Vulnerabilities > WordPress > High
DATE | CVE | VULNERABILITY (TITLE: DESCRIPTION) | RISK (CVSS BASE SCORE)
---|---|---|---
2008-01-10 | CVE-2008-0222 | Code Injection vulnerability in WordPress Wp-FileManager 1.2: Unrestricted file upload vulnerability in ajaxfilemanager.php in the Wp-FileManager 1.2 plugin for WordPress allows remote attackers to upload and execute arbitrary PHP code via unspecified vectors. | 7.5
2008-01-10 | CVE-2008-0194 | Path Traversal vulnerability in WordPress: Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a .. (dot dot) sequence. | 7.5
2007-09-14 | CVE-2007-4894 | SQL Injection vulnerability in WordPress: Multiple SQL injection vulnerabilities in WordPress before 2.2.3 and WordPress multi-user (MU) before 1.2.5a allow remote attackers to execute arbitrary SQL commands via the post_type parameter to the pingback.extensions.getPingbacks method in the XML-RPC interface, and via other unspecified parameters related to "early database escaping" and missing validation of "query string like parameters." | 7.5
2007-05-22 | CVE-2007-2821 | SQL Injection vulnerability in WordPress admin-ajax.php: SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter. | 7.5
2007-03-05 | CVE-2007-1277 | Improper Input Validation vulnerability in WordPress 2.1.1 (backdoored distribution): WordPress 2.1.1, as downloaded from some official distribution sites during February and March 2007, contains an externally introduced backdoor that allows remote attackers to execute arbitrary commands via (1) an eval injection vulnerability in the ix parameter to wp-includes/feed.php, and (2) an untrusted passthru call in the iz parameter to wp-includes/theme.php. | 7.5
2007-01-29 | CVE-2007-0539 | Denial-of-Service vulnerability in WordPress: The wp_remote_fopen function in WordPress before 2.1 allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a large file, which triggers a long download session without a timeout constraint. | 7.8
2007-01-16 | CVE-2007-0262 | Information Disclosure vulnerability in WordPress 2.0.6/2.1: WordPress 2.0.6, and 2.1 Alpha 3 (SVN:4662), does not properly verify that the m parameter value has the string data type, which allows remote attackers to obtain sensitive information via an invalid m[] parameter, as demonstrated by obtaining the path, and obtaining certain SQL information such as the table prefix. | 7.8
2007-01-13 | CVE-2007-0233 | SQL Injection vulnerability in WordPress wp-trackback.php: wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the tb_id parameter. | 7.5
2006-05-30 | CVE-2006-2667 | Remote PHP Code Injection vulnerability in WordPress user profiles: Direct static code injection vulnerability in WordPress 2.0.2 and earlier allows remote attackers to execute arbitrary commands by inserting a carriage return and PHP code when updating a profile, which is appended after a special comment sequence into files in (1) wp-content/cache/userlogins/ and (2) wp-content/cache/users/, which are later included by cache.php, as demonstrated using the displayname argument. | 7.5
2006-03-06 | CVE-2006-1012 | SQL Injection vulnerability in WordPress 1.5.2: SQL injection vulnerability in WordPress 1.5.2, and possibly other versions before 2.0, allows remote attackers to execute arbitrary SQL commands via the User-Agent field in an HTTP header for a comment. | 7.5
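Four of the entries above (CVE-2007-4894, CVE-2007-2821, CVE-2007-0233, CVE-2006-1012) share one root cause: SQL assembled by string concatenation from request data the application did not treat as attacker-controlled, in two cases a cookie or the User-Agent header rather than a query parameter. The following is an added illustration of that pattern, not WordPress code and not code from the vulnerability database; the table and column names, the handler names and the request contents are constructed for the example. It uses PDO with an in-memory SQLite database so it runs offline.

```php
<?php
// Added example (not WordPress code): SQL injection through an HTTP header,
// the bug class behind CVE-2006-1012, beside the parameterized version.
// Table/column names (wp_comments, comment_agent, ...) are assumptions.

// Constructed request: a comment POST whose User-Agent header carries a
// payload that closes the quoted value and appends its own statement.
$_SERVER['HTTP_USER_AGENT'] = "Mozilla/5.0', 'x', 'x'); DROP TABLE wp_comments; -- ";
$_POST['comment_author']    = 'alice';
$_POST['comment_content']   = 'Nice post';

// Weak: header value interpolated straight into the statement text.
// The query is returned rather than executed so the damage is visible.
function build_insert_weak(array $post, array $server): string
{
    return "INSERT INTO wp_comments (comment_author, comment_content, comment_agent) VALUES ('"
        . $post['comment_author'] . "', '"
        . $post['comment_content'] . "', '"
        . $server['HTTP_USER_AGENT'] . "')";
}

// Hardened: every request-derived value, headers and cookies included, is
// bound as a parameter, so the driver never parses its content as SQL.
function insert_comment_strict(PDO $db, array $post, array $server): bool
{
    $stmt = $db->prepare(
        'INSERT INTO wp_comments (comment_author, comment_content, comment_agent)
         VALUES (:author, :content, :agent)'
    );
    // Binding stops injection; bounding the length separately keeps an
    // oversized header from reaching the database at all.
    $agent = substr($server['HTTP_USER_AGENT'] ?? '', 0, 255);
    return $stmt->execute([
        ':author'  => $post['comment_author']  ?? '',
        ':content' => $post['comment_content'] ?? '',
        ':agent'   => $agent,
    ]);
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE wp_comments (comment_author TEXT, comment_content TEXT, comment_agent TEXT)');

// Show the concatenated statement: the header has become executable SQL.
echo build_insert_weak($_POST, $_SERVER), PHP_EOL;

// Run the safe version and read back the stored agent string: the payload is
// stored verbatim as data, and the table still exists.
insert_comment_strict($db, $_POST, $_SERVER);
echo $db->query('SELECT comment_agent FROM wp_comments')->fetchColumn(), PHP_EOL;
```

The point the advisories make is about the trust boundary, not the syntax: `$_SERVER['HTTP_*']` and `$_COOKIE` are as attacker-controlled as `$_GET`, and every value that reaches a query needs to go through the same binding path.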
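CVE-2007-0262 in the table is a type-confusion leak: PHP lets a client turn any request parameter into an array by writing `m[]=...`, and code that only checks the parameter is present then passes an array to string functions, whose warnings include the absolute path of the script. The following is an added illustration of that class, not WordPress code and not code from the vulnerability database. It assumes, as an example, a handler that treats `m` as a six-digit year-and-month value; the function names are hypothetical.

```php
<?php
// Added example (not WordPress code): a parameter assumed to be a string is
// supplied as an array (?m[]=foo). Only the presence check in the weak
// version is modelled; the YYYYMM interpretation of m is an assumption.

// Constructed request: ?m[]=foo instead of ?m=200701
$_GET['m'] = ['foo'];

// Weak: checks that m is present and non-empty, but not that it is a string.
// With an array, substr() emits a warning on PHP 7 ("substr() expects
// parameter 1 to be string, array given in /abs/path/script.php on line N")
// and throws a TypeError on PHP 8. When display_errors is on, that message,
// with the full filesystem path, is returned to the client.
function archive_month_weak(array $get): ?string
{
    if (empty($get['m'])) {
        return null;
    }
    return substr($get['m'], 0, 4) . '-' . substr($get['m'], 4, 2);
}

// Hardened: reject anything that is not a string of the expected shape
// before it reaches string or database functions.
function archive_month_strict(array $get): ?string
{
    if (!isset($get['m']) || !is_string($get['m'])) {
        return null;
    }
    if (!preg_match('/\A\d{6}\z/', $get['m'])) { // YYYYMM only
        return null;
    }
    return substr($get['m'], 0, 4) . '-' . substr($get['m'], 4, 2);
}

// The strict handler treats the array as absent and a valid value normally.
var_dump(archive_month_strict($_GET));
var_dump(archive_month_strict(['m' => '200701']));

// The weak handler is called last and wrapped so the script keeps running on
// PHP 8; on PHP 7 the warning text is what the advisory calls "the path".
try {
    var_dump(archive_month_weak($_GET));
} catch (TypeError $e) {
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
}
```

The same root cause produces the second leak the advisory lists: an array interpolated into SQL becomes the literal string `Array`, the query fails, and a database error printed with the failing statement exposes the table prefix. Validating the type at the edge, as `archive_month_strict` does, closes both.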