from 0, < 6.4.2+dfsg1-1
| Severity | Score | Vulnerability | Affected versions |
|---|---|---|---|
| CRITICAL | 9.8 | CVE-2021-44223 WordPress before 5.8 lacks support for the Update URI plugin header. | from 0 |
| CRITICAL | 9.8 | Insecure Deserialization of untrusted data in rmccue/requests | from 0, < 5.5.3+dfsg1-1 |
| CRITICAL | 9.8 | is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, whic… | from 0, < 5.5.3+dfsg1-1 |
| CRITICAL | 9.8 | wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post. | from 0, < 5.5.3+dfsg1-1 |
| CRITICAL | 9.8 | WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC. | from 0, < 5.5.3+dfsg1-1 |
| CRITICAL | 9.8 | wordpress - security update | from 0, < 4.7.19+dfsg-1+deb9u1 |
| CRITICAL | 9.8 | wordpress - security update | from 0, < 5.0.11+dfsg1-0+deb10u1 |
| CRITICAL | 9.8 | wordpress - security update | from 0, < 5.5.3+dfsg1-1 |
| CRITICAL | 9.8 | wordpress - security update | from 0, < 4.1.29+dfsg-0+deb8u1 |
| CRITICAL | 9.8 | wordpress - security update | from 0, < 5.3.2+dfsg1-1 |
| CRITICAL | 9.8 | wordpress - security update | from 0, < 5.2.4+dfsg1-1 |
| CRITICAL | 9.8 | wordpress - security update | from 0, < 5.0.17+dfsg1-0+deb10u1 |
| CRITICAL | 9.8 | wordpress - security update | from 0, < 4.7.18+dfsg-1+deb9u1 |
| CRITICAL | 9.8 | wordpress - security update | from 0, < 5.2.4+dfsg1-1 |
| CRITICAL | 9.8 | wordpress - security update | from 0, < 4.1.28+dfsg-0+deb8u1 |
| CRITICAL | 9.8 | In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMed… | from 0, < 5.0.1+dfsg1-1 |
| CRITICAL | 9.8 | wordpress - security update | from 0, < 4.8.3+dfsg-1 |
| CRITICAL | 9.8 | wordpress - security update | from 0, < 4.1+dfsg-1+deb8u16 |
| CRITICAL | 9.8 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u18 |
| CRITICAL | 9.8 | Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly addr… | from 0, < 4.8.2+dfsg-1 |
| CRITICAL | 9.8 | SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbi… | from 0, < 4.7.2+dfsg-1 |
| CRITICAL | 9.8 | Wordpress 1.5 through 2.3.1 uses cookie values based on the MD5 hash of a password MD5 hash, which allows attackers to bypass authenticatio… | from 0, < 2.5.0-1 |
| CRITICAL | 9.1 | is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine w… | from 0, < 5.5.3+dfsg1-1 |
| HIGH | 8.8 | PHP file upload bypass via Plugin installer | from 0, < 5.7.11+dfsg1-0+deb11u1 |
| HIGH | 8.8 | SQL injection in WordPress | from 0, < 5.7.5+dfsg1-0+deb11u1 |
| HIGH | 8.8 | WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to C… | from 0, < 5.2.4+dfsg1-1 |
| HIGH | 8.8 | WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default con… | from 0, < 5.1.1+dfsg1-1 |
| HIGH | 8.8 | wordpress - security update | from 0, < 5.0.1+dfsg1-1 |
| HIGH | 8.8 | wordpress - security update | from 0, < 4.1.26+dfsg-1+deb8u1 |
| HIGH | 8.8 | WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. | from 0, < 4.9.1+dfsg-1 |
| HIGH | 8.8 | wordpress - security update | from 0, < 4.9.7+dfsg1-1 |
| HIGH | 8.8 | wordpress - security update | from 0, < 4.7.5+dfsg-2+deb9u4 |
| HIGH | 8.8 | wordpress - security update | from 0, < 4.9.1+dfsg-1 |
| HIGH | 8.8 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u20 |
| HIGH | 8.8 | In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is… | from 0, < 4.7.5+dfsg-1 |
| HIGH | 8.8 | Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote at… | from 0, < 4.7.1+dfsg-1 |
| HIGH | 8.8 | Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecifi… | from 0, < 4.7.1+dfsg-1 |
| HIGH | 8.8 | Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPr… | from 0, < 4.5+dfsg-1 |
| HIGH | 8.6 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u16 |
| HIGH | 8.6 | wordpress - security update | from 0, < 4.7.5+dfsg-1 |
| HIGH | 8.6 | In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. | from 0, < 4.7.5+dfsg-1 |
| HIGH | 8.6 | wordpress - security update | from 0, < 4.5+dfsg-1 |
| HIGH | 8.6 | wordpress - security update | from 0, < 4.1+dfsg-1+deb8u10 |
| HIGH | 8.6 | The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request… | from 0, < 4.4.2+dfsg-1 |
| HIGH | 8.1 | Password reset links invalidation issue in WordPress | from 0, < 5.4.1+dfsg1-1 |
| HIGH | 7.5 | SQL injection in WordPress | from 0, < 5.7.5+dfsg1-0+deb11u1 |
| HIGH | 7.5 | SQL injection in WordPress | from 0, < 4.7.22+dfsg-0+deb9u1 |
| HIGH | 7.5 | SQL injection in WordPress | from 0, < 5.0.15+dfsg1-0+deb10u1 |
| HIGH | 7.5 | WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed. | from 0, < 5.5.3+dfsg1-1 |
| HIGH | 7.5 | Unauthenticated disclosure of certain private posts in WordPress | from 0, < 5.4.1+dfsg1-1 |
| HIGH | 7.5 | WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header. | from 0, < 5.2.4+dfsg1-1 |
| HIGH | 7.5 | In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual confi… | from 0, < 5.0.1+dfsg1-1 |
| HIGH | 7.5 | In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of regis… | from 0 |
| HIGH | 7.5 | WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values… | from 0 |
| HIGH | 7.5 | Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename. | from 0, < 4.8.2+dfsg-1 |
| HIGH | 7.5 | Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip compone… | from 0, < 4.8.2+dfsg-1 |
| HIGH | 7.5 | In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. | from 0, < 4.7.5+dfsg-1 |
| HIGH | 7.5 | The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before… | from 0, < 4.7.2+dfsg-1 |
| HIGH | 7.5 | wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, whi… | from 0, < 4.7.1+dfsg-1 |
| HIGH | 7.5 | WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors. | from 0, < 4.5.3+dfsg-1 |
| HIGH | 7.5 | WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie. | from 0, < 4.5.3+dfsg-1 |
| HIGH | 7.5 | WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspe… | from 0, < 4.5.3+dfsg-1 |
| HIGH | 7.5 | wordpress - security update | from 0, < 4.5.3+dfsg-1 |
| HIGH | 7.5 | wordpress - security update | from 0, < 4.1+dfsg-1+deb8u18 |
| HIGH | 7.5 | WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, r… | from 0, < 4.5.3+dfsg-1 |
| HIGH | 7.5 | wordpress - security update | from 0, < 4.5.3+dfsg-1 |
| HIGH | 7.5 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u11 |
| HIGH | 7.4 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u10 |
| HIGH | 7.4 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb6u9 |
| HIGH | 7.4 | wordpress - security update | from 0, < 4.4.2+dfsg-1 |
| HIGH | 7.2 | Authenticated Object Injection in Multisites in WordPress | from 0, < 5.7.5+dfsg1-0+deb11u1 |
| HIGH | 7.2 | In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. | from 0 |
| HIGH | 7.1 | Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows rem… | from 0, < 4.6.1+dfsg-1 |
| MEDIUM | 6.8 | Authenticated XSS via media attachment page in WordPress | from 0, < 4.1.31+dfsg-0+deb8u1 |
| MEDIUM | 6.8 | Authenticated XSS via media attachment page in WordPress | from 0, < 5.4.2+dfsg1-1 |
| MEDIUM | 6.5 | WordPress Core < 6.5.5 - Cross Site Scripting (XSS) vulnerability | from 0, < 5.7.14+dfsg1-0+deb11u1 |
| MEDIUM | 6.5 | WordPress Core < 6.5.5 - Cross Site Scripting (XSS) vulnerability | from 0, < 6.1.9+dfsg1-0+deb12u1 |
| MEDIUM | 6.5 | WordPress Core < 6.5.5 - Cross Site Scripting (XSS) vulnerability | from 0, < 5.7.14+dfsg1-0+deb11u1 |
| MEDIUM | 6.5 | A flaw exists in Wordpress related to the 'wp-admin/press-this.php' script improperly checking user permissions when publishing posts. | from 0, < 3.2.1+dfsg-1 |
| MEDIUM | 6.5 | WordPress Authenticated XXE attack when installation is running PHP 8 | from 0, < 5.0.12+dfsg1-0+deb10u1 |
| MEDIUM | 6.5 | WordPress Authenticated XXE attack when installation is running PHP 8 | from 0, < 4.7.20+dfsg-1+deb9u1 |
| MEDIUM | 6.5 | WordPress Authenticated XXE attack when installation is running PHP 8 | from 0, < 5.7.1+dfsg1-1 |
| MEDIUM | 6.5 | WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). | from 0 |
| MEDIUM | 6.5 | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. | from 0, < 5.0.1+dfsg1-1 |
| MEDIUM | 6.5 | wordpress - security update | from 0, < 4.1.25+dfsg-1+deb8u1 |
| MEDIUM | 6.5 | wordpress - security update | from 0, < 5.0.1+dfsg1-1 |
| MEDIUM | 6.5 | wordpress - security update | from 0, < 4.7.5+dfsg-2+deb9u5 |
| MEDIUM | 6.5 | WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes),… | from 0, < 4.8.2+dfsg-2 |
| MEDIUM | 6.5 | In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to… | from 0, < 4.7.3+dfsg-1 |
| MEDIUM | 6.5 | Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress be… | from 0, < 4.6.1+dfsg-1 |
| MEDIUM | 6.5 | WordPress before 2.0.5 does not properly store a profile containing a string representation of a serialized object, which allows remote aut… | from 0, < 2.0.5-0.1 |
| MEDIUM | 6.5 | wp-admin/user-edit.php in WordPress before 2.0.5 allows remote authenticated users to read the metadata of an arbitrary user via a modified… | from 0, < 2.0.5-0.1 |
| MEDIUM | 6.4 | WordPress Core < 6.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via HTML API | from 0, < 5.7.14+dfsg1-0+deb11u1 |
| MEDIUM | 6.3 | Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade pack… | from 0, < 4.6.1+dfsg-1 |
| MEDIUM | 6.1 | WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due… | from 0, < 6.1.9+dfsg1-0+deb12u1 |
| MEDIUM | 6.1 | Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary scr… | from 0, < 5.7.8+dfsg1-0+deb11u1 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 5.7.8+dfsg1-0+deb11u1 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 5.7.8+dfsg1-0+deb11u1 |
| MEDIUM | 6.1 | WordPress before 5.5.2 allows stored XSS via post slugs. | from 0, < 5.5.3+dfsg1-1 |
| MEDIUM | 6.1 | WordPress before 5.5.2 allows XSS associated with global variables. | from 0, < 5.5.3+dfsg1-1 |
| MEDIUM | 6.1 | Cross-site scripting in stats method (object cache) in WordPress | from 0, < 5.4.1+dfsg1-1 |
| MEDIUM | 6.1 | In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a… | from 0, < 5.3.2+dfsg1-1 |
| MEDIUM | 6.1 | WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements. | from 0, < 5.2.4+dfsg1-1 |
| MEDIUM | 6.1 | WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site… | from 0, < 5.2.3+dfsg1-1 |
| MEDIUM | 6.1 | WordPress before 5.2.3 allows reflected XSS in the dashboard. | from 0, < 5.2.3+dfsg1-1 |
| MEDIUM | 6.1 | In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open… | from 0, < 5.2.3+dfsg1-1 |
| MEDIUM | 6.1 | WordPress before 5.2.3 allows XSS in shortcode previews. | from 0, < 5.2.3+dfsg1-1 |
| MEDIUM | 6.1 | WordPress before 5.2.3 allows XSS in stored comments. | from 0, < 5.2.3+dfsg1-1 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 4.1.27+dfsg-0+deb8u1 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 5.2.3+dfsg1-1 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 5.0.4+dfsg1-1+deb10u1 |
| MEDIUM | 6.1 | In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. | from 0, < 5.0.1+dfsg1-1 |
| MEDIUM | 6.1 | Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. | from 0, < 4.9.5+dfsg1-1 |
| MEDIUM | 6.1 | Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. | from 0, < 4.9.5+dfsg1-1 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u21 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 4.9.5+dfsg1-1 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 4.1+dfsg-1+deb8u17 |
| MEDIUM | 6.1 | WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). | from 0, < 4.9.2+dfsg-1 |
| MEDIUM | 6.1 | Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor. | from 0, < 4.8.2+dfsg-1 |
| MEDIUM | 6.1 | Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. | from 0, < 4.8.2+dfsg-1 |
| MEDIUM | 6.1 | Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name. | from 0, < 4.8.2+dfsg-1 |
| MEDIUM | 6.1 | Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. | from 0, < 4.8.2+dfsg-1 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 4.8.2+dfsg-1 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 4.1+dfsg-1+deb8u15 |
| MEDIUM | 6.1 | In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization… | from 0, < 4.7.5+dfsg-1 |
| MEDIUM | 6.1 | In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error… | from 0, < 4.7.5+dfsg-1 |
| MEDIUM | 6.1 | In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. | from 0, < 4.7.3+dfsg-1 |
| MEDIUM | 6.1 | In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation. | from 0, < 4.7.3+dfsg-1 |
| MEDIUM | 6.1 | Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7… | from 0, < 4.7.2+dfsg-1 |
| MEDIUM | 6.1 | Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7… | from 0, < 4.7.1+dfsg-1 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 4.7.1+dfsg-1 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 4.1+dfsg-1+deb8u12 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u13 |
| MEDIUM | 6.1 | Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary w… | from 0, < 4.5+dfsg-1 |
| MEDIUM | 6.1 | Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3… | from 0, < 4.5.3+dfsg-1 |
| MEDIUM | 6.1 | Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress befor… | from 0, < 4.5.3+dfsg-1 |
| MEDIUM | 6.1 | Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote a… | from 0, < 4.5.2+dfsg-1 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u9 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 4.4.1+dfsg-1 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u12 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 4.2.2+dfsg-1 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 4.1+dfsg-1+deb8u9 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 4.1+dfsg-1+deb8u5 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb6u8 |
| MEDIUM | 6.1 | wordpress - security update | from 0, < 4.3.1+dfsg-1 |
| MEDIUM | 5.9 | WordPress <= 6.8.2 - (Author+) Cross Site Scripting (XSS) Vulnerability | from 0, < 5.7.14+dfsg1-0+deb11u1 |
| MEDIUM | 5.9 | WP <= 6.1.1 - Unauthenticated Blind SSRF via DNS Rebinding | from 0 |
| MEDIUM | 5.9 | wordpress - security update | from 0, < 4.1+dfsg-1+deb8u14 |
| MEDIUM | 5.9 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u15 |
| MEDIUM | 5.9 | wordpress - security update | from 0, < 4.7.5+dfsg-2 |
| MEDIUM | 5.7 | Open redirect in wp_validate_redirect() in WordPress | from 0, < 5.4.2+dfsg1-1 |
| MEDIUM | 5.4 | WordPress Core < 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via use of the_meta(); function | from 0, < 5.7.8+dfsg1-0+deb11u1 |
| MEDIUM | 5.4 | Auth. Stored Cross-Site Scripting (XSS) vulnerability in WordPress core and Gutenberg plugin via Navigation Links Block | from 0, < 6.1.6+dfsg1-0+deb12u1 |
| MEDIUM | 5.4 | WordPress Core < 6.2.1 - Directory Traversal | from 0, < 5.0.19+dfsg1-0+deb10u1 |
| MEDIUM | 5.4 | WordPress Core < 6.2.1 - Directory Traversal | from 0, < 5.7.11+dfsg1-0+deb11u1 |
| MEDIUM | 5.4 | WordPress Core < 6.2.1 - Directory Traversal | from 0, < 5.7.11+dfsg1-0+deb11u1 |
| MEDIUM | 5.4 | Stored XSS in WordPress | from 0, < 5.7.5+dfsg1-0+deb11u1 |
| MEDIUM | 5.4 | Authenticated cross-site scripting (XSS) in WordPress editor | from 0, < 5.7.3+dfsg1-0+deb11u1 |
| MEDIUM | 5.4 | Authenticated cross-site scripting (XSS) in WordPress editor | from 0, < 5.0.14+dfsg1-0+deb10u1 |
| MEDIUM | 5.4 | Authenticated XSS through embed block in WordPress | from 0, < 5.4.2+dfsg1-1 |
| MEDIUM | 5.4 | Cross-site scripting (XSS) in Search block in WordPress | from 0, < 5.4.1+dfsg1-1 |
| MEDIUM | 5.4 | Specially crafted filenames in WordPress leading to XSS | from 0, < 4.1.30+dfsg-0+deb8u1 |
| MEDIUM | 5.4 | Specially crafted filenames in WordPress leading to XSS | from 0, < 5.4.1+dfsg1-1 |
| MEDIUM | 5.4 | Authenticated cross-site scripting (XSS) in WordPress Customizer | from 0, < 4.7.5+dfsg-2+deb9u6 |
| MEDIUM | 5.4 | Authenticated cross-site scripting (XSS) in WordPress Customizer | from 0, < 5.4.1+dfsg1-1 |
| MEDIUM | 5.4 | In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, wh… | from 0, < 5.3.2+dfsg1-1 |
| MEDIUM | 5.4 | WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is… | from 0, < 5.3.2+dfsg1-1 |
| MEDIUM | 5.4 | WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer. | from 0, < 5.2.4+dfsg1-1 |
| MEDIUM | 5.4 | WordPress before 5.2.3 allows XSS in post previews by authenticated users. | from 0, < 5.2.3+dfsg1-1 |
| MEDIUM | 5.4 | In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly caus… | from 0, < 5.0.1+dfsg1-1 |
| MEDIUM | 5.4 | In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intende… | from 0, < 5.0.1+dfsg1-1 |
| MEDIUM | 5.4 | wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to… | from 0, < 4.9.1+dfsg-1 |
| MEDIUM | 5.4 | wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might al… | from 0, < 4.9.1+dfsg-1 |
| MEDIUM | 5.4 | wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might al… | from 0, < 4.9.1+dfsg-1 |
| MEDIUM | 5.4 | Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php. | from 0, < 4.8.2+dfsg-1 |
| MEDIUM | 5.4 | In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds. | from 0, < 4.7.3+dfsg-1 |
| MEDIUM | 5.4 | wordpress - security update | from 0, < 4.7.3+dfsg-1 |
| MEDIUM | 5.4 | wordpress - security update | from 0, < 4.1+dfsg-1+deb8u13 |
| MEDIUM | 5.4 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u14 |
| MEDIUM | 5.4 | Cross-site scripting (XSS) vulnerability in the user list table in WordPress before 4.3.1 allows remote authenticated users to inject arbit… | from 0, < 4.3.1+dfsg-1 |
| MEDIUM | 5.3 | WordPress Core <= 6.4.3 - Sensitive Information Exposure via redirect_guess_404_permalink | from 0 |
| MEDIUM | 5.3 | WordPress < 6.3.2 - Unauthenticated Post Author Email Disclosure | from 0, < 5.7.11+dfsg1-0+deb11u1 |
| MEDIUM | 5.3 | Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email add… | from 0, < 5.7.8+dfsg1-0+deb11u1 |
| MEDIUM | 5.3 | Information Disclosure in wp_die() via JSONP in wordpress | from 0, < 5.7.3+dfsg1-0+deb11u1 |
| MEDIUM | 5.3 | wordpress - security update | from 0, < 5.4.2+dfsg1-1 |
| MEDIUM | 5.3 | wordpress - security update | from 0, < 5.0.10+dfsg1-0+deb10u1 |
| MEDIUM | 5.3 | In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled. | from 0, < 5.2.4+dfsg1-1 |
| MEDIUM | 5.3 | WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a… | from 0 |
| MEDIUM | 5.3 | wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assig… | from 0, < 4.7.2+dfsg-1 |
| MEDIUM | 5.3 | wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with t… | from 0, < 4.7.1+dfsg-1 |
| MEDIUM | 5.3 | wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not pro… | from 0, < 4.7.1+dfsg-1 |
| MEDIUM | 5.3 | Wordpress 1.5 and earlier allows remote attackers to obtain sensitive information via a direct request to files in (1) wp-content/themes/,… | from 0, < 1.5.1-1 |
| MEDIUM | 4.9 | In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality. | from 0, < 4.7.3+dfsg-1 |
| MEDIUM | 4.8 | Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might… | from 0, < 4.6.1+dfsg-1 |
| MEDIUM | 4.7 | wordpress - security update | from 0, < 4.1+dfsg-1 |
| MEDIUM | 4.7 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u17 |
| MEDIUM | 4.3 | WordPress 6.9 - 6.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API | from 0, < 6.9.4+dfsg1-1 |
| MEDIUM | 4.3 | WordPress <= 6.8.2 - (Contributor+) Sensitive Data Exposure Vulnerability | from 0, < 5.7.14+dfsg1-0+deb11u1 |
| MEDIUM | 4.3 | WordPress <= 6.8.2 - (Contributor+) Sensitive Data Exposure Vulnerability | from 0, < 6.8.3+dfsg1-0+deb13u1 |
| MEDIUM | 4.3 | WordPress < 6.3.2 is vulnerable to Broken Access Control | from 0, < 5.0.20+dfsg1-0+deb10u1 |
| MEDIUM | 4.3 | WordPress < 6.3.2 is vulnerable to Broken Access Control | from 0, < 5.7.11+dfsg1-0+deb11u1 |
| MEDIUM | 4.3 | WordPress Authenticated disclosure of password-protected posts and pages | from 0, < 5.7.1+dfsg1-1 |
| MEDIUM | 4.3 | WordPress before 5.5.2 allows CSRF attacks that change a theme's background image. | from 0, < 5.5.3+dfsg1-1 |
| MEDIUM | 4.3 | In wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the… | from 0, < 5.3.2+dfsg1-1 |
| MEDIUM | 4.3 | The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checki… | from 0, < 4.6.1+dfsg-1 |
| MEDIUM | 4.3 | The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in the XMLRPC subsystem in WordPress before 4.3.1 allows remote authenti… | from 0, < 4.3.1+dfsg-1 |
| LOW | 3.7 | WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. | from 0 |
| LOW | 3.1 | set-screen-option filter misuse by plugins leading to privilege escalation in WordPress | from 0, < 5.4.2+dfsg1-1 |
| LOW | 2.4 | Authenticated self-XSS via theme uploads in WordPress | from 0, < 5.4.2+dfsg1-1 |
| — | — | libphp-phpmailer | from 0, < 2.2.1-1 |
| — | — | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u4 |
| — | — | wordpress - security update | from 0, < 3.9.2+dfsg-1 |
| — | — | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb6u5 |
| — | — | Moodle Cross-site Scripting vulnerability in the KSES text cleaning filter | from 0, < 3.0.4+dfsg-1 |
| — | — | PHP Spellchecker addon for TinyMCE allows attackers to trigger arbitrary outbound HTTP requests | from 0, < 3.5.1+dfsg-2 |
| — | — | wordpress - regression fix | from 0, < 2.5.0-1 |
| — | — | wordpress - regression fix | from 0, < 2.0.10-1etch5 |
| — | — | wordpress - regression fix | from 0, < 2.0.10-1etch4 |
| — | — | Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allo… | from 0, < 4.2.4+dfsg-1 |
| — | — | Cross-site scripting (XSS) vulnerability in the refreshAdvancedAccessibilityOfItem function in wp-admin/js/nav-menu.js in WordPress before… | from 0, < 4.2.4+dfsg-1 |
| — | — | Cross-site scripting (XSS) vulnerability in the form function in the WP_Nav_Menu_Widget class in wp-includes/default-widgets.php in WordPre… | from 0, < 4.2.4+dfsg-1 |
| — | — | Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authen… | from 0, < 4.2.4+dfsg-1 |
| — | — | The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time… | from 0, < 4.2.4+dfsg-1 |
| — | — | wordpress - security update | from 0, < 4.2.4+dfsg-1 |
| — | — | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb6u7 |
| — | — | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u8 |
| — | — | wordpress - security update | from 0, < 4.1+dfsg-1+deb8u4 |
| — | — | Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress… | from 0, < 4.2+dfsg-1 |
| — | — | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u6 |
| — | — | wordpress - security update | from 0, < 4.2+dfsg-1 |
| — | — | WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended acces… | from 0, < 4.2.3+dfsg-1 |
| — | — | Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML… | from 0, < 4.2.3+dfsg-1 |
| — | — | Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web… | from 0, < 4.2.1+dfsg-1 |
| — | — | wordpress - security update | from 0, < 4.2.2+dfsg-1 |
| — | — | wordpress - security update | from 0, < 4.1+dfsg-1+deb8u2 |
| — | — | wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset… | from 0, < 4.0.1+dfsg-1 |
| — | — | wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to con… | from 0, < 4.0.1+dfsg-1 |
| — | — | WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an ac… | from 0, < 4.0.1+dfsg-1 |
| — | — | Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows rem… | from 0, < 4.0.1+dfsg-1 |
| — | — | Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.… | from 0, < 4.0.1+dfsg-1 |
| — | — | wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attacker… | from 0, < 4.0.1+dfsg-1 |
| — | — | Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack… | from 0, < 4.0.1+dfsg-1 |
| — | — | Cross-site scripting (XSS) vulnerability in the media-playlists feature in WordPress before 3.9.x before 3.9.3 and 4.x before 4.0.1 allows… | from 0, < 4.0.1+dfsg-1 |
| — | — | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u5 |
| — | — | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb6u6 |
| — | — | wordpress - security update | from 0, < 4.0.1+dfsg-1 |
| — | — | SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via th… | from 0, < 1.0.1-1 |
| — | — | The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the num… | from 0, < 3.9.2+dfsg-1 |
| — | — | drupal7 - security update | from 0, < 3.9.2+dfsg-1 |
| — | — | Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote a… | from 0, < 3.9.2+dfsg-1 |
| — | — | wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF to… | from 0, < 3.9.2+dfsg-1 |
| — | — | wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in th… | from 0, < 3.9.2+dfsg-1 |
| — | — | wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to exe… | from 0, < 3.9.2+dfsg-1 |
| — | — | The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determ… | from 0, < 3.8.2+dfsg-1 |
| — | — | wordpress - security update | from 0, < 3.8.2+dfsg-1 |
| — | — | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb6u2 |
| — | — | wp-admin/includes/class-wp-posts-list-table.php in WordPress before 3.3.3 does not properly restrict excerpt-view access, which allows remo… | from 0, < 3.4+dfsg-1 |
| — | — | wp-admin/media-upload.php in WordPress before 3.3.3 allows remote attackers to obtain sensitive information or bypass intended media-attach… | from 0, < 3.4+dfsg-1 |
| — | — | Cross-site scripting (XSS) vulnerability in wp-includes/default-filters.php in WordPress before 3.3.3 allows remote attackers to inject arb… | from 0, < 3.4+dfsg-1 |
| — | — | wp-admin/press-this.php in WordPress before 3.0.6 does not enforce the publish_posts capability requirement, which allows remote authentica… | from 0, < 3.2.1+dfsg-1 |
| — | — | WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once chan… | from 0, < 3.0.1-1 |
| — | — | wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for t… | from 0, < 3.0.2-1 |
| — | — | Cross-site scripting (XSS) vulnerability in wp-admin/plugins.php in WordPress before 3.0.2 might allow remote attackers to inject arbitrary… | from 0, < 3.0.2-1 |
| — | — | Multiple cross-site scripting (XSS) vulnerabilities in the request_filesystem_credentials function in wp-admin/includes/file.php in WordPre… | from 0, < 3.0.2-1 |
| — | — | wp-includes/comment.php in WordPress before 3.0.2 does not properly whitelist trackbacks and pingbacks in the blogroll, which allows remote… | from 0, < 3.0.2-1 |
| — | — | Cross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earli… | from 0 |
| — | — | The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote… | from 0, < 3.6.1+dfsg-1 |
| — | — | The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability… | from 0, < 3.6.1+dfsg-1 |
| — | — | wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the… | from 0, < 3.6.1+dfsg-1 |
| — | — | WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended red… | from 0, < 3.6.1+dfsg-1 |
| — | — | wordpress - several | from 0, < 3.6.1+dfsg-1 |
| — | — | wordpress - several | from 0, < 3.6.1+dfsg-1~deb6u1 |
| — | — | Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Imag… | from 0, < 3.5.1+dfsg-1 |
| — | — | The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote att… | from 0, < 3.5.2+dfsg-1 |
| — | — | moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not conside… | from 0, < 3.5.2+dfsg-1 |
| — | — | WordPress before 3.5.2, when the uploads directory forbids write access, allows remote attackers to obtain sensitive information via an inv… | from 0, < 3.5.2+dfsg-1 |
| — | — | WordPress before 3.5.2 allows remote attackers to read arbitrary files via an oEmbed XML provider response containing an external entity de… | from 0, < 3.5.2+dfsg-1 |
| — | — | Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.2 allow remote attackers to inject arbitrary web script or HTML… | from 0, < 3.5.2+dfsg-1 |
| — | — | WordPress before 3.5.2 does not properly check the capabilities of roles, which allows remote authenticated users to bypass intended restri… | from 0, < 3.5.2+dfsg-1 |
| — | — | The HTTP API in WordPress before 3.5.2 allows remote attackers to send HTTP requests to intranet servers via unspecified vectors, related t… | from 0, < 3.5.2+dfsg-1 |
| — | — | Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode plupload before 1.5.5, as used in WordPress before 3.5.1 and other pro… | from 0, < 3.5.1+dfsg-1 |
| — | — | Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.1 allow remote attackers to inject arbitrary web script or HTML… | from 0, < 3.5.1+dfsg-1 |
| — | — | The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attac… | from 0, < 3.5.1+dfsg-1 |
| — | — | wordpress - several | from 0, < 3.5.2+dfsg-1~deb6u1 |
| — | — | wordpress - several | from 0, < 3.5.2+dfsg-1 |
| — | — | WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upon an administrator's logout action, which makes it easier for remote… | |
from 0
—Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authenticati…
from 0, < 3.5.1+dfsg-2
—wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges…
from 0, < 3.4.2+dfsg-1
—The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allow…
from 0, < 3.4.2+dfsg-1
—The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote a…
from 0, < 3.0.3-1
—WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or co…
from 0, < 3.4.1+dfsg-1
—Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentic…
from 0, < 3.4.1+dfsg-1
—The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not…
from 0, < 3.4.1+dfsg-1
—The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the…
from 0, < 3.2.1+dfsg-1
—Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via unspe…
from 0, < 3.2.1+dfsg-1
—wp-comments-post.php in WordPress before 3.3.2 supports offsite redirects, which makes it easier for remote attackers to conduct cross-site…
from 0, < 3.3.2+dfsg-1
—wp-includes/formatting.php in WordPress before 3.3.2 attempts to enable clickable links inside attributes, which makes it easier for remote…
from 0, < 3.3.2+dfsg-1
—wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and d…
from 0, < 3.3.2+dfsg-1
—Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of th…
from 0, < 3.3.2+dfsg-1
—Unspecified vulnerability in wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown impact and attack vectors.
from 0, < 3.3.2+dfsg-1
—Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Imag…
from 0, < 3.3.2+dfsg-1
—wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to e…
from 0
—Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earli…
from 0
—wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database se…
from 0
—wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lack…
from 0
—Cross-site scripting (XSS) vulnerability in wp-comments-post.php in WordPress 3.3.x before 3.3.1, when Internet Explorer is used, allows re…
from 0, < 3.3.1+dfsg-1
—wp-includes/taxonomy.php in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Taxonomy que…
from 0, < 3.2.1+dfsg-1
—The file upload functionality in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2, when running "on hosts with dangerous security settings,…
from 0, < 3.2.1+dfsg-1
—WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 treats unattached attachments as published, which might allow remote attackers to obtain s…
from 0, < 3.2.1+dfsg-1
—WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 does not prevent rendering for (1) admin or (2) login pages inside a frame in a third-part…
from 0, < 3.2.1+dfsg-1
—WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 allows remote attackers to determine usernames of non-authors via canonical redirects.
from 0, < 3.2.1+dfsg-1
—Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Various sec…
from 0, < 3.2.1+dfsg-1
—wordpress - several
from 0, < 3.3.2+dfsg-1~squeeze1
—wordpress - several
from 0, < 3.2.1+dfsg-1
—wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2)…
from 0, < 3.0.5+dfsg-1
—wordpress - several
from 0, < 3.0.5+dfsg-1
—wordpress - several
from 0, < 3.0.5+dfsg-0+squeeze1
—Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used in WordPress before 3.0.4, allow remote attackers to inject arbitrary…
from 0, < 3.0.4+dfsg-1
—wordpress - SQL injection
from 0, < 2.5.1-11+lenny4
—wordpress - SQL injection
from 0, < 3.0.2-1
—WordPress 2.9 before 2.9.2 allows remote authenticated users to read trash posts from other authors via a direct request with a modified p…
from 0, < 2.9.2-1
—Cross-site scripting (XSS) vulnerability in wp-admin/press-this.php in WordPress before 2.8.6 allows remote authenticated users to inject a…
from 0, < 2.8.6-1
—Unrestricted file upload vulnerability in the wp_check_filetype function in wp-includes/functions.php in WordPress before 2.8.6, when a cer…
from 0, < 2.8.6-1
—Algorithmic complexity vulnerability in wp-trackback.php in WordPress before 2.8.5 allows remote attackers to cause a denial of service (CP…
from 0, < 2.8.5-1
—Unspecified vulnerability in Prototype JavaScript framework (prototypejs) before 1.6.0.2 allows attackers to make "cross-site ajax requests…
from 0, < 2.5.0-2
—Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additio…
from 0, < 2.8.3-1
—Wordpress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php,…
from 0, < 2.8.3-1
—Cross-site scripting (XSS) vulnerability in the administrator interface in WordPress before 2.8.2 allows remote attackers to inject arbitra…
from 0, < 2.8.3-1
—wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly…
from 0, < 2.8.3-2
—WordPress and WordPress MU before 2.8.1 allow remote attackers to obtain sensitive information via a direct request to wp-settings.php, whi…
from 0, < 2.8.3-1
—WordPress 2.7.1 places the username of a post's author in an HTML comment, which allows remote attackers to obtain sensitive information by…
from 0, < 2.8.3-1
—The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whe…
from 0, < 2.8.3-1
—WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists,…
from 0, < 2.8.3-1
—wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of…
from 0, < 2.8.3-1
—wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to upgrade the application, and possibly cause a denial of servi…
from 0, < 2.8.3-1
—Open redirect vulnerability in wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to redirect users to arbitrary we…
from 0, < 2.8.3-1
—wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option…
from 0, < 2.3.2
—Cross-site scripting (XSS) vulnerability in the self_link function in the RSS Feed Generator (wp-includes/feed.php) for WordPress before…
from 0, < 2.5.1-11
—WordPress 2.6.3 relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier for remote attackers to cond…
from 0, < 2.5.1-10
—The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4…
from 0, < 2.5.1-9
—Directory traversal vulnerability in the get_category_template function in wp-includes/theme.php in WordPress 2.3.3 and earlier, and 2.5, a…
from 0, < 2.5.1-1
—WordPress before 2.6.2 does not properly handle MySQL warnings about insertion of username strings that exceed the maximum column width of…
from 0, < 2.5.1-8
—The (1) get_edit_post_link and (2) get_edit_comment_link functions in wp-includes/link-template.php in WordPress before 2.6.1 do not force…
from 0, < 2.5.1-6
—Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier might allow remote authenticated administrators to upload and execute…
from 0, < 2.5.1-4
—wp-includes/vars.php in Wordpress before 2.2.3 does not properly extract the current path from the PATH_INFO ($PHP_SELF), which allows remo…
from 0, < 2.2.3-1
—Cross-site scripting (XSS) vulnerability in WordPress 2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified ve…
from 0, < 2.5.1-1
—The cookie authentication method in WordPress 2.5 relies on a hash of a concatenated string containing USERNAME and EXPIRY_TIME, which allo…
from 0, < 2.5.1-1
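The entry above describes an authentication cookie whose tag is a hash over the plain concatenation of the username and the expiry time. The following added example (not code from the page or from WordPress) models why that is forgeable: without a separator or length prefix, two different (username, expiry) pairs can produce the same input to the hash, so a tag issued for one account verifies for another. The cookie layout `username|expiry|tag`, the account name `admin1`, the expiry values and the use of HMAC-SHA256 are all assumptions made for the illustration; the fix shown is an injective encoding of the fields, which is one standard remedy and is not presented as the project's actual patch.

```python
import hashlib
import hmac
import secrets

# Server-side signing key (constructed for this example; a deployment would
# load it from configuration).
SECRET_KEY = secrets.token_bytes(32)


def weak_cookie_tag(username: str, expiry: int) -> str:
    """Model of the weak scheme: MAC over the bare concatenation
    username + expiry.  With no separator, distinct (username, expiry)
    pairs can map to identical input bytes."""
    msg = (username + str(expiry)).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def safe_cookie_tag(username: str, expiry: int) -> str:
    """Length-prefix the username and fix the width of the expiry so the
    field encoding is injective: no two distinct pairs share the bytes."""
    u = username.encode()
    msg = len(u).to_bytes(4, "big") + u + expiry.to_bytes(8, "big")
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_cookie(tag_fn, username: str, expiry: int) -> str:
    """Cookie layout 'username|expiry|tag' is an assumption of this example."""
    return f"{username}|{expiry}|{tag_fn(username, expiry)}"


def verify_cookie(tag_fn, cookie: str):
    """Return the authenticated username, or None if the cookie is malformed
    or its tag does not verify under tag_fn."""
    parts = cookie.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    username, expiry, tag = parts[0], int(parts[1]), parts[2]
    if not hmac.compare_digest(tag, tag_fn(username, expiry)):
        return None
    return username


def forge_admin_cookie(tag_fn) -> str:
    """Attacker controls the low-privilege account 'admin1' (constructed) and
    holds a valid cookie for it with expiry 234567890.  Re-splitting the same
    characters as username 'admin' with expiry 1234567890 leaves the weak
    scheme's MAC input 'admin1234567890' unchanged, so the old tag still
    verifies for 'admin'."""
    own_cookie = make_cookie(tag_fn, "admin1", 234567890)
    tag = own_cookie.rsplit("|", 1)[1]
    return f"admin|1234567890|{tag}"


if __name__ == "__main__":
    print("weak scheme accepts forged cookie as:",
          verify_cookie(weak_cookie_tag, forge_admin_cookie(weak_cookie_tag)))
    print("fixed scheme accepts forged cookie as:",
          verify_cookie(safe_cookie_tag, forge_admin_cookie(safe_cookie_tag)))
```

The lesson generalizes beyond this cookie: any MAC or hash over several variable-length fields needs an unambiguous encoding (length prefixes, fixed widths, or a separator that cannot occur in the data), otherwise an attacker who can choose one field can shift the boundary into another.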
—The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of o…
from 0, < 2.3.3-1
—WordPress 2.2.x and 2.3.x allows remote attackers to obtain sensitive information via an invalid p parameter in an rss2 action to the defau…
from 0
—Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.0.9 and earlier allow remote attackers to inject arbitrary web script or…
from 0, < 2.0.10-1
—Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress 2.0.11 and earlier, and possibly 2.1.x through 2.3.x, allows remo…
from 0, < 2.1.0-1
—Multiple directory traversal vulnerabilities in WordPress 2.0.11 and earlier allow remote attackers to read arbitrary files via a ..
from 0, < 2.3.3-1
—WordPress 2.0.11 and earlier allows remote attackers to obtain sensitive information via an empty value of the page parameter to certain PH…
from 0, < 2.1.0-1
—Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delet…
from 0, < 2.1.0-1
—SQL injection vulnerability in wp-includes/query.php in WordPress 2.3.1 and earlier allows remote attackers to execute arbitrary SQL comman…
from 0, < 2.3.2-1
—Cross-site scripting (XSS) vulnerability in wp-admin/edit-post-rows.php in WordPress 2.3 allows remote attackers to inject arbitrary web sc…
from 0, < 2.3.1-1
—Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 allows remote attackers to inject arbitrary web script or HTML…
from 0, < 2.0.2-1
—Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 and 2.0.1 allows remote attackers to inject arbitrary web scri…
from 0, < 2.0.4-1
—Multiple SQL injection vulnerabilities in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a allow remote attackers to exec…
from 0, < 2.2.3-1
—wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a does not properly verify the unfiltered_…
from 0, < 2.2.3-1
—Cross-site scripting (XSS) vulnerability in index.php in the WordPress Classic 1.5 theme in WordPress before 2.1.3 allows remote attackers…
from 0, < 2.1.3-1
—Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.2.1 allow remote authenticated administrators to inject arbitrary web sc…
from 0, < 2.2.2-1
—SQL injection vulnerability in options.php in WordPress 2.2.1 allows remote authenticated administrators to execute arbitrary SQL commands…
from 0, < 2.2.2-1
—WordPress before 2.2.2 allows remote attackers to redirect visitors to other websites and potentially obtain sensitive information via (1)…
from 0, < 2.2.2-1
—Unrestricted file upload vulnerability in (1) wp-app.php and (2) app.php in WordPress 2.2.1 and WordPress MU 1.2.3 allows remote authentica…
from 0, < 2.2.2-1
—Unrestricted file upload vulnerability in WordPress before 2.2.1 and WordPress MU before 1.2.3 allows remote authenticated users to upload…
from 0, < 2.2.1-1
—Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress 2.2 allows remote authenticated administrators…
from 0, < 2.2.2-1
—SQL injection vulnerability in xmlrpc.php in WordPress 2.2 allows remote authenticated users to execute arbitrary SQL commands via a parame…
from 0, < 2.2.1-1
—wordpress - multiple vulnerabilities
from 0, < 2.2-1
—wordpress - multiple vulnerabilities
from 0, < 2.0.10-1etch1
—Unspecified vulnerability in akismet.php in Matt Mullenweg Akismet before 2.0.2, a WordPress plugin, has unknown impact and attack vectors.
from 0, < 2.2-1
—Cross-site scripting (XSS) vulnerability in sidebar.php in WordPress, when custom 404 pages that call get_sidebar are used, allows remote a…
from 0, < 2.2.2-1
—Cross-site scripting (XSS) vulnerability in wp-includes/general-template.php in WordPress before 20070309 allows remote attackers to inject…
from 0, < 2.1.3-1
—SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute a…
from 0, < 2.1.3-1
—xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users with the contributor role to bypass intende…
from 0, < 2.1.3-1
—Cross-site scripting (XSS) vulnerability in an mt import in wp-admin/admin.php in WordPress 2.1.2 allows remote authenticated administrator…
from 0, < 2.1.3-1
—wordpress
from 0, < 2.0.10-1
—wordpress
from 0, < 2.1.3-1
—wordpress - several vulnerabilities
from 0, < 2.0.10-1etch3
—wordpress - several vulnerabilities
from 0, < 2.2.2-1
—Cross-site request forgery (CSRF) vulnerability in the AdminPanel in WordPress 2.1.1 and earlier allows remote attackers to perform privile…
from 0, < 2.1.2-1
—Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/functions.php in WordPress before 2.1.2-alpha allow remote attackers to…
from 0, < 2.1.2-1
—wordpress - cross-site scripting
from 0, < 2.1.1-1
—wordpress - cross-site scripting
from 0, < 2.0.9-1
—WordPress allows remote attackers to determine the existence of arbitrary files, and possibly read portions of certain files, via pingback…
from 0, < 2.1.0-1
—wordpress - several vulnerabilities
from 0, < 2.1.0-1
—The wp_remote_fopen function in WordPress before 2.1 allows remote attackers to cause a denial of service (bandwidth or thread consumption)…
from 0, < 2.1.0-1
—wordpress - several vulnerabilities
from 0, < 2.0.10-1etch2
—wordpress - multiple vulnerabilities
from 0, < 2.0.8-1
—wordpress - multiple vulnerabilities
from 0, < 2.0.8-1
—wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a v…
from 0, < 2.1.0-1
—wp-login.php in WordPress 2.0.5 and earlier displays different error messages if a user exists or not, which allows remote attackers to obt…
from 0, < 2.0.6-1
—Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrar…
from 0, < 2.0.6-1
—WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remot…
from 0, < 2.0.6-1
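The entry above turns on an ordering bug: quote escaping is applied to the raw request bytes, and only afterwards are those bytes reinterpreted in another character set. The added example below (not code from the page or from WordPress) reproduces the effect with a multibyte charset whose two-byte characters may use the backslash byte 0x5C as their second byte; GBK is assumed here because it has that property, and the page does not say which charset was involved. The decoder swallows the inserted backslash into the preceding character, and the quote that follows is no longer escaped. The fix shown is to decode first and escape the resulting text, which is the general remedy rather than the project's specific patch.

```python
import re

# Charset under which the server reinterprets request bytes.  GBK is an
# assumption for this example: its two-byte characters may end in 0x5C.
REQUEST_CHARSET = "gbk"


def escape_quotes_bytes(raw: bytes) -> bytes:
    """addslashes-style escaping on raw bytes: a backslash is inserted
    before every quote, double quote and backslash byte."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_quotes_text(s: str) -> str:
    """Same escaping, but on decoded text, so the backslash can never be
    absorbed into a multibyte character afterwards."""
    return re.sub(r"(['\"\\])", r"\\\1", s)


def unescaped_quote_count(s: str) -> int:
    """Number of single quotes not protected by a preceding backslash;
    any value above zero means the SQL string literal can be closed early."""
    count, i = 0, 0
    while i < len(s):
        if s[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if s[i] == "'":
            count += 1
        i += 1
    return count


def literal_vulnerable(raw: bytes) -> str:
    """Wrong order: escape the raw bytes, then decode them with the request
    charset.  A lone lead byte before the quote merges with the inserted
    0x5C into one character, freeing the quote that follows."""
    return escape_quotes_bytes(raw).decode(REQUEST_CHARSET, errors="replace")


def literal_fixed(raw: bytes) -> str:
    """Right order: decode first (an invalid lead byte becomes U+FFFD), then
    escape the resulting text."""
    return escape_quotes_text(raw.decode(REQUEST_CHARSET, errors="replace"))


def build_query(literal: str) -> str:
    """Where the escaped value ends up; shown only to make the effect visible."""
    return f"SELECT id FROM users WHERE name = '{literal}'"


# Constructed attacker input: a lone GBK lead byte followed by a quote.
PAYLOAD = b"\xbf' OR 1=1 -- "

if __name__ == "__main__":
    print("vulnerable:", build_query(literal_vulnerable(PAYLOAD)))
    print("fixed     :", build_query(literal_fixed(PAYLOAD)))
```

The same ordering rule applies to every transformation that follows escaping, not only charset conversion: URL decoding, HTML entity decoding or case folding performed after the escaping step can each undo it.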
—Cross-site scripting (XSS) vulnerability in wp-admin/templates.php in WordPress 2.0.5 allows remote attackers to inject arbitrary web scrip…
from 0, < 2.0.6-1
—Multiple directory traversal vulnerabilities in plugins/wp-db-backup.php in WordPress before 2.0.5 allow remote authenticated users to read…
from 0, < 2.0.5-0.1
—WordPress 2.0.2 through 2.0.5 allows remote attackers to obtain sensitive information via a direct request for (1) 404.php, (2) akismet.php…
from 0, < 2.0.5-0.1
—Directory traversal vulnerability in wp-db-backup.php in Skippy WP-DB-Backup plugin for WordPress 1.7 and earlier allows remote authenticat…
from 0, < 2.0.5-0.1
—Multiple unspecified vulnerabilities in WordPress before 2.0.4 have unknown impact and remote attack vectors.
from 0, < 2.0.4-1
—WordPress 2.0.3 allows remote attackers to obtain the installation path via a direct request to various files, such as those in the (1) wp-…
from 0, < 2.0.4-1
—index.php in WordPress 2.0.3 allows remote attackers to obtain sensitive information, such as SQL table prefixes, via an invalid paged para…
from 0, < 2.0.4-1
—vars.php in WordPress 2.0.2, possibly when running on Mac OS X, allows remote attackers to spoof their IP address via a PC_REMOTE_ADDR HTTP…
from 0, < 2.0.3-1
—Direct static code injection vulnerability in WordPress 2.0.2 and earlier allows remote attackers to execute arbitrary commands by insertin…
from 0, < 2.0.3-1
—Cross-site scripting (XSS) vulnerability in the paging links functionality in template-functions-links.php in Wordpress 1.5.2, and possibly…
from 0, < 2.0.1
—Multiple "unannounced" cross-site scripting (XSS) vulnerabilities in WordPress before 2.0.2 allow remote attackers to inject arbitrary web…
from 0, < 2.0.2-1
—SQL injection vulnerability in WordPress 1.5.2, and possibly other versions before 2.0, allows remote attackers to execute arbitrary SQL co…
from 0, < 2.0.1-1
—WordPress 2.0.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) default-filters.php, (2) te…
from 0, < 2.0.2-1
—Multiple cross-site scripting (XSS) vulnerabilities in the "post comment" functionality of WordPress 2.0.1 and earlier allow remote attacke…
from 0, < 2.0.2-1
—Cross-site scripting (XSS) vulnerability in WordPress 2.0.0 allows remote attackers to inject arbitrary web script or HTML via scriptable a…
from 0
—Directory traversal vulnerability in tiny_mce_gzip.php in TinyMCE Compressor PHP before 1.06 allows remote attackers to read or include arb…
from 0, < 2.5.1-3
—WordPress before 1.5.2 allows remote attackers to obtain sensitive information via a direct request to (1) wp-includes/vars.php, (2) wp-con…
from 0, < 1.5.2-1
—Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_la…
from 0, < 1.5.2-1
—wp-login.php in WordPress 1.5.1.2 and earlier allows remote attackers to change the content of the forgotten password e-mail message via th…
from 0, < 1.5.1.3-1
—Multiple cross-site scripting (XSS) vulnerabilities in post.php in WordPress 1.5.1.2 and earlier allow remote attackers to inject arbitrary…
from 0, < 1.5.1.3-1
—WordPress 1.5.1.2 and earlier allows remote attackers to obtain sensitive information via (1) a direct request to menu-header.php or a "1"…
from 0, < 1.5.1.3-1
—SQL injection vulnerability in XMLRPC server in WordPress 1.5.1.2 and earlier allows remote attackers to execute arbitrary SQL commands via…
from 0, < 1.5.1.3-1
—SQL injection vulnerability in template-functions-category.php in WordPress 1.5.1 allows remote attackers to execute arbitrary SQL commands…
from 0, < 1.5.1.2-1
—SQL injection vulnerability in wp-trackback.php in Wordpress 1.5 and earlier allows remote attackers to execute arbitrary SQL commands via…
from 0, < 1.5.1-1
—CRLF injection vulnerability in wp-login.php in WordPress 1.2 allows remote attackers to perform HTTP Response Splitting attacks to modify…
from 0, < 1.2.1-1.1
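The entry above is an HTTP response splitting bug: a request value copied into a response header without stripping carriage return and line feed lets the requester terminate the header and append headers or a body of their own. The added example below (not code from the page or from WordPress) builds a redirect response from a caller-supplied target, first unchecked and then validated, and parses the result the way a client would; the redirect-parameter role of the value and the injected `Set-Cookie` header are assumptions made for the illustration.

```python
def header_value_is_safe(value: str) -> bool:
    """A header value may not contain CR or LF: either byte lets the caller
    start a new header line, and a blank line starts a new body."""
    return "\r" not in value and "\n" not in value


def build_redirect_vulnerable(location: str) -> bytes:
    """Copies the caller-supplied target into the Location header unchecked."""
    response = (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return response.encode("latin-1")


def build_redirect_fixed(location: str) -> bytes:
    """Same response, but the value is validated before it is emitted."""
    if not header_value_is_safe(location):
        raise ValueError("CR/LF in header value")
    return build_redirect_vulnerable(location)


def parse_response(raw: bytes):
    """Split a raw response as a client does: status line, then headers up
    to the first blank line, then everything after it as the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


# Constructed attacker-controlled redirect target: it closes the Location
# header, adds a Set-Cookie header, ends the header block and supplies a body.
PAYLOAD = (
    "https://example.test/\r\n"
    "Set-Cookie: session=attacker\r\n"
    "\r\n"
    "<html>injected</html>"
)

if __name__ == "__main__":
    status, headers, body = parse_response(build_redirect_vulnerable(PAYLOAD))
    print(status, headers, body[:30])
    try:
        build_redirect_fixed(PAYLOAD)
    except ValueError as exc:
        print("fixed builder rejected the value:", exc)
```

Rejecting CR and LF is the minimum check; a redirect target should additionally be restricted to a known host or to a relative path, which also closes the open-redirect cases listed elsewhere on this page.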
—Multiple cross-site scripting (XSS) vulnerabilities in Wordpress 1.2 allow remote attackers to inject arbitrary web script or HTML via the…
from 0, < 1.2.2-1.1