5 hash, which allows attackers to bypass authenticatio… (from 0, < 2.5.0-1)
- CRITICAL 9.1 CVE-2020-28039: is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine w… (from 0, < 5.5.3+dfsg1-1)
- from 0, < 5.7.11+dfsg1-0+deb11u1
- from 0, < 5.7.5+dfsg1-0+deb11u1
- HIGH 8.8 CVE-2019-17675: WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to C… (from 0, < 5.2.4+dfsg1-1)
- HIGH 8.8 CVE-2019-9787: WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default con… (from 0, < 5.1.1+dfsg1-1)
- from 0, < 5.0.1+dfsg1-1
- from 0, < 4.1.26+dfsg-1+deb8u1
- HIGH 8.8 CVE-2017-1000600: WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. (from 0, < 4.9.1+dfsg-1)
- from 0, < 4.9.7+dfsg1-1
- from 0, < 4.7.5+dfsg-2+deb9u4
- from 0, < 4.9.1+dfsg-1
- from 0, < 3.6.1+dfsg-1~deb7u20
- HIGH 8.8 CVE-2017-9064: In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is… (from 0, < 4.7.5+dfsg-1)
- HIGH 8.8 CVE-2017-5492: Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote at… (from 0, < 4.7.1+dfsg-1)
- HIGH 8.8 CVE-2017-5489: Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecifi… (from 0, < 4.7.1+dfsg-1)
- HIGH 8.8 CVE-2016-6635: Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPr… (from 0, < 4.5+dfsg-1)
- from 0, < 3.6.1+dfsg-1~deb7u16
- from 0, < 4.7.5+dfsg-1
- HIGH 8.6 CVE-2017-9062: In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. (from 0, < 4.7.5+dfsg-1)
- from 0, < 4.5+dfsg-1
- from 0, < 4.1+dfsg-1+deb8u10
- HIGH 8.6 CVE-2016-2222: The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request… (from 0, < 4.4.2+dfsg-1)
- from 0, < 5.4.1+dfsg1-1
- from 0, < 5.7.5+dfsg1-0+deb11u1
- from 0, < 4.7.22+dfsg-0+deb9u1
- from 0, < 5.0.15+dfsg1-0+deb10u1
- HIGH 7.5 CVE-2020-28033: WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed. (from 0, < 5.5.3+dfsg1-1)
- from 0, < 5.4.1+dfsg1-1
- HIGH 7.5 CVE-2019-17673: WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header. (from 0, < 5.2.4+dfsg1-1)
- HIGH 7.5 CVE-2018-20151: In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual confi… (from 0, < 5.0.1+dfsg1-1)
- HIGH 7.5 CVE-2018-6389: In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of regis… (from 0)
- HIGH 7.5 CVE-2012-6707: WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values… (from 0)
- HIGH 7.5 CVE-2017-14722: Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename. (from 0, < 4.8.2+dfsg-1)
- HIGH 7.5 CVE-2017-14719: Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip compone… (from 0, < 4.8.2+dfsg-1)
- HIGH 7.5 CVE-2017-9065: In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. (from 0, < 4.7.5+dfsg-1)
- HIGH 7.5 CVE-2017-1001000: The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before… (from 0, < 4.7.2+dfsg-1)
- HIGH 7.5 CVE-2017-5493: wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, whi… (from 0, < 4.7.1+dfsg-1)
- HIGH 7.5 CVE-2016-5839: WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors. (from 0, < 4.5.3+dfsg-1)
- HIGH 7.5 CVE-2016-5838: WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie. (from 0, < 4.5.3+dfsg-1)
- HIGH 7.5 CVE-2016-5837: WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspe… (from 0, < 4.5.3+dfsg-1)
- from 0, < 4.5.3+dfsg-1
- from 0, < 4.1+dfsg-1+deb8u18
- HIGH 7.5 CVE-2016-5835: WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, r… (from 0, < 4.5.3+dfsg-1)
- from 0, < 4.5.3+dfsg-1
- from 0, < 3.6.1+dfsg-1~deb7u11
- from 0, < 3.6.1+dfsg-1~deb7u10
- from 0, < 3.6.1+dfsg-1~deb6u9
- from 0, < 4.4.2+dfsg-1
- from 0, < 5.7.5+dfsg1-0+deb11u1
- HIGH 7.2 CVE-2018-14028: In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. (from 0)
- HIGH 7.1 CVE-2016-6896: Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows rem… (from 0, < 4.6.1+dfsg-1)
- from 0, < 4.1.31+dfsg-0+deb8u1
- from 0, < 5.4.2+dfsg1-1
- from 0, < 5.7.14+dfsg1-0+deb11u1
- from 0, < 6.1.9+dfsg1-0+deb12u1
- from 0, < 5.7.14+dfsg1-0+deb11u1
- MEDIUM 6.5 CVE-2011-1762: A flaw exists in Wordpress related to the 'wp-admin/press-this.php' script improperly checking user permissions when publishing posts. (from 0, < 3.2.1+dfsg-1)
- from 0, < 5.0.12+dfsg1-0+deb10u1
- from 0, < 4.7.20+dfsg-1+deb9u1
- from 0, < 5.7.1+dfsg1-1
- from 0
- MEDIUM 6.5 CVE-2018-20152: In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. (from 0, < 5.0.1+dfsg1-1)
- from 0, < 4.1.25+dfsg-1+deb8u1
- from 0, < 5.0.1+dfsg1-1
- from 0, < 4.7.5+dfsg-2+deb9u5
- MEDIUM 6.5 CVE-2017-14990: WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes),… (from 0, < 4.8.2+dfsg-2)
- MEDIUM 6.5 CVE-2017-6819: In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to… (from 0, < 4.7.3+dfsg-1)
- MEDIUM 6.5 CVE-2016-6897: Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress be… (from 0, < 4.6.1+dfsg-1)
- MEDIUM 6.5 CVE-2006-6017: WordPress before 2.0.5 does not properly store a profile containing a string representation of a serialized object, which allows remote aut… (from 0, < 2.0.5-0.1)
- MEDIUM 6.5 CVE-2006-6016: wp-admin/user-edit.php in WordPress before 2.0.5 allows remote authenticated users to read the metadata of an arbitrary user via a modified… (from 0, < 2.0.5-0.1)
