Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
577 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2013-4339 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string. | ||||
CVE-2013-4338 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations. | ||||
CVE-2013-4340 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter. | ||||
CVE-2013-4117 | 2 Anshul Sharma, Wordpress | 2 Category-grid-view-gallery, Wordpress | 2024-08-06 | N/A |
Cross-site scripting (XSS) vulnerability in includes/CatGridPost.php in the Category Grid View Gallery plugin 2.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ID parameter. | ||||
CVE-2013-3530 | 2 Fabricio Zuardi, Wordpress | 2 Xspf Player Plugin, Wordpress | 2024-08-06 | N/A |
SQL injection vulnerability in playlist.php in the Spiffy XSPF Player plugin 0.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the playlist_id parameter. | ||||
CVE-2013-3532 | 2 Webdorado, Wordpress | 2 Spider Video Player, Wordpress | 2024-08-06 | N/A |
SQL injection vulnerability in settings.php in the Web Dorado Spider Video Player plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the theme parameter. | ||||
CVE-2013-3526 | 2 Wordpress, Wptrafficanalyzer | 2 Wordpress, Trafficanalyzer | 2024-08-06 | N/A |
Cross-site scripting (XSS) vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter. | ||||
CVE-2013-3529 | 2 Smartypantsplugins, Wordpress | 2 Wp-funeral-press, Wordpress | 2024-08-06 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in user/obits.php in the WP FuneralPress plugin before 1.1.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) message, (2) photo-message, or (3) youtube-message parameter. | ||||
CVE-2013-3491 | 2 Mdolon, Wordpress | 2 Sharebar, Wordpress | 2024-08-06 | N/A |
Multiple cross-site request forgery (CSRF) vulnerabilities in the Sharebar plugin 1.2.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) modify buttons, or (3) insert cross-site scripting (XSS) sequences. | ||||
CVE-2013-3487 | 2 Ait-pro, Wordpress | 2 Bulletproof-security, Wordpress | 2024-08-06 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in the security log in the BulletProof Security plugin before .49 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified HTML header fields to (1) 400.php, (2) 403.php, or (3) 403.php. | ||||
CVE-2013-3262 | 2 Mikejolley, Wordpress | 2 Download Monitor, Wordpress | 2024-08-06 | N/A |
Cross-site scripting (XSS) vulnerability in admin/admin.php in the Download Monitor plugin before 3.3.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the p parameter. | ||||
CVE-2013-3256 | 2 Shareaholic, Wordpress | 2 Sexybookmarks, Wordpress | 2024-08-06 | N/A |
Cross-site request forgery (CSRF) vulnerability in the Shareaholic SexyBookmarks plugin 6.1.4.0 for WordPress allows remote attackers to hijack the authentication of users for requests that "manipulate plugin settings." | ||||
CVE-2013-2706 | 2 Rodrigo Polo, Wordpress | 2 Stream Video Player, Wordpress | 2024-08-06 | N/A |
Cross-site request forgery (CSRF) vulnerability in the Stream Video Player plugin 1.4.0 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors. | ||||
CVE-2013-2501 | 2 Terillion, Wordpress | 2 Terillion Reviews Plugin, Wordpress | 2024-08-06 | N/A |
Cross-site scripting (XSS) vulnerability in the Terillion Reviews plugin before 1.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ProfileId field. | ||||
CVE-2013-2201 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) uploads of media files, (2) editing of media files, (3) installation of plugins, (4) updates to plugins, (5) installation of themes, or (6) updates to themes. | ||||
CVE-2013-2204 | 2 Tinymce, Wordpress | 2 Media, Wordpress | 2024-08-06 | N/A |
moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) character during extraction of the QUERY_STRING, which allows remote attackers to pass arbitrary parameters to a Flash application, and conduct content-spoofing attacks, via a crafted string after a ? (question mark) character. | ||||
CVE-2013-2202 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
WordPress before 3.5.2 allows remote attackers to read arbitrary files via an oEmbed XML provider response containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | ||||
CVE-2013-2205 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site. | ||||
CVE-2013-2173 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
wp-includes/class-phpass.php in WordPress 3.5.1, when a password-protected post exists, allows remote attackers to cause a denial of service (CPU consumption) via a crafted value of a certain wp-postpass cookie. | ||||
CVE-2013-2203 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
WordPress before 3.5.2, when the uploads directory forbids write access, allows remote attackers to obtain sensitive information via an invalid upload request, which reveals the absolute path in an XMLHttpRequest error message. |