Total: 573 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2011-3861 | 2 Webminimalist, Wordpress | 2 Web Minimalist 200901, Wordpress | 2024-02-14 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in the Web Minimalist 200901 theme before 1.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php.
CVE-2011-4342 | 2 Backwpup, Wordpress | 2 Backwpup, Wordpress | 2024-02-14 | 7.5 HIGH | N/A | PHP remote file inclusion vulnerability in wp_xml_export.php in the BackWPup plugin before 1.7.2 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the wpabs parameter.
CVE-2011-3856 | 2 Atastypixel, Wordpress | 2 Elegant Grunge, Wordpress | 2024-02-14 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in the Elegant Grunge theme before 1.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2011-3857 | 2 Antisocialmediallc, Wordpress | 2 Antisnews, Wordpress | 2024-02-14 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in the Antisnews theme before 1.10 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2011-3851 | 2 Devpress, Wordpress | 2 News, Wordpress | 2024-02-14 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in the News theme before 0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cpage parameter.
CVE-2011-3862 | 2 Adazing, Wordpress | 2 Morning Coffee, Wordpress | 2024-02-14 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in the Morning Coffee theme before 3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php.
CVE-2011-3865 | 2 Ulyssesonline, Wordpress | 2 Black-letterhead, Wordpress | 2024-02-14 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in the Black-LetterHead theme before 1.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php.
CVE-2011-3860 | 2 Onedesigns, Wordpress | 2 Cover Wp, Wordpress | 2024-02-14 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in the Cover WP theme before 1.6.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.
CVE-2007-6013 | 2 Fedoraproject, Wordpress | 2 Fedora, Wordpress | 2024-02-09 | 6.8 MEDIUM | 9.8 CRITICAL | Wordpress 1.5 through 2.3.1 uses cookie values based on the MD5 hash of a password MD5 hash, which allows attackers to bypass authentication by obtaining the MD5 hash from the user database, then generating the authentication cookie from that hash.
CVE-2016-4029 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-02-08 | 5.0 MEDIUM | 8.6 HIGH | WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address.
CVE-2023-5561 | 1 Wordpress | 1 Wordpress | 2024-02-05 | N/A | 5.3 MEDIUM | WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle-style attack.
CVE-2023-2745 | 1 Wordpress | 1 Wordpress | 2024-02-04 | N/A | 5.4 MEDIUM | WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the 'wp_lang' parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could also be used to perform a Cross-Site Scripting attack.
CVE-2022-3590 | 1 Wordpress | 1 Wordpress | 2024-02-04 | N/A | 5.9 MEDIUM | WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2020-35539 | 1 Wordpress | 1 Wordpress | 2024-02-04 | N/A | N/A | A flaw was found in Wordpress 5.1. "X-Forwarded-For" is an HTTP header used to carry the client's original IP address. However, because these headers may very well be added by the client to the requests, if the systems/devices use IP addresses which decelerate at X-Forwarded-For header instead of original IP, various issues may be faced. If the data originating from these fields is trusted by the application developers and processed, any authorization checks originating IP address logging could be manipulated.
CVE-2011-1762 | 1 Wordpress | 1 Wordpress | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM | A flaw exists in Wordpress related to the 'wp-admin/press-this.php' script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'publish_posts' permission.
CVE-2021-39203 | 1 Wordpress | 1 Wordpress | 2024-02-04 | 6.0 MEDIUM | 6.5 MEDIUM | WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release.
CVE-2021-39200 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-02-04 | 4.3 MEDIUM | 5.3 MEDIUM | WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can then be used to perform actions on your behalf. This has been patched in WordPress 5.8.1, along with any older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.
CVE-2021-39202 | 1 Wordpress | 1 Wordpress | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM | WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. It was only present during the testing/beta phase of WordPress 5.8.
CVE-2022-21661 | 3 Debian, Fedoraproject, Wordpress | 3 Debian Linux, Fedora, Wordpress | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH | WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases that go back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.
CVE-2021-44223 | 1 Wordpress | 1 Wordpress | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL | WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.