- MEDIUM 6.4 CVE-2024-6307: WordPress Core < 6.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via HTML API (from 0, < 5.7.14+dfsg1-0+deb11u1)
- MEDIUM 6.3 CVE-2016-7169: Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade pack… (from 0, < 4.6.1+dfsg-1)
- MEDIUM 6.1 CVE-2024-4439: WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due… (from 0, < 6.1.9+dfsg1-0+deb12u1)
- MEDIUM 6.1 CVE-2022-43500: Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary scr… (from 0, < 5.7.8+dfsg1-0+deb11u1)
- from 0, < 5.7.8+dfsg1-0+deb11u1
- from 0, < 5.7.8+dfsg1-0+deb11u1
- from 0, < 5.5.3+dfsg1-1
- from 0, < 5.5.3+dfsg1-1
- from 0, < 5.4.1+dfsg1-1
- MEDIUM 6.1 CVE-2019-20042: In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a… (from 0, < 5.3.2+dfsg1-1)
- MEDIUM 6.1 CVE-2019-17672: WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements. (from 0, < 5.2.4+dfsg1-1)
- MEDIUM 6.1 CVE-2019-16222: WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site… (from 0, < 5.2.3+dfsg1-1)
- from 0, < 5.2.3+dfsg1-1
- MEDIUM 6.1 CVE-2019-16220: In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open… (from 0, < 5.2.3+dfsg1-1)
- from 0, < 5.2.3+dfsg1-1
- from 0, < 5.2.3+dfsg1-1
- from 0, < 4.1.27+dfsg-0+deb8u1
- from 0, < 5.2.3+dfsg1-1
- from 0, < 5.0.4+dfsg1-1+deb10u1
- MEDIUM 6.1 CVE-2018-20150: In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. (from 0, < 5.0.1+dfsg1-1)
- MEDIUM 6.1 CVE-2018-10102: Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. (from 0, < 4.9.5+dfsg1-1)
- MEDIUM 6.1 CVE-2018-10101: Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. (from 0, < 4.9.5+dfsg1-1)
- from 0, < 3.6.1+dfsg-1~deb7u21
- from 0, < 4.9.5+dfsg1-1
- from 0, < 4.1+dfsg-1+deb8u17
- MEDIUM 6.1 CVE-2018-5776: WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). (from 0, < 4.9.2+dfsg-1)
- MEDIUM 6.1 CVE-2017-14726: Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor. (from 0, < 4.8.2+dfsg-1)
- MEDIUM 6.1 CVE-2017-14724: Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. (from 0, < 4.8.2+dfsg-1)
- MEDIUM 6.1 CVE-2017-14721: Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name. (from 0, < 4.8.2+dfsg-1)
- MEDIUM 6.1 CVE-2017-14720: Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. (from 0, < 4.8.2+dfsg-1)
- from 0, < 4.8.2+dfsg-1
- from 0, < 4.1+dfsg-1+deb8u15
- MEDIUM 6.1 CVE-2017-9063: In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization… (from 0, < 4.7.5+dfsg-1)
- MEDIUM 6.1 CVE-2017-9061: In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error… (from 0, < 4.7.5+dfsg-1)
- MEDIUM 6.1 CVE-2017-6818: In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. (from 0, < 4.7.3+dfsg-1)
- MEDIUM 6.1 CVE-2017-6815: In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation. (from 0, < 4.7.3+dfsg-1)
- MEDIUM 6.1 CVE-2017-5612: Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7… (from 0, < 4.7.2+dfsg-1)
- MEDIUM 6.1 CVE-2017-5490: Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7… (from 0, < 4.7.1+dfsg-1)
- from 0, < 4.7.1+dfsg-1
- from 0, < 4.1+dfsg-1+deb8u12
- from 0, < 3.6.1+dfsg-1~deb7u13
- MEDIUM 6.1 CVE-2016-6634: Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary w… (from 0, < 4.5+dfsg-1)
- MEDIUM 6.1 CVE-2016-5834: Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3… (from 0, < 4.5.3+dfsg-1)
- MEDIUM 6.1 CVE-2016-5833: Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress befor… (from 0, < 4.5.3+dfsg-1)
- MEDIUM 6.1 CVE-2016-4566: Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote a… (from 0, < 4.5.2+dfsg-1)
- from 0, < 3.6.1+dfsg-1~deb7u9
- from 0, < 4.4.1+dfsg-1
- from 0, < 3.6.1+dfsg-1~deb7u12
- from 0, < 4.2.2+dfsg-1
- from 0, < 4.1+dfsg-1+deb8u9
- from 0, < 4.1+dfsg-1+deb8u5
- from 0, < 3.6.1+dfsg-1~deb6u8
- from 0, < 4.3.1+dfsg-1
- from 0, < 5.7.14+dfsg1-0+deb11u1
- from 0
- from 0, < 4.1+dfsg-1+deb8u14
- from 0, < 3.6.1+dfsg-1~deb7u15
- from 0, < 4.7.5+dfsg-2
- from 0, < 5.4.2+dfsg1-1
- MEDIUM 5.4 CVE-2022-4973: WordPress Core < 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via use of the_meta(); function (from 0, < 5.7.8+dfsg1-0+deb11u1)
- MEDIUM 5.4 CVE-2023-38000: Auth. Stored Cross-Site Scripting (XSS) vulnerability in WordPress core and Gutenberg plugin via Navigation Links Block (from 0, < 6.1.6+dfsg1-0+deb12u1)
- from 0, < 5.0.19+dfsg1-0+deb10u1
- from 0, < 5.7.11+dfsg1-0+deb11u1
- from 0, < 5.7.11+dfsg1-0+deb11u1
- from 0, < 5.7.5+dfsg1-0+deb11u1
- from 0, < 5.7.3+dfsg1-0+deb11u1
- from 0, < 5.0.14+dfsg1-0+deb10u1
- from 0, < 5.4.2+dfsg1-1
- from 0, < 5.4.1+dfsg1-1
- from 0, < 4.1.30+dfsg-0+deb8u1
- from 0, < 5.4.1+dfsg1-1
- from 0, < 4.7.5+dfsg-2+deb9u6
- from 0, < 5.4.1+dfsg1-1
- MEDIUM 5.4 CVE-2019-16781: In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, wh… (from 0, < 5.3.2+dfsg1-1)
- MEDIUM 5.4 CVE-2019-16780: WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is… (from 0, < 5.3.2+dfsg1-1)
- MEDIUM 5.4 CVE-2019-17674: WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer. (from 0, < 5.2.4+dfsg1-1)
- from 0, < 5.2.3+dfsg1-1
- MEDIUM 5.4 CVE-2018-20153: In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly caus… (from 0, < 5.0.1+dfsg1-1)
