384 matches found

Cvelist
added 2014/06/16 6:00 p.m., 32 views

CVE-2014-4163

Multiple cross-site request forgery (CSRF) vulnerabilities in the Featured Comments plugin 1.2.1 for WordPress allow remote attackers to hijack the authentication of administrators for requests that change the (1) buried or (2) featured status of a comment via a request to wp-admin/admin-ajax.php...

7.2 AI score, 0.02315 EPSS
Exploits 1, References 1

Prion
added 2014/05/13 2:55 p.m., 16 views

Cross site scripting

Multiple cross-site scripting (XSS) vulnerabilities in the Events Manager plugin before 5.3.5 and Events Manager Pro plugin before 2.2.9 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) scope parameter to index.php; (2) username, (3) dbemphone, (4) useremail, or (5)...

4.3 CVSS, 6.1 AI score, 0.02058 EPSS
Exploits 3, References 3, Affected Software 2

CVE
added 2014/04/09 11:00 p.m., 79 views

CVE-2014-0165

WordPress core versions affected are 3.7.1 and 3.8.x before 3.8.2, with remote privilege escalation allowing an authenticated user with the Contributor role to publish posts via wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php. The issue is mitigated by upgrading to ...

4 CVSS, 6 AI score, 0.02368 EPSS
Exploits 0, References 5, Affected Software 1

Prion
added 2014/04/07 3:55 p.m., 9 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in the cmstpvadminhead function in functions.php in the CMS Tree Page View plugin before 0.8.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cmstpvview parameter to wp-admin/options-general.php...

4.3 CVSS, 6.3 AI score, 0.02394 EPSS
Exploits 1, References 7, Affected Software 1

CVE
added 2014/03/14 2:00 p.m., 48 views

CVE-2013-1758

CVE-2013-1758 affects the Marekkis Watermark WordPress plugin (version 0.9.2) and enables cross-site scripting via the pfad parameter to wp-admin/options-general.php. The flaw is a reflective XSS in the admin path, allowing remote attackers to inject arbitrary script/HTML. Public sources consiste...

4.3 CVSS, 5.9 AI score, 0.02053 EPSS
Exploits 2, References 4, Affected Software 1

UbuntuCve
added 2014/01/21 1:55 a.m., 22 views

CVE-2012-6635

wp-admin/includes/class-wp-posts-list-table.php in WordPress before 3.3.3 does not properly restrict excerpt-view access, which allows remote authenticated users to obtain sensitive information by visiting a draft...

4 CVSS, 5.9 AI score, 0.01889 EPSS
Exploits 0, References 3

Prion
added 2014/01/21 1:55 a.m., 14 views

Information disclosure

wp-admin/includes/class-wp-posts-list-table.php in WordPress before 3.3.3 does not properly restrict excerpt-view access, which allows remote authenticated users to obtain sensitive information by visiting a draft...

4 CVSS, 6.1 AI score, 0.01889 EPSS
Exploits 0, References 2, Affected Software 1

Debian CVE
added 2014/01/21 1:00 a.m., 21 views

CVE-2012-6635

wp-admin/includes/class-wp-posts-list-table.php in WordPress before 3.3.3 does not properly restrict excerpt-view access, which allows remote authenticated users to obtain sensitive information by visiting a draft...

4 CVSS, 4.7 AI score, 0.01889 EPSS
Exploits 0

Debian CVE
added 2014/01/21 1:00 a.m., 20 views

CVE-2010-5295

Cross-site scripting (XSS) vulnerability in wp-admin/plugins.php in WordPress before 3.0.2 might allow remote attackers to inject arbitrary web script or HTML via a plugin's author field, which is not properly handled during a Delete Plugin action...

4.3 CVSS, 4.2 AI score, 0.01815 EPSS
Exploits 1

Patchstack
added 2014/01/20 12:00 a.m., 21 views

WordPress <= 3.0.1 - XSS

Because of this vulnerability in wp-admin/plugins.php, the attackers can inject arbitrary web script or HTML. Solution: Update WordPress...

