Wordpress Security Vulnerabilities and Issues — Wordpress CVE List

Lucene search

WordpressWordpress

11 matches found

CVE•added 2011/03/14 7:55 p.m.•85 views

CVE-2011-0700

Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or post_title), (2) post_status, (3) comment_status, (4) ping_status, and (5) es...

3.5CVSS5.1AI score0.00945EPSS

CVE•added 2011/03/14 7:55 p.m.•76 views

CVE-2011-0701

wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2) private posts via a modified attachment_id parameter.

4CVSS5.8AI score0.01012EPSS

Web

CVE•added 2011/08/10 9:55 p.m.•72 views

CVE-2011-3130

wp-includes/taxonomy.php in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Taxonomy query hardening," possibly involving SQL injection.

7.5CVSS7.3AI score0.00494EPSS

CVE•added 2011/08/10 9:55 p.m.•70 views

CVE-2011-3125

Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Various security hardening."

10CVSS6.3AI score0.0127EPSS

CVE•added 2011/08/10 9:55 p.m.•70 views

CVE-2011-3128

WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 treats unattached attachments as published, which might allow remote attackers to obtain sensitive data via vectors related to wp-includes/post.php.

5CVSS6.3AI score0.012EPSS

CVE•added 2011/01/03 8:0 p.m.•67 views

CVE-2010-4536

Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used in WordPress before 3.0.4, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the & (ampersand) character, (2) the case of an attribute name, (3) a padded entity, and (4) an entity that is not...

4.3CVSS5.5AI score0.03431EPSS

CVE•added 2011/08/10 9:55 p.m.•66 views

CVE-2011-3126

WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 allows remote attackers to determine usernames of non-authors via canonical redirects.

5CVSS6.5AI score0.00923EPSS

CVE•added 2011/08/10 9:55 p.m.•64 views

CVE-2011-3127

WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 does not prevent rendering for (1) admin or (2) login pages inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.

5.8CVSS6.3AI score0.00335EPSS

CVE•added 2011/08/10 8:55 p.m.•61 views

CVE-2011-3122

Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Media security."

10CVSS6.2AI score0.01394EPSS

CVE•added 2011/08/10 9:55 p.m.•58 views

CVE-2011-3129

The file upload functionality in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2, when running "on hosts with dangerous security settings," has unknown impact and attack vectors, possibly related to dangerous filenames.

9.3CVSS6.5AI score0.00692EPSS

CVE•added 2011/09/24 12:55 a.m.•46 views

CVE-2011-3818

WordPress 2.9.2 and 3.0.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by wp-admin/includes/user.php and certain other files.

5CVSS6.2AI score0.00452EPSS