- MEDIUM 5.4 CVE-2018-20149: In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intende… (from 0, < 5.0.1+dfsg1-1)
- MEDIUM 5.4 CVE-2017-17094: wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to… (from 0, < 4.9.1+dfsg-1)
- MEDIUM 5.4 CVE-2017-17093: wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might al… (from 0, < 4.9.1+dfsg-1)
- MEDIUM 5.4 CVE-2017-17092: wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might al… (from 0, < 4.9.1+dfsg-1)
- MEDIUM 5.4 CVE-2017-14725: Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php. (from 0, < 4.8.2+dfsg-1)
- MEDIUM 5.4 CVE-2017-6817: In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds. (from 0, < 4.7.3+dfsg-1)
- from 0, < 4.7.3+dfsg-1
- from 0, < 4.1+dfsg-1+deb8u13
- from 0, < 3.6.1+dfsg-1~deb7u14
- MEDIUM 5.4 CVE-2015-7989: Cross-site scripting (XSS) vulnerability in the user list table in WordPress before 4.3.1 allows remote authenticated users to inject arbit… (from 0, < 4.3.1+dfsg-1)
- MEDIUM 5.3 CVE-2023-5692: WordPress Core <= 6.4.3 - Sensitive Information Exposure via redirect_guess_404_permalink (from 0)
- from 0, < 5.7.11+dfsg1-0+deb11u1
- MEDIUM 5.3 CVE-2022-43504: Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email add… (from 0, < 5.7.8+dfsg1-0+deb11u1)
- from 0, < 5.7.3+dfsg1-0+deb11u1
- from 0, < 5.4.2+dfsg1-1
- from 0, < 5.0.10+dfsg1-0+deb10u1
- MEDIUM 5.3 CVE-2019-17671: In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled. (from 0, < 5.2.4+dfsg1-1)
- MEDIUM 5.3 CVE-2017-6514: WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a… (from 0)
- MEDIUM 5.3 CVE-2017-5610: wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assig… (from 0, < 4.7.2+dfsg-1)
- MEDIUM 5.3 CVE-2017-5491: wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with t… (from 0, < 4.7.1+dfsg-1)
- MEDIUM 5.3 CVE-2017-5487: wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not pro… (from 0, < 4.7.1+dfsg-1)
- MEDIUM 5.3 CVE-2005-1688: Wordpress 1.5 and earlier allows remote attackers to obtain sensitive information via a direct request to files in (1) wp-content/themes/,… (from 0, < 1.5.1-1)
- MEDIUM 4.9 CVE-2017-6816: In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality. (from 0, < 4.7.3+dfsg-1)
- MEDIUM 4.8 CVE-2016-7168: Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might… (from 0, < 4.6.1+dfsg-1)
- from 0, < 4.1+dfsg-1
- from 0, < 3.6.1+dfsg-1~deb7u17
- MEDIUM 4.3 CVE-2026-3906: WordPress 6.9 - 6.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API (from 0, < 6.9.4+dfsg1-1)
- from 0, < 5.7.14+dfsg1-0+deb11u1
- from 0, < 6.8.3+dfsg1-0+deb13u1
- from 0, < 5.0.20+dfsg1-0+deb10u1
- from 0, < 5.7.11+dfsg1-0+deb11u1
- from 0, < 5.7.1+dfsg1-1
- MEDIUM 4.3 CVE-2020-28040: WordPress before 5.5.2 allows CSRF attacks that change a theme's background image. (from 0, < 5.5.3+dfsg1-1)
- MEDIUM 4.3 CVE-2019-20043: In wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the… (from 0, < 5.3.2+dfsg1-1)
- MEDIUM 4.3 CVE-2016-10148: The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checki… (from 0, < 4.6.1+dfsg-1)
- MEDIUM 4.3 CVE-2015-5715: The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in the XMLRPC subsystem in WordPress before 4.3.1 allows remote authenti… (from 0, < 4.3.1+dfsg-1)
- LOW 3.7 CVE-2025-54352: WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. (from 0)
- LOW 3.1 CVE-2020-4050: set-screen-option filter misuse by plugins leading to privilege escalation in WordPress (from 0, < 5.4.2+dfsg1-1)
- from 0, < 5.4.2+dfsg1-1
- from 0, < 2.2.1-1
- from 0, < 3.6.1+dfsg-1~deb7u4
- from 0, < 3.9.2+dfsg-1
- from 0, < 3.6.1+dfsg-1~deb6u5
- from 0, < 3.0.4+dfsg-1
- unscored CVE-2012-6112: PHP Spellchecker addon for TinyMCE allows attackers to trigger arbitrary outbound HTTP requests (from 0, < 3.5.1+dfsg-2)
- from 0, < 2.5.0-1
- from 0, < 2.0.10-1etch5
- from 0, < 2.0.10-1etch4
- unscored CVE-2015-5734: Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allo… (from 0, < 4.2.4+dfsg-1)
- unscored CVE-2015-5733: Cross-site scripting (XSS) vulnerability in the refreshAdvancedAccessibilityOfItem function in wp-admin/js/nav-menu.js in WordPress before… (from 0, < 4.2.4+dfsg-1)
- unscored CVE-2015-5732: Cross-site scripting (XSS) vulnerability in the form function in the WP_Nav_Menu_Widget class in wp-includes/default-widgets.php in WordPre… (from 0, < 4.2.4+dfsg-1)
- unscored CVE-2015-5731: Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authen… (from 0, < 4.2.4+dfsg-1)
- unscored CVE-2015-5730: The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time… (from 0, < 4.2.4+dfsg-1)
- from 0, < 4.2.4+dfsg-1
- from 0, < 3.6.1+dfsg-1~deb6u7
- from 0, < 3.6.1+dfsg-1~deb7u8
- from 0, < 4.1+dfsg-1+deb8u4
- unscored CVE-2015-3439: Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress… (from 0, < 4.2+dfsg-1)
- from 0, < 3.6.1+dfsg-1~deb7u6
- from 0, < 4.2+dfsg-1
- unscored CVE-2015-5623: WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended acces… (from 0, < 4.2.3+dfsg-1)
- unscored CVE-2015-5622: Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML… (from 0, < 4.2.3+dfsg-1)
- unscored CVE-2015-3440: Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web… (from 0, < 4.2.1+dfsg-1)