4.3 CVSS, 1.8 AI score, 0.01815 EPSS
Exploits 1, References 1, Affected Software 1

CVE
added 2014/01/16 9:00 p.m., 38 views

CVE-2012-6624

The CVE concerns the SoundCloud Is Gold WordPress plugin (v2.1) where a Cross-Site Scripting (XSS) flaw exists in the width parameter of the soundcloud_is_gold_player_preview action to wp-admin/admin-ajax.php. This allows remote attackers to inject arbitrary script/HTML in the context of affected...

4.3 CVSS, 6 AI score, 0.0377 EPSS
Exploits 1, References 3, Affected Software 1

NVD
added 2014/01/03 6:54 p.m., 30 views

CVE-2013-6992

Cross-site request forgery (CSRF) vulnerability in askapache-firefox-adsense.php in the AskApache Firefox Adsense plugin 3.0 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the aafireadco...

6.8 CVSS, 6.3 AI score, 0.01151 EPSS
Exploits 4, References 4

Cvelist
added 2013/12/30 2:00 a.m., 26 views

CVE-2013-7233

Cross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earlier allows remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list...

7 AI score, 0.0384 EPSS
Exploits 0, References 2

Debian CVE
added 2013/12/30 2:00 a.m., 23 views

CVE-2013-7233

Cross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earlier allows remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list...

6.8 CVSS, 6.5 AI score, 0.0384 EPSS
Exploits 0

Patchstack
added 2013/12/06 12:00 a.m., 31 views

WordPress Ad-Minister Plugin <= 0.6 - XSS

Because of this vulnerability, the attackers can inject arbitrary web script or HTML via the "key" parameter in a delete action to wp-admin/tools.php. Solution: Update the plugin...

4.3 CVSS, 3.1 AI score, 0.02023 EPSS
Exploits 4, References 1, Affected Software 1

CVE
added 2013/11/15 8:00 p.m., 38 views

CVE-2013-6797

CVE-2013-6797 is a CSRF vulnerability in the WordPress plugin Blue Wrench Video Widget (bluewrench-video-widget.php) prior to version 2.0.0. The issue allows remote attackers to hijack an administrator’s session by crafting requests that embed arbitrary URLs via the bw_url parameter on the bw-vi...

6.8 CVSS, 7.4 AI score, 0.02884 EPSS
Exploits 1, References 4, Affected Software 1

Prion
added 2013/11/01 3:55 p.m., 27 views

Cross site request forgery (csrf)

Cross-site request forgery (CSRF) vulnerability in Cart66Product.php in the Cart66 Lite plugin before 1.5.1.15 for WordPress allows remote attackers to hijack the authentication of administrators for requests that (1) create or modify products or conduct cross-site scripting (XSS) attacks via the (2)...

6.8 CVSS, 6.3 AI score, 0.03154 EPSS
Exploits 6, References 10, Affected Software 1

Prion
added 2013/09/26 3:55 p.m., 23 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in the BackWPup plugin before 3.0.13 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab parameter to wp-admin/admin.php...

4.3 CVSS, 6.2 AI score, 0.02058 EPSS
Exploits 3, References 5, Affected Software 1

NVD
added 2013/09/10 7:55 p.m., 22 views

CVE-2013-5673

SQL injection vulnerability in testimonial.php in the IndiaNIC Testimonial plugin 2.2 for WordPress allows remote attackers to execute arbitrary SQL commands via the customquery parameter in a testimonialadd action to wp-admin/admin-ajax.php...

7.5 CVSS, 8.4 AI score, 0.06536 EPSS
Exploits 1, References 8

Cvelist
added 2013/05/10 10:00 a.m., 17 views

CVE-2013-3254

Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in the WP Photo Album Plus plugin before 5.0.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the commentid parameter in a wppamanagecomments edit action...

5.8 AI score, 0.01601 EPSS
Exploits 0, References 2