WordpressCVEs & Vulnerabilities

625 CVEs affecting Wordpress products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

wordpress 4,389wordpress mu 73wordspew 39wassup plugin 10page flip image gallery plugin 8wp maintenance mode plugin 8sniplets plugin 6wordpress-users 6
CVE-2011-5181MEDIUMpoc

Cross-site scripting (XSS) vulnerability in clickdesk.php in ClickDesk Live Support - Live Chat plugin 2.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cdwidgetid parameter. NOTE: some of these details are obtained from third party information.

20 Sep 2012
4.3
CVSS
CVE-2011-5180MEDIUMpoc

Cross-site scripting (XSS) vulnerability in wp-1pluginjquery.php in the ZooEffect plugin 1.01 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. NOTE: some of these details are obtained from third party information. NOTE: this has been disputed by a third party.

20 Sep 2012
4.3
CVSS
CVE-2011-5179MEDIUMpoc

Cross-site scripting (XSS) vulnerability in skysa-official/skysa.php in Skysa App Bar Integration plugin, possibly before 1.04, for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter.

20 Sep 2012
4.3
CVSS
CVE-2012-4422LOW

wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin changes by leveraging the Administrator role.

14 Sep 2012
3.5
CVSS
CVE-2012-4421MEDIUM

The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature.

14 Sep 2012
4.0
CVSS
CVE-2010-5106MEDIUM

The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role.

14 Sep 2012
6.5
CVSS
CVE-2012-4874CRITICAL

Unspecified vulnerability in the Another WordPress Classifieds Plugin before 2.0 for WordPress has unknown impact and attack vectors related to "image uploads."

7 Sep 2012
10.0
CVSS
CVE-2012-2109HIGHpoc

SQL injection vulnerability in wp-load.php in the BuddyPress plugin 1.5.x before 1.5.5 of WordPress allows remote attackers to execute arbitrary SQL commands via the page parameter in an activity_widget_filter action.

4 Sep 2012
7.5
CVSS
CVE-2011-5128MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Adminimize plugin before 1.7.22 for WordPress allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) inc-options/deinstall_options.php, (2) inc-options/theme_options.php, or (3) inc-options/im_export_options.php, or the (4) post or (5) post_ID parameters to adminimize.php, different vectors than CVE-2011-4926.

29 Aug 2012
4.3
CVSS
CVE-2011-4926MEDIUMpoc

Cross-site scripting (XSS) vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.

29 Aug 2012
4.3
CVSS
CVE-2011-5107MEDIUMpoc

Cross-site scripting (XSS) vulnerability in post_alert.php in Alert Before Your Post plugin, possibly 0.1.1 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the name parameter.

23 Aug 2012
4.3
CVSS
CVE-2011-5106MEDIUMpoc

Cross-site scripting (XSS) vulnerability in edit-post.php in the Flexible Custom Post Type plugin before 0.1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter.

23 Aug 2012
4.3
CVSS
CVE-2011-5104MEDIUM

Cross-site scripting (XSS) vulnerability in wpsc-admin/display-sales-logs.php in WP e-Commerce plugin 3.8.7.1 and possibly earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the custom_text parameter. NOTE: some of these details are obtained from third party information.

23 Aug 2012
4.3
CVSS
CVE-2012-3434MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in userperspan.php in the Count Per Day module before 3.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) page, (2) datemin, or (3) datemax parameter.

16 Aug 2012
4.3
CVSS
CVE-2012-4332MEDIUM

The ShareYourCart plugin 1.7.1 for WordPress allows remote attackers to obtain the installation path via unspecified vectors related to the SDK.

15 Aug 2012
5.0
CVSS
CVE-2012-4327HIGH

Unspecified vulnerability in the Image News slider plugin before 3.3 for WordPress has unspecified impact and remote attack vectors.

15 Aug 2012
7.5
CVSS
CVE-2012-1835MEDIUMpoc

Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.

15 Aug 2012
4.3
CVSS
CVE-2012-4283MEDIUM

Cross-site scripting (XSS) vulnerability in the Login With Ajax plugin before 3.0.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the callback parameter.

14 Aug 2012
4.3
CVSS
CVE-2012-4273MEDIUM

Cross-site scripting (XSS) vulnerability in libs/xing.php in the 2 Click Social Media Buttons plugin before 0.34 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xing-url parameter.

14 Aug 2012
4.3
CVSS
CVE-2012-4272MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the 2 Click Social Media Buttons plugin before 0.34 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the "processing of the buttons of Xing and Pinterest".

14 Aug 2012
4.3
CVSS
CVE-2012-4271MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in bad-behavior-wordpress-admin.php in the Bad Behavior plugin before 2.0.47 and 2.2.x before 2.2.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, (2) httpbl_key, (3) httpbl_maxage, (4) httpbl_threat, (5) reverse_proxy_addresses, or (6) reverse_proxy_header parameter.

14 Aug 2012
4.3
CVSS
CVE-2012-4268MEDIUM

Cross-site scripting (XSS) vulnerability in bulletproof-security/admin/options.php in the BulletProof Security plugin before .47.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the HTTP_ACCEPT_ENCODING header.

14 Aug 2012
4.3
CVSS
CVE-2012-4264MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Better WP Security (better_wp_security) plugin before 3.2.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "server variables," a different vulnerability than CVE-2012-4263.

14 Aug 2012
4.3
CVSS
CVE-2012-4263MEDIUM

Cross-site scripting (XSS) vulnerability in inc/admin/content.php in the Better WP Security (better_wp_security) plugin before 3.2.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the HTTP_USER_AGENT header.