- from 0, < 4.2.2+dfsg-1
- from 0, < 4.1+dfsg-1+deb8u2
- unscored CVE-2014-9039: wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset… (from 0, < 4.0.1+dfsg-1)
- unscored CVE-2014-9038: wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to con… (from 0, < 4.0.1+dfsg-1)
- unscored CVE-2014-9037: WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an ac… (from 0, < 4.0.1+dfsg-1)
- unscored CVE-2014-9036: Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows rem… (from 0, < 4.0.1+dfsg-1)
- unscored CVE-2014-9035: Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.… (from 0, < 4.0.1+dfsg-1)
- unscored CVE-2014-9034: wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attacker… (from 0, < 4.0.1+dfsg-1)
- unscored CVE-2014-9033: Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack… (from 0, < 4.0.1+dfsg-1)
- unscored CVE-2014-9032: Cross-site scripting (XSS) vulnerability in the media-playlists feature in WordPress before 3.9.x before 3.9.3 and 4.x before 4.0.1 allows… (from 0, < 4.0.1+dfsg-1)
- from 0, < 3.6.1+dfsg-1~deb7u5
- from 0, < 3.6.1+dfsg-1~deb6u6
- from 0, < 4.0.1+dfsg-1
- unscored CVE-2003-1598: SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via th… (from 0, < 1.0.1-1)
- unscored CVE-2014-5266: The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the num… (from 0, < 3.9.2+dfsg-1)
- from 0, < 3.9.2+dfsg-1
- unscored CVE-2014-5240: Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote a… (from 0, < 3.9.2+dfsg-1)
- unscored CVE-2014-5205: wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF to… (from 0, < 3.9.2+dfsg-1)
- unscored CVE-2014-5204: wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in th… (from 0, < 3.9.2+dfsg-1)
- unscored CVE-2014-5203: wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to exe… (from 0, < 3.9.2+dfsg-1)
- unscored CVE-2014-0166: The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determ… (from 0, < 3.8.2+dfsg-1)
- from 0, < 3.8.2+dfsg-1
- from 0, < 3.6.1+dfsg-1~deb6u2
- unscored CVE-2012-6635: wp-admin/includes/class-wp-posts-list-table.php in WordPress before 3.3.3 does not properly restrict excerpt-view access, which allows remo… (from 0, < 3.4+dfsg-1)
- unscored CVE-2012-6634: wp-admin/media-upload.php in WordPress before 3.3.3 allows remote attackers to obtain sensitive information or bypass intended media-attach… (from 0, < 3.4+dfsg-1)
- unscored CVE-2012-6633: Cross-site scripting (XSS) vulnerability in wp-includes/default-filters.php in WordPress before 3.3.3 allows remote attackers to inject arb… (from 0, < 3.4+dfsg-1)
- unscored CVE-2011-5270: wp-admin/press-this.php in WordPress before 3.0.6 does not enforce the publish_posts capability requirement, which allows remote authentica… (from 0, < 3.2.1+dfsg-1)
- unscored CVE-2010-5297: WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once chan… (from 0, < 3.0.1-1)
- unscored CVE-2010-5296: wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for t… (from 0, < 3.0.2-1)
- unscored CVE-2010-5295: Cross-site scripting (XSS) vulnerability in wp-admin/plugins.php in WordPress before 3.0.2 might allow remote attackers to inject arbitrary… (from 0, < 3.0.2-1)
- unscored CVE-2010-5294: Multiple cross-site scripting (XSS) vulnerabilities in the request_filesystem_credentials function in wp-admin/includes/file.php in WordPre… (from 0, < 3.0.2-1)
- unscored CVE-2010-5293: wp-includes/comment.php in WordPress before 3.0.2 does not properly whitelist trackbacks and pingbacks in the blogroll, which allows remote… (from 0, < 3.0.2-1)
- unscored CVE-2013-7233: Cross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earli… (from 0)
- unscored CVE-2013-5739: The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote… (from 0, < 3.6.1+dfsg-1)
- unscored CVE-2013-5738: The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability… (from 0, < 3.6.1+dfsg-1)
- unscored CVE-2013-4340: wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the… (from 0, < 3.6.1+dfsg-1)
- unscored CVE-2013-4339: WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended red… (from 0, < 3.6.1+dfsg-1)
- from 0, < 3.6.1+dfsg-1
- from 0, < 3.6.1+dfsg-1~deb6u1
- unscored CVE-2012-3414: Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Imag… (from 0, < 3.5.1+dfsg-1)
- unscored CVE-2013-2205: The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote att… (from 0, < 3.5.2+dfsg-1)
- unscored CVE-2013-2204: moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not conside… (from 0, < 3.5.2+dfsg-1)
- unscored CVE-2013-2203: WordPress before 3.5.2, when the uploads directory forbids write access, allows remote attackers to obtain sensitive information via an inv… (from 0, < 3.5.2+dfsg-1)
- unscored CVE-2013-2202: WordPress before 3.5.2 allows remote attackers to read arbitrary files via an oEmbed XML provider response containing an external entity de… (from 0, < 3.5.2+dfsg-1)
- unscored CVE-2013-2201: Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.2 allow remote attackers to inject arbitrary web script or HTML… (from 0, < 3.5.2+dfsg-1)
