Vulnerabilities > Wordpress
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2007-01-09 | CVE-2007-0107 | SQL Injection vulnerability in WordPress Charset Decoding WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using UTF-7. network wordpress | 6.8 |
| 2007-01-09 | CVE-2007-0106 | Cross-Site Scripting vulnerability in Wordpress Invalid CSRF Token Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via a CSRF attack with an invalid token and quote characters or HTML tags in URL variable names, which are not properly handled when WordPress generates a new link to verify the request. network wordpress | 6.8 |
| 2006-12-28 | CVE-2006-6808 | HTML Injection vulnerability in Wordpress Cross-site scripting (XSS) vulnerability in wp-admin/templates.php in WordPress 2.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. network wordpress | 6.8 |
| 2006-11-21 | CVE-2006-6017 | Denial-Of-Service vulnerability in WordPress WordPress before 2.0.5 does not properly store a profile containing a string representation of a serialized object, which allows remote authenticated users to cause a denial of service (application crash) via a string that represents a (1) malformed or (2) large serialized object, because the object triggers automatic unserialization for display. | 4.0 |
| 2006-11-21 | CVE-2006-6016 | Remote Security vulnerability in WordPress wp-admin/user-edit.php in WordPress before 2.0.5 allows remote authenticated users to read the metadata of an arbitrary user via a modified user_id parameter. | 4.0 |
| 2006-11-04 | CVE-2006-5705 | Multiple Security vulnerability in WordPress 2.04 Multiple directory traversal vulnerabilities in plugins/wp-db-backup.php in WordPress before 2.0.5 allow remote authenticated users to read or overwrite arbitrary files via directory traversal sequences in the (1) backup and (2) fragment parameters in a GET request. network wordpress | 6.0 |
| 2006-09-13 | CVE-2006-4743 | Information Disclosure vulnerability in WordPress WordPress 2.0.2 through 2.0.5 allows remote attackers to obtain sensitive information via a direct request for (1) 404.php, (2) akismet.php, (3) archive.php, (4) archives.php, (5) attachment.php, (6) blogger.php, (7) comments.php, (8) comments-popup.php, (9) dotclear.php, (10) footer.php, (11) functions.php, (12) header.php, (13) hello.php, (14) wp-content/themes/default/index.php, (15) links.php, (16) livejournal.php, (17) mt.php, (18) page.php, (19) rss.php, (20) searchform.php, (21) search.php, (22) sidebar.php, (23) single.php, (24) textpattern.php, (25) upgrade-functions.php, (26) upgrade-schema.php, or (27) wp-db-backup.php, which reveal the path in various error messages. | 5.0 |
| 2006-08-09 | CVE-2006-4028 | Remote Security vulnerability in WordPress Multiple unspecified vulnerabilities in WordPress before 2.0.4 have unknown impact and remote attack vectors. | 10.0 |
| 2006-07-06 | CVE-2006-3390 | SQL Injection vulnerability in Wordpress 2.0.3 WordPress 2.0.3 allows remote attackers to obtain the installation path via a direct request to various files, such as those in the (1) wp-admin, (2) wp-content, and (3) wp-includes directories, possibly due to uninitialized variables. | 5.0 |
| 2006-07-06 | CVE-2006-3389 | SQL Injection vulnerability in Wordpress 2.0.3 index.php in WordPress 2.0.3 allows remote attackers to obtain sensitive information, such as SQL table prefixes, via an invalid paged parameter, which displays the information in an SQL error message. | 5.0 |