14 Aug 2012
4.3
CVSS
CVE-2012-2371MEDIUMpoc

Cross-site scripting (XSS) vulnerability in index.php in the WP-FaceThumb plugin 0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the pagination_wp_facethumb parameter.

13 Aug 2012
4.3
CVSS
CVE-2012-3385MEDIUM

WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or contributors to obtain sensitive information via unknown vectors.

22 Jul 2012
5.0
CVSS
CVE-2012-3384MEDIUM

Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

22 Jul 2012
6.8
CVSS
CVE-2012-3383LOW

The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not properly assign the unfiltered_html capability, which allows remote authenticated users to bypass intended access restrictions and conduct cross-site scripting (XSS) attacks by leveraging the Administrator or Editor role and composing crafted text.

22 Jul 2012
2.6
CVSS
CVE-2012-4033CRITICAL

Multiple unspecified vulnerabilities in the Zingiri Web Shop plugin before 2.4.0 for WordPress have unknown impact and attack vectors.

18 Jul 2012
10.0
CVSS
CVE-2012-3814HIGHpoc

Unrestricted file upload vulnerability in font-upload.php in the Font Uploader plugin 1.2.4 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a PHP file with a .php.ttf extension, then accessing it via a direct request to the file in font-uploader/fonts.

28 Jun 2012
7.5
CVSS
CVE-2011-4957MEDIUM

The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls.

28 Jun 2012
5.0
CVSS
CVE-2011-4956MEDIUM

Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

28 Jun 2012
4.3
CVSS
CVE-2012-3588MEDIUMpoc

Directory traversal vulnerability in preview.php in the Plugin Newsletter plugin 1.5 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the data parameter.

19 Jun 2012
5.0
CVSS
CVE-2012-3578MEDIUMpoc

Unrestricted file upload vulnerability in html/Upload.php in the FCChat Widget plugin 2.2.13.1 and earlier for WordPress allows remote attackers to execute arbitrary code by uploading a file with a file with an executable extension followed by a safe extension, then accessing it via a direct request to the file in html/images.

17 Jun 2012
6.8
CVSS
CVE-2012-3577HIGHpoc

Unrestricted file upload vulnerability in doupload.php in the Nmedia Member Conversation plugin before 1.4 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in wp-content/uploads/user_uploads.

17 Jun 2012
7.5
CVSS
CVE-2012-3576CRITICALpoc

Unrestricted file upload vulnerability in php/upload.php in the wpStoreCart plugin before 2.5.30 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/wpstorecart.

16 Jun 2012
10.0
CVSS
CVE-2012-3575CRITICALpoc

Unrestricted file upload vulnerability in uploader.php in the RBX Gallery plugin 2.1 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/rbxslider.

16 Jun 2012
10.0
CVSS
CVE-2012-3574HIGHpoc

Unrestricted file upload vulnerability in includes/doajaxfileupload.php in the MM Forms Community plugin 2.2.5 and 2.2.6 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in upload/temp.

16 Jun 2012
7.5
CVSS
CVE-2012-2633MEDIUM

Cross-site scripting (XSS) vulnerability in wassup.php in the WassUp plugin before 1.8.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header.

15 Jun 2012
4.3
CVSS
CVE-2012-2759MEDIUM

Cross-site scripting (XSS) vulnerability in login-with-ajax.php in the Login With Ajax (aka login-with-ajax) plugin before 3.0.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the callback parameter in a lostpassword action to wp-login.php.

22 May 2012
4.3
CVSS
CVE-2012-2920MEDIUM

Cross-site scripting (XSS) vulnerability in the userphoto_options_page function in user-photo.php in the User Photo plugin before 0.9.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to wp-admin/options-general.php. NOTE: some of these details are obtained from third party information.

22 May 2012
4.3
CVSS
CVE-2012-2917MEDIUMpoc

Cross-site scripting (XSS) vulnerability in the Share and Follow plugin 1.80.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the CDN API Key (cnd-key) in a share-and-follow-menu page to wp-admin/admin.php.

21 May 2012
4.3
CVSS
CVE-2012-2916MEDIUM

Cross-site scripting (XSS) vulnerability in sabre_class_admin.php in the SABRE plugin before 2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the active_option parameter to wp-admin/tools.php.

21 May 2012
4.3
CVSS
CVE-2012-2913MEDIUMpoc

Multiple cross-site scripting (XSS) vulnerabilities in the Leaflet plugin 0.0.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the id parameter to (1) leaflet_layer.php or (2) leaflet_marker.php, as reachable through wp-admin/admin.php.

21 May 2012
4.3
CVSS
CVE-2012-2912MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the LeagueManager plugin 3.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) group parameter in the show-league page or (2) season parameter in the team page to wp-admin/admin.php.

21 May 2012
4.3
CVSS
CVE-2012-1936MEDIUMpoc

The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network, as demonstrated by attacks against the wp-admin/admin-ajax.php and wp-admin/user-new.php scripts. NOTE: the vendor reportedly disputes the significance of this issue because wp_create_nonce operates as intended, even if it is arguably inconsistent with certain CSRF protection details advocated by external organizations

3 May 2012
6.8
CVSS
CVE-2012-2404MEDIUM

wp-comments-post.php in WordPress before 3.3.2 supports offsite redirects, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.

22 Apr 2012
4.3
CVSS
CVE-2012-2403MEDIUM

wp-includes/formatting.php in WordPress before 3.3.2 attempts to enable clickable links inside attributes, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.

22 Apr 2012
4.3
CVSS
← PrevPage 8 / 14Next →