- unscored CVE-2013-2200: WordPress before 3.5.2 does not properly check the capabilities of roles, which allows remote authenticated users to bypass intended restri… (from 0, < 3.5.2+dfsg-1)
- unscored CVE-2013-2199: The HTTP API in WordPress before 3.5.2 allows remote attackers to send HTTP requests to intranet servers via unspecified vectors, related t… (from 0, < 3.5.2+dfsg-1)
- unscored CVE-2013-0237: Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode plupload before 1.5.5, as used in WordPress before 3.5.1 and other pro… (from 0, < 3.5.1+dfsg-1)
- unscored CVE-2013-0236: Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.1 allow remote attackers to inject arbitrary web script or HTML… (from 0, < 3.5.1+dfsg-1)
- unscored CVE-2013-0235: The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attac… (from 0, < 3.5.1+dfsg-1)
- from 0, < 3.5.2+dfsg-1~deb6u1
- from 0, < 3.5.2+dfsg-1
- unscored CVE-2012-5868: WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upon an administrator's logout action, which makes it easier for remote… (from 0)
- unscored CVE-2012-4448: Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authenticati… (from 0, < 3.5.1+dfsg-2)
- unscored CVE-2012-4422: wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges… (from 0, < 3.4.2+dfsg-1)
- unscored CVE-2012-4421: The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allow… (from 0, < 3.4.2+dfsg-1)
- unscored CVE-2010-5106: The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote a… (from 0, < 3.0.3-1)
- unscored CVE-2012-3385: WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or co… (from 0, < 3.4.1+dfsg-1)
- unscored CVE-2012-3384: Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentic… (from 0, < 3.4.1+dfsg-1)
- unscored CVE-2012-3383: The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not… (from 0, < 3.4.1+dfsg-1)
- unscored CVE-2011-4957: The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the… (from 0, < 3.2.1+dfsg-1)
- unscored CVE-2011-4956: Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via unspe… (from 0, < 3.2.1+dfsg-1)
- unscored CVE-2012-2404: wp-comments-post.php in WordPress before 3.3.2 supports offsite redirects, which makes it easier for remote attackers to conduct cross-site… (from 0, < 3.3.2+dfsg-1)
- unscored CVE-2012-2403: wp-includes/formatting.php in WordPress before 3.3.2 attempts to enable clickable links inside attributes, which makes it easier for remote… (from 0, < 3.3.2+dfsg-1)
- unscored CVE-2012-2402: wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and d… (from 0, < 3.3.2+dfsg-1)
- unscored CVE-2012-2401: Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of th… (from 0, < 3.3.2+dfsg-1)
- unscored CVE-2012-2400: Unspecified vulnerability in wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown impact and attack vectors. (from 0, < 3.3.2+dfsg-1)
- unscored CVE-2012-2399: Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Imag… (from 0, < 3.3.2+dfsg-1)
- unscored CVE-2012-0937: wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to e… (from 0)
- unscored CVE-2012-0782: Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earli… (from 0)
- unscored CVE-2011-4899: wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database se… (from 0)
- unscored CVE-2011-4898: wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lack… (from 0)
- unscored CVE-2012-0287: Cross-site scripting (XSS) vulnerability in wp-comments-post.php in WordPress 3.3.x before 3.3.1, when Internet Explorer is used, allows re… (from 0, < 3.3.1+dfsg-1)
- unscored CVE-2011-3130: wp-includes/taxonomy.php in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Taxonomy que… (from 0, < 3.2.1+dfsg-1)
- unscored CVE-2011-3129: The file upload functionality in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2, when running "on hosts with dangerous security settings,… (from 0, < 3.2.1+dfsg-1)
- unscored CVE-2011-3128: WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 treats unattached attachments as published, which might allow remote attackers to obtain s… (from 0, < 3.2.1+dfsg-1)
- —CVE-2011-3127WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 does not prevent rendering for (1) admin or (2) login pages inside a frame in a third-part…from 0, < 3.2.1+dfsg-1
- —CVE-2011-3126WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 allows remote attackers to determine usernames of non-authors via canonical redirects.from 0, < 3.2.1+dfsg-1
- —CVE-2011-3125Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Various sec…from 0, < 3.2.1+dfsg-1
- from 0, < 3.3.2+dfsg-1~squeeze1
- from 0, < 3.2.1+dfsg-1
- —CVE-2011-0701wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2)…from 0, < 3.0.5+dfsg-1
- from 0, < 3.0.5+dfsg-1
- from 0, < 3.0.5+dfsg-0+squeeze1
- —CVE-2010-4536Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used in WordPress before 3.0.4, allow remote attackers to inject arbitrary…from 0, < 3.0.4+dfsg-1
- from 0, < 2.5.1-11+lenny4
- from 0, < 3.0.2-1
- —CVE-2010-0682WordPress 2.9 before 2.9.2 allows remote authenticated users to read trash posts from other authors via a direct request with a modified p…from 0, < 2.9.2-1
