Vulnerabilities > Wordpress > High
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2013-05-10 | CVE-2013-3530 | SQL Injection vulnerability in Fabricio Zuardi Xspf Player Plugin 0.1: SQL injection vulnerability in playlist.php in the Spiffy XSPF Player plugin 0.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the playlist_id parameter. | 7.5 |
2013-04-02 | CVE-2013-2743 | Improper Authentication vulnerability in Ithemes Backupbuddy: importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress allows remote attackers to bypass authentication via a crafted integer in the step parameter. | 7.5 |
2013-04-02 | CVE-2013-2742 | Information Disclosure vulnerability in BackupBuddy 'importbuddy.php': importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress does not reliably delete itself after completing a restore operation, which makes it easier for remote attackers to obtain access via subsequent requests to this script. | 7.5 |
2013-04-02 | CVE-2013-2741 | Improper Authentication vulnerability in Ithemes Backupbuddy: importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress does not require that authentication be enabled, which allows remote attackers to obtain sensitive information, or overwrite or delete files, via vectors involving a (1) direct request, (2) step=1 request, (3) step=2 or step=3 request, or (4) step=7 request. | 7.5 |
2012-12-20 | CVE-2012-5469 | Permissions, Privileges, and Access Controls vulnerability in PHPmyadmin: The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod. | 7.5 |
2012-10-25 | CVE-2011-5216 | SQL Injection vulnerability in multiple products: SQL injection vulnerability in ajax.php in the SCORM Cloud For WordPress plugin before 1.0.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the active parameter. | 7.5 |
2012-10-08 | CVE-2012-5310 | SQL Injection vulnerability in Getshopped WP E-Commerce: SQL injection vulnerability in the WP e-Commerce plugin before 3.8.7.6 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.5 |
2012-09-04 | CVE-2012-2109 | SQL Injection vulnerability in Buddypress: SQL injection vulnerability in wp-load.php in the BuddyPress plugin 1.5.x before 1.5.5 for WordPress allows remote attackers to execute arbitrary SQL commands via the page parameter in an activity_widget_filter action. | 7.5 |
2012-08-14 | CVE-2012-4327 | Multiple Unspecified vulnerability in Wpslideshow Image News Slider 3.0/3.1/3.2: Unspecified vulnerability in the Image News Slider plugin before 3.3 for WordPress has unspecified impact and remote attack vectors. | 7.5 |
2012-06-27 | CVE-2012-3814 | Permissions, Privileges, and Access Controls vulnerability in Pippin Williamson Font Uploader 1.2.4: Unrestricted file upload vulnerability in font-upload.php in the Font Uploader plugin 1.2.4 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a PHP file with a .php.ttf extension, then accessing it via a direct request to the file in font-uploader/fonts. | 7.5 |