Export limit exceeded: 12732 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12732 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2015-5732 | 1 Wordpress | 1 Wordpress | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the form function in the WP_Nav_Menu_Widget class in wp-includes/default-widgets.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a widget title. | ||||
| CVE-2015-5731 | 1 Wordpress | 1 Wordpress | 2025-04-12 | N/A |
| Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action. | ||||
| CVE-2015-5730 | 1 Wordpress | 1 Wordpress | 2025-04-12 | N/A |
| The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time comparison for widgets, which allows remote attackers to conduct a timing side-channel attack by measuring the delay before inequality is calculated. | ||||
| CVE-2015-5715 | 1 Wordpress | 1 Wordpress | 2025-04-12 | N/A |
| The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in the XMLRPC subsystem in WordPress before 4.3.1 allows remote authenticated users to bypass intended access restrictions, and arrange for a private post to be published and sticky, via unspecified vectors. | ||||
| CVE-2015-5714 | 1 Wordpress | 1 Wordpress | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the mishandling of unclosed HTML elements during processing of shortcode tags. | ||||
| CVE-2014-9031 | 1 Wordpress | 1 Wordpress | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the wptexturize function in WordPress before 3.7.5, 3.8.x before 3.8.5, and 3.9.x before 3.9.3 allows remote attackers to inject arbitrary web script or HTML via crafted use of shortcode brackets in a text field, as demonstrated by a comment or a post. | ||||
| CVE-2015-5623 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-12 | N/A |
| WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php. | ||||
| CVE-2015-5622 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.php. | ||||
| CVE-2015-3440 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. | ||||
| CVE-2015-3439 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as. | ||||
| CVE-2011-3130 | 1 Wordpress | 1 Wordpress | 2025-04-11 | N/A |
| wp-includes/taxonomy.php in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Taxonomy query hardening," possibly involving SQL injection. | ||||
| CVE-2013-1464 | 2 Doryphores, Wordpress | 2 Audio Player, Wordpress | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in assets/player.swf in the Audio Player plugin before 2.0.4.6 for Wordpress allows remote attackers to inject arbitrary web script or HTML via the playerID parameter. | ||||
| CVE-2013-0736 | 2 Cartpauj, Wordpress | 2 Mingle-forum, Wordpress | 2025-04-11 | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Mingle Forum plugin 1.0.34 and possibly earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) modify user privileges or (2) conduct cross-site scripting (XSS) attacks via unspecified vectors. | ||||
| CVE-2013-0731 | 2 Mailup, Wordpress | 2 Wp-mailup, Wordpress | 2025-04-11 | N/A |
| ajax.functions.php in the MailUp plugin before 1.3.3 for WordPress does not properly restrict access to unspecified Ajax functions, which allows remote attackers to modify plugin settings and conduct cross-site scripting (XSS) attacks by setting the wordpress_logged_in cookie. NOTE: this is due to an incomplete fix for a similar issue that was fixed in 1.3.2. | ||||
| CVE-2013-0721 | 2 Wordpress, Wp Php Widget Project | 2 Wordpress, Wp Php Widget | 2025-04-11 | N/A |
| wp-php-widget.php in the WP PHP widget plugin 1.0.2 for WordPress allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message. | ||||
| CVE-2011-3861 | 2 Webminimalist, Wordpress | 2 Web Minimalist 200901, Wordpress | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in the Web Minimalist 200901 theme before 1.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php. | ||||
| CVE-2011-0641 | 2 Heart5, Wordpress | 2 Statpresscn, Wordpress | 2025-04-11 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/admin.php in the StatPressCN plugin 1.9.0 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) what1, (2) what2, (3) what3, (4) what4, and (5) what5 parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | ||||
| CVE-2011-1047 | 2 Vasthtml, Wordpress | 2 Forum Server, Wordpress | 2025-04-11 | N/A |
| Multiple SQL injection vulnerabilities in VastHTML Forum Server (aka ForumPress) plugin 1.6.1 and 1.6.5 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) search_max parameter in a search action to index.php, which is not properly handled by wpf.class.php, (2) id parameter in an editpost action to index.php, which is not properly handled by wpf-post.php, or (3) topic parameter to feed.php. | ||||
| CVE-2010-5297 | 1 Wordpress | 1 Wordpress | 2025-04-11 | N/A |
| WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add action after a temporary change. | ||||
| CVE-2013-0237 | 3 Fedoraproject, Moxiecode, Wordpress | 3 Fedora, Plupload, Wordpress | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode plupload before 1.5.5, as used in WordPress before 3.5.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the id parameter. | ||||