- —CVE-2009-3891Cross-site scripting (XSS) vulnerability in wp-admin/press-this.php in WordPress before 2.8.6 allows remote authenticated users to inject a…from 0, < 2.8.6-1
- —CVE-2009-3890Unrestricted file upload vulnerability in the wp_check_filetype function in wp-includes/functions.php in WordPress before 2.8.6, when a cer…from 0, < 2.8.6-1
- —CVE-2009-3622Algorithmic complexity vulnerability in wp-trackback.php in WordPress before 2.8.5 allows remote attackers to cause a denial of service (CP…from 0, < 2.8.5-1
- —CVE-2008-7220Unspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make "cross-site ajax requests…from 0, < 2.5.0-2
- —CVE-2009-2854Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additio…from 0, < 2.8.3-1
- —CVE-2009-2853Wordpress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php,…from 0, < 2.8.3-1
- —CVE-2009-2851Cross-site scripting (XSS) vulnerability in the administrator interface in WordPress before 2.8.2 allows remote attackers to inject arbitra…from 0, < 2.8.3-1
- —CVE-2009-2762wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly…from 0, < 2.8.3-2
- —CVE-2009-2432WordPress and WordPress MU before 2.8.1 allow remote attackers to obtain sensitive information via a direct request to wp-settings.php, whi…from 0, < 2.8.3-1
- —CVE-2009-2431WordPress 2.7.1 places the username of a post's author in an HTML comment, which allows remote attackers to obtain sensitive information by…from 0, < 2.8.3-1
- —CVE-2009-2336The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whe…from 0, < 2.8.3-1
- —CVE-2009-2335WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists,…from 0, < 2.8.3-1
- —CVE-2009-2334wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of…from 0, < 2.8.3-1
- —CVE-2008-6767wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to upgrade the application, and possibly cause a denial of servi…from 0, < 2.8.3-1
- —CVE-2008-6762Open redirect vulnerability in wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to redirect users to arbitrary we…from 0, < 2.8.3-1
- —CVE-2008-5695wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option…from 0, < 2.3.2
- CVE-2008-5278 (unscored): Cross-site scripting (XSS) vulnerability in the self_link function in the RSS Feed Generator (wp-includes/feed.php) for WordPress before… Affected: from 0, < 2.5.1-11
- CVE-2008-5113 (unscored): WordPress 2.6.3 relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier for remote attackers to cond… Affected: from 0, < 2.5.1-10
- CVE-2008-4796 (unscored): The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4… Affected: from 0, < 2.5.1-9
- CVE-2008-4769 (unscored): Directory traversal vulnerability in the get_category_template function in wp-includes/theme.php in WordPress 2.3.3 and earlier, and 2.5, a… Affected: from 0, < 2.5.1-1
- CVE-2008-4106 (unscored): WordPress before 2.6.2 does not properly handle MySQL warnings about insertion of username strings that exceed the maximum column width of… Affected: from 0, < 2.5.1-8
- CVE-2008-3747 (unscored): The (1) get_edit_post_link and (2) get_edit_comment_link functions in wp-includes/link-template.php in WordPress before 2.6.1 do not force… Affected: from 0, < 2.5.1-6
- CVE-2008-2392 (unscored): Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier might allow remote authenticated administrators to upload and execute… Affected: from 0, < 2.5.1-4
- CVE-2008-2146 (unscored): wp-includes/vars.php in Wordpress before 2.2.3 does not properly extract the current path from the PATH_INFO ($PHP_SELF), which allows remo… Affected: from 0, < 2.2.3-1
- CVE-2008-2068 (unscored): Cross-site scripting (XSS) vulnerability in WordPress 2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified ve… Affected: from 0, < 2.5.1-1
- CVE-2008-1930 (unscored): The cookie authentication method in WordPress 2.5 relies on a hash of a concatenated string containing USERNAME and EXPIRY_TIME, which allo… Affected: from 0, < 2.5.1-1
- CVE-2008-0664 (unscored): The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of o… Affected: from 0, < 2.3.3-1
- CVE-2008-0191 (unscored): WordPress 2.2.x and 2.3.x allows remote attackers to obtain sensitive information via an invalid p parameter in an rss2 action to the defau… Affected: from 0
- CVE-2008-0192 (unscored): Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.0.9 and earlier allow remote attackers to inject arbitrary web script or… Affected: from 0, < 2.0.10-1
- CVE-2008-0193 (unscored): Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress 2.0.11 and earlier, and possibly 2.1.x through 2.3.x, allows remo… Affected: from 0, < 2.1.0-1
- CVE-2008-0196 (unscored): Multiple directory traversal vulnerabilities in WordPress 2.0.11 and earlier allow remote attackers to read arbitrary files via a .. Affected: from 0, < 2.3.3-1
- CVE-2008-0195 (unscored): WordPress 2.0.11 and earlier allows remote attackers to obtain sensitive information via an empty value of the page parameter to certain PH… Affected: from 0, < 2.1.0-1
- CVE-2008-0194 (unscored): Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delet… Affected: from 0, < 2.1.0-1
