Filtered by vendor Wordpress Subscriptions
Filtered by product Wordpress Subscriptions
Total 578 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2013-2703 2 Crunchify, Wordpress 2 Facebook Members, Wordpress 2024-09-17 N/A
Cross-site request forgery (CSRF) vulnerability in the Facebook Members plugin before 5.0.5 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify this plugin's settings.
CVE-2010-5297 1 Wordpress 1 Wordpress 2024-09-17 N/A
WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add action after a temporary change.
CVE-2013-2742 2 Ithemes, Wordpress 2 Backupbuddy, Wordpress 2024-09-17 N/A
importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress does not reliably delete itself after completing a restore operation, which makes it easier for remote attackers to obtain access via subsequent requests to this script.
CVE-2006-6017 1 Wordpress 1 Wordpress 2024-09-17 N/A
WordPress before 2.0.5 does not properly store a profile containing a string representation of a serialized object, which allows remote authenticated users to cause a denial of service (application crash) via a string that represents a (1) malformed or (2) large serialized object, because the object triggers automatic unserialization for display.
CVE-2011-3865 2 Ulyssesonline, Wordpress 2 Black-letterhead, Wordpress 2024-09-17 N/A
Cross-site scripting (XSS) vulnerability in the Black-LetterHead theme before 1.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php.
CVE-2011-3853 2 Themehybrid, Wordpress 2 Hybrid, Wordpress 2024-09-17 N/A
Cross-site scripting (XSS) vulnerability in the Hybrid theme before 0.10 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cpage parameter.
CVE-2005-2612 1 Wordpress 1 Wordpress 2024-09-17 N/A
Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_lastpostdate[server] cookie.
CVE-2012-6707 1 Wordpress 1 Wordpress 2024-09-17 N/A
WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2012-6635 1 Wordpress 1 Wordpress 2024-09-17 N/A
wp-admin/includes/class-wp-posts-list-table.php in WordPress before 3.3.3 does not properly restrict excerpt-view access, which allows remote authenticated users to obtain sensitive information by visiting a draft.
CVE-2012-5469 2 Phpmyadmin, Wordpress 2 Phpmyadmin, Wordpress 2024-09-17 N/A
The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod.
CVE-2006-6016 1 Wordpress 1 Wordpress 2024-09-17 N/A
wp-admin/user-edit.php in WordPress before 2.0.5 allows remote authenticated users to read the metadata of an arbitrary user via a modified user_id parameter.
CVE-2011-3864 2 Somadesign, Wordpress 2 The Erudite, Wordpress 2024-09-17 N/A
Cross-site scripting (XSS) vulnerability in the The Erudite theme before 2.7.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cpage parameter.
CVE-2013-1949 2 Blinkwebeffects, Wordpress 2 Social-media-widget, Wordpress 2024-09-17 N/A
Social Media Widget (social-media-widget) plugin 4.0 for WordPress contains an externally introduced modification (Trojan Horse), which allows remote attackers to force the upload of arbitrary files.
CVE-2013-3479 2 Sharethis, Wordpress 2 Sharethis, Wordpress 2024-09-17 N/A
Cross-site request forgery (CSRF) vulnerability in the ShareThis plugin before 7.0.6 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify this plugin's settings.
CVE-2012-4874 2 Awpcp, Wordpress 2 Another Wordpress Classifieds Plugin, Wordpress 2024-09-17 N/A
Unspecified vulnerability in the Another WordPress Classifieds Plugin before 2.0 for WordPress has unknown impact and attack vectors related to "image uploads."
CVE-2010-5296 1 Wordpress 1 Wordpress 2024-09-17 N/A
wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action.
CVE-2012-2371 2 Mnt-tech, Wordpress 2 Wp-facethumb, Wordpress 2024-09-17 N/A
Cross-site scripting (XSS) vulnerability in index.php in the WP-FaceThumb plugin 0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the pagination_wp_facethumb parameter.
CVE-2012-1205 2 Alanft, Wordpress 2 Relocate-upload, Wordpress 2024-09-17 N/A
PHP remote file inclusion vulnerability in relocate-upload.php in Relocate Upload plugin before 0.20 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the abspath parameter.
CVE-2009-4169 2 Roytanck, Wordpress 2 Wp-cumulus, Wordpress 2024-09-16 N/A
Cross-site scripting (XSS) vulnerability in wp-cumulus.php in the WP-Cumulus Plug-in before 1.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2010-4839 2 Edgetechweb, Wordpress 2 Event Registration, Wordpress 2024-09-16 N/A
SQL injection vulnerability in the Event Registration plugin 5.32 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the event_id parameter in a register action.