Search Results (14051 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2010-4825 2 Pleer, Wordpress 2 Wp-twitter-feed, Wordpress 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in magpie_debug.php in the Twitter Feed plugin (wp-twitter-feed) 0.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter.
CVE-2012-0895 2 Tom Braider, Wordpress 2 Count Per Day, Wordpress 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in map/map.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the map parameter.
CVE-2011-4957 1 Wordpress 1 Wordpress 2025-04-11 N/A
The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls.
CVE-2009-4748 2 Andrew Charlton, Wordpress 2 My Category Order, Wordpress 2025-04-11 N/A
SQL injection vulnerability in mycategoryorder.php in the My Category Order plugin 2.8 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the parentID parameter in an act_OrderCategories action to wp-admin/post-new.php.
CVE-2011-4956 1 Wordpress 1 Wordpress 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-2916 2 Dlo, Wordpress 2 Simple Anti Bot Registration Engine Plugin, Wordpress 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in sabre_class_admin.php in the SABRE plugin before 2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the active_option parameter to wp-admin/tools.php.
CVE-2012-2913 2 Mapsmarker, Wordpress 2 Leaflet Maps Marker Plugin, Wordpress 2025-04-11 N/A
Multiple cross-site scripting (XSS) vulnerabilities in the Leaflet plugin 0.0.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the id parameter to (1) leaflet_layer.php or (2) leaflet_marker.php, as reachable through wp-admin/admin.php.
CVE-2011-0701 1 Wordpress 1 Wordpress 2025-04-11 N/A
wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2) private posts via a modified attachment_id parameter.
CVE-2011-3130 1 Wordpress 1 Wordpress 2025-04-11 N/A
wp-includes/taxonomy.php in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Taxonomy query hardening," possibly involving SQL injection.
CVE-2012-6635 1 Wordpress 1 Wordpress 2025-04-11 N/A
wp-admin/includes/class-wp-posts-list-table.php in WordPress before 3.3.3 does not properly restrict excerpt-view access, which allows remote authenticated users to obtain sensitive information by visiting a draft.
CVE-2012-5868 1 Wordpress 1 Wordpress 2025-04-11 N/A
WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upon an administrator's logout action, which makes it easier for remote attackers to discover valid session identifiers via a brute-force attack, or modify data via a replay attack.
CVE-2013-4340 1 Wordpress 1 Wordpress 2025-04-11 N/A
wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter.
CVE-2012-2917 2 Andrew Killen, Wordpress 2 Share And Follow, Wordpress 2025-04-11 N/A
Cross-site scripting (XSS) vulnerability in the Share and Follow plugin 1.80.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the CDN API Key (cnd-key) in a share-and-follow-menu page to wp-admin/admin.php.
CVE-2012-1835 2 Timely, Wordpress 2 All-in-one Event Calendar, Wordpress 2025-04-11 N/A
Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.
CVE-2012-1786 2 Kylegilman, Wordpress 2 Video Embed \& Thumbnail Generator, Wordpress 2025-04-11 N/A
The Media Upload form in the Video Embed & Thumbnail Generator plugin before 2.0 for WordPress allows remote attackers to obtain the installation path via unknown vectors.
CVE-2012-1067 2 Mg12, Wordpress 2 Wp-recentcomments, Wordpress 2025-04-11 N/A
SQL injection vulnerability in the WP-RecentComments plugin 2.0.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter in an rc-content action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2023-22622 1 Wordpress 1 Wordpress 2025-04-07 5.3 Medium
WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits.
CVE-2023-39999 2 Fedoraproject, Wordpress 2 Fedora, Wordpress 2025-02-13 4.3 Medium
Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38.
CVE-2023-38000 1 Wordpress 2 Gutenberg, Wordpress 2024-11-21 6.5 Medium
Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions.
CVE-2021-44223 1 Wordpress 1 Wordpress 2024-11-21 8.1 High
WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.