- CVE-2007-6318 (unscored): SQL injection vulnerability in wp-includes/query.php in WordPress 2.3.1 and earlier allows remote attackers to execute arbitrary SQL comman… Affected: from 0, < 2.3.2-1
- CVE-2007-5710 (unscored): Cross-site scripting (XSS) vulnerability in wp-admin/edit-post-rows.php in WordPress 2.3 allows remote attackers to inject arbitrary web sc… Affected: from 0, < 2.3.1-1
- CVE-2007-5106 (unscored): Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 allows remote attackers to inject arbitrary web script or HTML… Affected: from 0, < 2.0.2-1
- CVE-2007-5105 (unscored): Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 and 2.0.1 allows remote attackers to inject arbitrary web scri… Affected: from 0, < 2.0.4-1
- CVE-2007-4894 (unscored): Multiple SQL injection vulnerabilities in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a allow remote attackers to exec… Affected: from 0, < 2.2.3-1
- CVE-2007-4893 (unscored): wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a does not properly verify the unfiltered_… Affected: from 0, < 2.2.3-1
- CVE-2007-4483 (unscored): Cross-site scripting (XSS) vulnerability in index.php in the WordPress Classic 1.5 theme in WordPress before 2.1.3 allows remote attackers… Affected: from 0, < 2.1.3-1
- CVE-2007-4153 (unscored): Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.2.1 allow remote authenticated administrators to inject arbitrary web sc… Affected: from 0, < 2.2.2-1
- CVE-2007-4154 (unscored): SQL injection vulnerability in options.php in WordPress 2.2.1 allows remote authenticated administrators to execute arbitrary SQL commands… Affected: from 0, < 2.2.2-1
- CVE-2007-3639 (unscored): WordPress before 2.2.2 allows remote attackers to redirect visitors to other websites and potentially obtain sensitive information via (1)… Affected: from 0, < 2.2.2-1
- CVE-2007-3544 (unscored): Unrestricted file upload vulnerability in (1) wp-app.php and (2) app.php in WordPress 2.2.1 and WordPress MU 1.2.3 allows remote authentica… Affected: from 0, < 2.2.2-1
- CVE-2007-3543 (unscored): Unrestricted file upload vulnerability in WordPress before 2.2.1 and WordPress MU before 1.2.3 allows remote authenticated users to upload… Affected: from 0, < 2.2.1-1
- CVE-2007-3238 (unscored): Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress 2.2 allows remote authenticated administrators… Affected: from 0, < 2.2.2-1
- CVE-2007-3140 (unscored): SQL injection vulnerability in xmlrpc.php in WordPress 2.2 allows remote authenticated users to execute arbitrary SQL commands via a parame… Affected: from 0, < 2.2.1-1
- Affected: from 0, < 2.2-1
- Affected: from 0, < 2.0.10-1etch1
- CVE-2007-2714 (unscored): Unspecified vulnerability in akismet.php in Matt Mullenweg Akismet before 2.0.2, a WordPress plugin, has unknown impact and attack vectors. Affected: from 0, < 2.2-1
- CVE-2007-2627 (unscored): Cross-site scripting (XSS) vulnerability in sidebar.php in WordPress, when custom 404 pages that call get_sidebar are used, allows remote a… Affected: from 0, < 2.2.2-1
- CVE-2007-1894 (unscored): Cross-site scripting (XSS) vulnerability in wp-includes/general-template.php in WordPress before 20070309 allows remote attackers to inject… Affected: from 0, < 2.1.3-1
- CVE-2007-1897 (unscored): SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute a… Affected: from 0, < 2.1.3-1
- CVE-2007-1893 (unscored): xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users with the contributor role to bypass intende… Affected: from 0, < 2.1.3-1
- CVE-2007-1732 (unscored): Cross-site scripting (XSS) vulnerability in an mt import in wp-admin/admin.php in WordPress 2.1.2 allows remote authenticated administrator… Affected: from 0, < 2.1.3-1
- Affected: from 0, < 2.0.10-1
- Affected: from 0, < 2.1.3-1
- Affected: from 0, < 2.0.10-1etch3
- Affected: from 0, < 2.2.2-1
- CVE-2007-1244 (unscored): Cross-site request forgery (CSRF) vulnerability in the AdminPanel in WordPress 2.1.1 and earlier allows remote attackers to perform privile… Affected: from 0, < 2.1.2-1
- CVE-2007-1230 (unscored): Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/functions.php in WordPress before 2.1.2-alpha allow remote attackers to… Affected: from 0, < 2.1.2-1
- Affected: from 0, < 2.1.1-1
- Affected: from 0, < 2.0.9-1
- CVE-2007-0541 (unscored): WordPress allows remote attackers to determine the existence of arbitrary files, and possibly read portions of certain files, via pingback… Affected: from 0, < 2.1.0-1
- Affected: from 0, < 2.1.0-1
- CVE-2007-0539 (unscored): The wp_remote_fopen function in WordPress before 2.1 allows remote attackers to cause a denial of service (bandwidth or thread consumption)… Affected: from 0, < 2.1.0-1
- Affected: from 0, < 2.0.10-1etch2
- Affected: from 0, < 2.0.8-1
- Affected: from 0, < 2.0.8-1
- CVE-2007-0233 (unscored): wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a v… Affected: from 0, < 2.1.0-1
- CVE-2007-0109 (unscored): wp-login.php in WordPress 2.0.5 and earlier displays different error messages if a user exists or not, which allows remote attackers to obt… Affected: from 0, < 2.0.6-1
- CVE-2007-0106 (unscored): Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrar… Affected: from 0, < 2.0.6-1
