Filtered by vendor Wordpress Subscriptions
Total 13785 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2007-3240 1 Wordpress 1 Wordpress 2026-04-23 N/A
Cross-site scripting (XSS) vulnerability in 404.php in the Vistered-Little theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the URI (REQUEST_URI) that accesses index.php. NOTE: this can be leveraged for PHP code execution in an administrative session.
CVE-2007-3543 1 Wordpress 2 Wordpress, Wordpress Mu 2026-04-23 N/A
Unrestricted file upload vulnerability in WordPress before 2.2.1 and WordPress MU before 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code by making a post that specifies a .php filename in the _wp_attached_file metadata field; and then sending this file's content, along with its post_ID value, to (1) wp-app.php or (2) app.php.
CVE-2007-4544 1 Wordpress 1 Wordpress Mu 2026-04-23 N/A
Cross-site scripting (XSS) vulnerability in wp-newblog.php in WordPress multi-user (MU) 1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the weblog_id parameter (Username field).
CVE-2008-7175 2 Alex Rabe, Wordpress 2 Nextgen Gallery, Wordpress 2026-04-23 N/A
Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in NextGEN Gallery 0.96 and earlier plugin for Wordpress allows remote attackers to inject arbitrary web script or HTML via the picture description field in a page edit action.
CVE-2008-0507 1 Wordpress 1 Adserve 2026-04-23 N/A
SQL injection vulnerability in adclick.php in the AdServe 0.2 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2009-2432 1 Wordpress 2 Wordpress, Wordpress Mu 2026-04-23 N/A
WordPress and WordPress MU before 2.8.1 allow remote attackers to obtain sensitive information via a direct request to wp-settings.php, which reveals the installation path in an error message.
CVE-2008-0520 1 Wordpress 1 Wassup Plugin 2026-04-23 N/A
Multiple SQL injection vulnerabilities in main.php in the WassUp plugin 1.4 through 1.4.3 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) from_date or (2) to_date parameter to spy.php.
CVE-2007-4480 1 Wordpress 1 Sirius 2026-04-23 N/A
Cross-site scripting (XSS) vulnerability in index.php in the Sirius 1.0 theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF).
CVE-2009-2383 2 Blogtrafficexchange, Wordpress 2 Related-sites, Wordpress 2026-04-23 N/A
SQL injection vulnerability in BTE_RW_webajax.php in the Related Sites plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the guid parameter.
CVE-2008-0682 1 Wordpress 1 Wordspew 2026-04-23 N/A
SQL injection vulnerability in wordspew-rss.php in the Wordspew plugin before 3.72 for Wordpress allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2009-2336 1 Wordpress 2 Wordpress, Wordpress Mu 2026-04-23 N/A
The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."
CVE-2008-0683 1 Wordpress 1 St Newsletter Plugin 2026-04-23 N/A
SQL injection vulnerability in shiftthis-preview.php in the ShiftThis Newsletter (st_newsletter) plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the newsletter parameter.
CVE-2008-0206 1 Wordpress 1 Captcha 2026-04-23 N/A
Multiple cross-site scripting (XSS) vulnerabilities in captcha\captcha.php in the Captcha! 2.5d and earlier plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) captcha_ttffolder, (2) captcha_numchars, (3) captcha_ttfrange, or (4) captcha_secret parameter.
CVE-2006-5705 1 Wordpress 1 Wordpress 2026-04-23 N/A
Multiple directory traversal vulnerabilities in plugins/wp-db-backup.php in WordPress before 2.0.5 allow remote authenticated users to read or overwrite arbitrary files via directory traversal sequences in the (1) backup and (2) fragment parameters in a GET request.
CVE-2007-5106 1 Wordpress 1 Wordpress 2026-04-23 N/A
Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 allows remote attackers to inject arbitrary web script or HTML via the user_login parameter.
CVE-2007-1894 1 Wordpress 1 Wordpress 2026-04-23 N/A
Cross-site scripting (XSS) vulnerability in wp-includes/general-template.php in WordPress before 20070309 allows remote attackers to inject arbitrary web script or HTML via the year parameter in the wp_title function.
CVE-2007-2627 1 Wordpress 1 Wordpress 2026-04-23 N/A
Cross-site scripting (XSS) vulnerability in sidebar.php in WordPress, when custom 404 pages that call get_sidebar are used, allows remote attackers to inject arbitrary web script or HTML via the query string (PHP_SELF), a different vulnerability than CVE-2007-1622.
CVE-2008-2510 1 Wordpress 1 Upload File Plugin 2026-04-23 N/A
SQL injection vulnerability in wp-uploadfile.php in the Upload File plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the f_id parameter.
CVE-2009-4168 2 Roytanck, Wordpress 2 Wp-cumulus, Wordpress 2026-04-23 N/A
Cross-site scripting (XSS) vulnerability in Roy Tanck tagcloud.swf, as used in the WP-Cumulus plugin before 1.23 for WordPress and the Joomulus module 2.0 and earlier for Joomla!, allows remote attackers to inject arbitrary web script or HTML via the tagcloud parameter in a tags action. Cross-site scripting (XSS) vulnerability in tagcloud.swf in the WP-Cumulus Plug-in before 1.23 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tagcloud parameter.
CVE-2007-4893 1 Wordpress 1 Wordpress 2026-04-23 N/A
wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a does not properly verify the unfiltered_html privilege, which allows remote attackers to conduct cross-site scripting (XSS) attacks via modified data to (1) post.php or (2) page.php with a no_filter field.