Search Results (14168 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2011-1669 2 Mikoviny, Wordpress 2 Wp Custom Pages, Wordpress 2025-04-11 N/A
Directory traversal vulnerability in wp-download.php in the WP Custom Pages module 0.5.0.1 for WordPress allows remote attackers to read arbitrary files via ..%2F (encoded dot dot) sequences in the url parameter.
CVE-2011-1047 2 Vasthtml, Wordpress 2 Forum Server, Wordpress 2025-04-11 N/A
Multiple SQL injection vulnerabilities in VastHTML Forum Server (aka ForumPress) plugin 1.6.1 and 1.6.5 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) search_max parameter in a search action to index.php, which is not properly handled by wpf.class.php, (2) id parameter in an editpost action to index.php, which is not properly handled by wpf-post.php, or (3) topic parameter to feed.php.
CVE-2011-0760 2 Adminofsystem, Wordpress 2 Wp Related Posts, Wordpress 2025-04-11 N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in the configuration screen in wp-relatedposts.php in the WP Related Posts plugin 1.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the (1) wp_relatedposts_title, (2) wp_relatedposts_num, or (3) wp_relatedposts_type parameter.
CVE-2011-0740 2 Pleer, Wordpress 2 Rss Feed Reader, Wordpress 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in magpie/scripts/magpie_slashbox.php in RSS Feed Reader 0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the rss_url parameter.
CVE-2011-0701 1 Wordpress 1 Wordpress 2025-04-11 N/A
wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2) private posts via a modified attachment_id parameter.
CVE-2011-0700 1 Wordpress 1 Wordpress 2025-04-11 N/A
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or post_title), (2) post_status, (3) comment_status, (4) ping_status, and (5) escaping of tags within the tags meta box.
CVE-2010-0673 2 Copperleaf, Wordpress 2 Photolog, Wordpress 2025-04-11 N/A
SQL injection vulnerability in cplphoto.php in the Copperleaf Photolog plugin 0.16, and possibly earlier, for WordPress allows remote attackers to execute arbitrary SQL commands via the postid parameter.
CVE-2011-0641 2 Heart5, Wordpress 2 Statpresscn, Wordpress 2025-04-11 N/A
Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/admin.php in the StatPressCN plugin 1.9.0 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) what1, (2) what2, (3) what3, (4) what4, and (5) what5 parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2010-1186 2 Alex Rabe, Wordpress 2 Nextgen Gallery, Wordpress 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in xml/media-rss.php in the NextGEN Gallery plugin before 1.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the mode parameter.
CVE-2010-5297 1 Wordpress 1 Wordpress 2025-04-11 N/A
WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add action after a temporary change.
CVE-2010-5296 1 Wordpress 1 Wordpress 2025-04-11 N/A
wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action.
CVE-2011-5179 2 Skysa, Wordpress 2 Skysa App Bar Integration Plugin, Wordpress 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in skysa-official/skysa.php in Skysa App Bar Integration plugin, possibly before 1.04, for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter.
CVE-2010-5295 1 Wordpress 1 Wordpress 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in wp-admin/plugins.php in WordPress before 3.0.2 might allow remote attackers to inject arbitrary web script or HTML via a plugin's author field, which is not properly handled during a Delete Plugin action.
CVE-2010-5294 1 Wordpress 1 Wordpress 2025-04-11 N/A
Multiple cross-site scripting (XSS) vulnerabilities in the request_filesystem_credentials function in wp-admin/includes/file.php in WordPress before 3.0.2 allow remote servers to inject arbitrary web script or HTML by providing a crafted error message for a (1) FTP or (2) SSH connection attempt.
CVE-2009-4748 2 Andrew Charlton, Wordpress 2 My Category Order, Wordpress 2025-04-11 N/A
SQL injection vulnerability in mycategoryorder.php in the My Category Order plugin 2.8 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the parentID parameter in an act_OrderCategories action to wp-admin/post-new.php.
CVE-2010-5293 1 Wordpress 1 Wordpress 2025-04-11 N/A
wp-includes/comment.php in WordPress before 3.0.2 does not properly whitelist trackbacks and pingbacks in the blogroll, which allows remote attackers to bypass intended spam restrictions via a crafted URL, as demonstrated by a URL that triggers a substring match.
CVE-2011-5106 2 Fractalia, Wordpress 2 Flexible Custom Post Type, Wordpress 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in edit-post.php in the Flexible Custom Post Type plugin before 0.1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter.
CVE-2011-5104 2 Getshopped, Wordpress 2 Wp E-commerce, Wordpress 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in wpsc-admin/display-sales-logs.php in WP e-Commerce plugin 3.8.7.1 and possibly earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the custom_text parameter. NOTE: some of these details are obtained from third party information.
CVE-2009-4672 2 Grupenet, Wordpress 2 Wp-lytebox, Wordpress 2025-04-11 N/A
Directory traversal vulnerability in main.php in the WP-Lytebox plugin 1.3 for WordPress allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the pg parameter.
CVE-2010-4257 1 Wordpress 1 Wordpress 2025-04-11 N/A
SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field.