Vulnerabilities > Wordpress > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2008-12-19 | CVE-2008-5695 | Improper Input Validation vulnerability in Wordpress and Wordpress MU wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option, which allows remote authenticated users with manage_options and upload_files capabilities to execute arbitrary code by uploading a PHP script and adding this script's pathname to active_plugins. | 8.5 |
| 2008-10-24 | CVE-2008-4734 | Cross-Site Request Forgery (CSRF) vulnerability in Pressography WP Comment Remix Plugin 1.4 Cross-site request forgery (CSRF) vulnerability in the wpcr_do_options_page function in WP Comment Remix plugin before 1.4.4 for WordPress allows remote attackers to perform unauthorized actions as administrators via a request that sets the wpcr_hidden_form_input parameter. | 7.5 |
| 2008-10-24 | CVE-2008-4732 | SQL Injection vulnerability in Pressography WP Comment Remix Plugin 1.4 SQL injection vulnerability in ajax_comments.php in the WP Comment Remix plugin before 1.4.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the p parameter. | 7.5 |
| 2008-10-21 | CVE-2008-4625 | SQL Injection vulnerability in Shiftthis Shifthis Newsletter SQL injection vulnerability in stnl_iframe.php in the ShiftThis Newsletter (st_newsletter) plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the newsletter parameter, a different vector than CVE-2008-0683. | 7.5 |
| 2008-08-27 | CVE-2008-3747 | Permissions, Privileges, and Access Controls vulnerability in Wordpress The (1) get_edit_post_link and (2) get_edit_comment_link functions in wp-includes/link-template.php in WordPress before 2.6.1 do not force SSL communication in the intended situations, which might allow remote attackers to gain administrative access by sniffing the network for a cookie. | 7.5 |
| 2008-05-29 | CVE-2008-2510 | SQL Injection vulnerability in Wordpress Upload File Plugin SQL injection vulnerability in wp-uploadfile.php in the Upload File plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the f_id parameter. | 7.5 |
| 2008-05-12 | CVE-2008-2146 | Permissions, Privileges, and Access Controls vulnerability in Wordpress wp-includes/vars.php in Wordpress before 2.2.3 does not properly extract the current path from the PATH_INFO ($PHP_SELF), which allows remote attackers to bypass intended access restrictions for certain pages. | 7.5 |
| 2008-04-30 | CVE-2008-2034 | SQL Injection vulnerability in Wordpress Download Monitor Plugin 2.0.6 SQL injection vulnerability in wp-download_monitor/download.php in the Download Monitor 2.0.6 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
| 2008-04-28 | CVE-2008-1930 | Improper Authentication vulnerability in Wordpress 2.5 The cookie authentication method in WordPress 2.5 relies on a hash of a concatenated string containing USERNAME and EXPIRY_TIME, which allows remote attackers to forge cookies by registering a username that results in the same concatenated string, as demonstrated by registering usernames beginning with "admin" to obtain administrator privileges, aka a "cryptographic splicing" issue. | 7.5 |
| 2008-04-27 | CVE-2008-1982 | SQL Injection vulnerability in Wordpress Wpss SQL injection vulnerability in ss_load.php in the Spreadsheet (wpSS) 0.6 and earlier plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the ss_id parameter. | 7.5 |