Vulnerabilities > Wordpress > Low
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2013-09-12 | CVE-2013-5739 | Cross-Site Scripting vulnerability in Wordpress The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php. | 3.5 |
| 2013-07-29 | CVE-2013-4944 | Cross-Site Scripting vulnerability in Fusedpress Buddypress-Extended-Frienship-Request 1.0/1.0.1 Cross-site scripting (XSS) vulnerability in the BuddyPress Extended Friendship Request plugin before 1.0.2 for WordPress, when the "Friend Connections" component is enabled, allows remote attackers to inject arbitrary web script or HTML via the friendship_request_message parameter to wp-admin/admin-ajax.php. | 2.6 |
| 2013-07-29 | CVE-2013-4954 | Cross-Site Scripting vulnerability in Genetechsolutions Pie-Register Multiple cross-site scripting (XSS) vulnerabilities in wp-login.php in the Genetech Solutions Pie-Register plugin before 1.31 for WordPress, when "Allow New Registrations to set their own Password" is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) pass1 or (2) pass2 parameter in a register action. | 2.6 |
| 2013-05-31 | CVE-2013-3720 | Cross-Site Scripting vulnerability in Feedweb Cross-site scripting (XSS) vulnerability in widget_remove.php in the Feedweb plugin before 1.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wp_post_id parameter. | 3.5 |
| 2012-12-27 | CVE-2012-5868 | Information Exposure vulnerability in Wordpress 3.4.2 WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upon an administrator's logout action, which makes it easier for remote attackers to discover valid session identifiers via a brute-force attack, or modify data via a replay attack. | 2.6 |
| 2012-10-24 | CVE-2012-5388 | Cross-Site Scripting vulnerability in Videousermanuals White-Label-Cms 1.5 Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in the White Label CMS plugin 1.5 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, a related issue to CVE-2012-5387. | 3.5 |
| 2012-10-09 | CVE-2012-5349 | Cross-Site Scripting vulnerability in Wordpress Pay-With-Tweet Multiple cross-site scripting (XSS) vulnerabilities in pay.php in the Pay With Tweet plugin before 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) link, (2) title, or (3) dl parameter. | 2.6 |
| 2012-10-08 | CVE-2012-5325 | Cross-Site Scripting vulnerability in Cartpauj Shortcode-Redirect 1.0.00/1.0.01 Multiple cross-site scripting (XSS) vulnerabilities in the scr_do_redirect function in scr.php in the Shortcode Redirect plugin 1.0.01 and earlier for WordPress allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (1) url or (2) sec attributes in a redirect tag. | 2.1 |
| 2012-09-23 | CVE-2011-5193 | Cross-Site Scripting vulnerability in PHPace Samswhois 1.1/1.4.2.3 Cross-site scripting (XSS) vulnerability in vendors/samswhois/samswhois.inc.php in the Whois Search plugin 1.4.2.3 for WordPress, when the WHOIS widget is enabled, allows remote attackers to inject arbitrary web script or HTML via the domain parameter to index.php, a different vulnerability than CVE-2011-5194. | 2.6 |
| 2012-09-14 | CVE-2012-4422 | Permissions, Privileges, and Access Controls vulnerability in Wordpress wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin changes by leveraging the Administrator role. | 3.5 |