WordPress vulnerabilities, low risk

Each entry: DATE, CVE, VULNERABILITY TITLE; description; tags; RISK score
2013-09-12 CVE-2013-5739 Cross-Site Scripting vulnerability in Wordpress
The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php.
network; wordpress; CWE-79; RISK 3.5
2013-07-29 CVE-2013-4944 Cross-Site Scripting vulnerability in Fusedpress Buddypress-Extended-Frienship-Request 1.0/1.0.1
Cross-site scripting (XSS) vulnerability in the BuddyPress Extended Friendship Request plugin before 1.0.2 for WordPress, when the "Friend Connections" component is enabled, allows remote attackers to inject arbitrary web script or HTML via the friendship_request_message parameter to wp-admin/admin-ajax.php.
network; high complexity; fusedpress, wordpress; CWE-79; RISK 2.6
2013-07-29 CVE-2013-4954 Cross-Site Scripting vulnerability in Genetechsolutions Pie-Register
Multiple cross-site scripting (XSS) vulnerabilities in wp-login.php in the Genetech Solutions Pie-Register plugin before 1.31 for WordPress, when "Allow New Registrations to set their own Password" is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) pass1 or (2) pass2 parameter in a register action.
network; high complexity; genetechsolutions, wordpress; CWE-79; RISK 2.6
2013-05-31 CVE-2013-3720 Cross-Site Scripting vulnerability in Feedweb
Cross-site scripting (XSS) vulnerability in widget_remove.php in the Feedweb plugin before 1.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wp_post_id parameter.
RISK 3.5
2012-12-27 CVE-2012-5868 Information Exposure vulnerability in Wordpress 3.4.2
WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upon an administrator's logout action, which makes it easier for remote attackers to discover valid session identifiers via a brute-force attack, or modify data via a replay attack.
network; high complexity; wordpress; CWE-200; RISK 2.6
2012-10-24 CVE-2012-5388 Cross-Site Scripting vulnerability in Videousermanuals White-Label-Cms 1.5
Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in the White Label CMS plugin 1.5 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, a related issue to CVE-2012-5387.
RISK 3.5
2012-10-09 CVE-2012-5349 Cross-Site Scripting vulnerability in Wordpress Pay-With-Tweet
Multiple cross-site scripting (XSS) vulnerabilities in pay.php in the Pay With Tweet plugin before 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) link, (2) title, or (3) dl parameter.
network; high complexity; wordpress; CWE-79; RISK 2.6
2012-10-08 CVE-2012-5325 Cross-Site Scripting vulnerability in Cartpauj Shortcode-Redirect 1.0.00/1.0.01
Multiple cross-site scripting (XSS) vulnerabilities in the scr_do_redirect function in scr.php in the Shortcode Redirect plugin 1.0.01 and earlier for WordPress allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (1) url or (2) sec attributes in a redirect tag.
network; high complexity; cartpauj, wordpress; CWE-79; RISK 2.1
2012-09-23 CVE-2011-5193 Cross-Site Scripting vulnerability in PHPace Samswhois 1.1/1.4.2.3
Cross-site scripting (XSS) vulnerability in vendors/samswhois/samswhois.inc.php in the Whois Search plugin 1.4.2.3 for WordPress, when the WHOIS widget is enabled, allows remote attackers to inject arbitrary web script or HTML via the domain parameter to index.php, a different vulnerability than CVE-2011-5194.
network; high complexity; wordpress, phpace; CWE-79; RISK 2.6
2012-09-14 CVE-2012-4422 Permissions, Privileges, and Access Controls vulnerability in Wordpress
wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin changes by leveraging the Administrator role.
network; wordpress; CWE-264; RISK 3.5