- CVE-2007-0107 (unscored): WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remot… Affected: from 0, < 2.0.6-1
- CVE-2006-6808 (unscored): Cross-site scripting (XSS) vulnerability in wp-admin/templates.php in WordPress 2.0.5 allows remote attackers to inject arbitrary web scrip… Affected: from 0, < 2.0.6-1
- CVE-2006-5705 (unscored): Multiple directory traversal vulnerabilities in plugins/wp-db-backup.php in WordPress before 2.0.5 allow remote authenticated users to read… Affected: from 0, < 2.0.5-0.1
- CVE-2006-4743 (unscored): WordPress 2.0.2 through 2.0.5 allows remote attackers to obtain sensitive information via a direct request for (1) 404.php, (2) akismet.php… Affected: from 0, < 2.0.5-0.1
- CVE-2006-4208 (unscored): Directory traversal vulnerability in wp-db-backup.php in Skippy WP-DB-Backup plugin for WordPress 1.7 and earlier allows remote authenticat… Affected: from 0, < 2.0.5-0.1
- CVE-2006-4028 (unscored): Multiple unspecified vulnerabilities in WordPress before 2.0.4 have unknown impact and remote attack vectors. Affected: from 0, < 2.0.4-1
- CVE-2006-3390 (unscored): WordPress 2.0.3 allows remote attackers to obtain the installation path via a direct request to various files, such as those in the (1) wp-… Affected: from 0, < 2.0.4-1
- CVE-2006-3389 (unscored): index.php in WordPress 2.0.3 allows remote attackers to obtain sensitive information, such as SQL table prefixes, via an invalid paged para… Affected: from 0, < 2.0.4-1
- CVE-2006-2702 (unscored): vars.php in WordPress 2.0.2, possibly when running on Mac OS X, allows remote attackers to spoof their IP address via a PC_REMOTE_ADDR HTTP… Affected: from 0, < 2.0.3-1
- CVE-2006-2667 (unscored): Direct static code injection vulnerability in WordPress 2.0.2 and earlier allows remote attackers to execute arbitrary commands by insertin… Affected: from 0, < 2.0.3-1
- CVE-2006-1796 (unscored): Cross-site scripting (XSS) vulnerability in the paging links functionality in template-functions-links.php in Wordpress 1.5.2, and possibly… Affected: from 0, < 2.0.1
- CVE-2006-1263 (unscored): Multiple "unannounced" cross-site scripting (XSS) vulnerabilities in WordPress before 2.0.2 allow remote attackers to inject arbitrary web… Affected: from 0, < 2.0.2-1
- CVE-2006-1012 (unscored): SQL injection vulnerability in WordPress 1.5.2, and possibly other versions before 2.0, allows remote attackers to execute arbitrary SQL co… Affected: from 0, < 2.0.1-1
- CVE-2006-0986 (unscored): WordPress 2.0.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) default-filters.php, (2) te… Affected: from 0, < 2.0.2-1
- CVE-2006-0985 (unscored): Multiple cross-site scripting (XSS) vulnerabilities in the "post comment" functionality of WordPress 2.0.1 and earlier allow remote attacke… Affected: from 0, < 2.0.2-1
- CVE-2006-0733 (unscored): Cross-site scripting (XSS) vulnerability in WordPress 2.0.0 allows remote attackers to inject arbitrary web script or HTML via scriptable a… Affected: from 0
- CVE-2005-4600 (unscored): Directory traversal vulnerability in tiny_mce_gzip.php in TinyMCE Compressor PHP before 1.06 allows remote attackers to read or include arb… Affected: from 0, < 2.5.1-3
- CVE-2005-4463 (unscored): WordPress before 1.5.2 allows remote attackers to obtain sensitive information via a direct request to (1) wp-includes/vars.php, (2) wp-con… Affected: from 0, < 1.5.2-1
- CVE-2005-2612 (unscored): Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_la… Affected: from 0, < 1.5.2-1
- CVE-2005-2109 (unscored): wp-login.php in WordPress 1.5.1.2 and earlier allows remote attackers to change the content of the forgotten password e-mail message via th… Affected: from 0, < 1.5.1.3-1
- CVE-2005-2107 (unscored): Multiple cross-site scripting (XSS) vulnerabilities in post.php in WordPress 1.5.1.2 and earlier allow remote attackers to inject arbitrary… Affected: from 0, < 1.5.1.3-1
- CVE-2005-2110 (unscored): WordPress 1.5.1.2 and earlier allows remote attackers to obtain sensitive information via (1) a direct request to menu-header.php or a "1"… Affected: from 0, < 1.5.1.3-1
- CVE-2005-2108 (unscored): SQL injection vulnerability in XMLRPC server in WordPress 1.5.1.2 and earlier allows remote attackers to execute arbitrary SQL commands via… Affected: from 0, < 1.5.1.3-1
- CVE-2005-1810 (unscored): SQL injection vulnerability in template-functions-category.php in WordPress 1.5.1 allows remote attackers to execute arbitrary SQL commands… Affected: from 0, < 1.5.1.2-1
- CVE-2005-1687 (unscored): SQL injection vulnerability in wp-trackback.php in Wordpress 1.5 and earlier allows remote attackers to execute arbitrary SQL commands via… Affected: from 0, < 1.5.1-1
- CVE-2004-1584 (unscored): CRLF injection vulnerability in wp-login.php in WordPress 1.2 allows remote attackers to perform HTTP Response Splitting attacks to modify… Affected: from 0, < 1.2.1-1.1
- CVE-2004-1559 (unscored): Multiple cross-site scripting (XSS) vulnerabilities in Wordpress 1.2 allow remote attackers to inject arbitrary web script or HTML via the… Affected: from 0, < 1.2.2-1.1