Vulnerabilities > Wordpress > Wordpress > 0.6.2
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2009-07-10 | CVE-2009-2432 | Permissions, Privileges, and Access Controls vulnerability in Wordpress and Wordpress MU WordPress and WordPress MU before 2.8.1 allow remote attackers to obtain sensitive information via a direct request to wp-settings.php, which reveals the installation path in an error message. | 5.0 |
| 2009-07-10 | CVE-2009-2334 | Improper Authentication vulnerability in Wordpress and Wordpress MU wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify this file, as demonstrated by the (1) collapsing-archives/options.txt, (2) akismet/readme.txt, (3) related-ways-to-take-action/options.php, (4) wp-security-scan/securityscan.php, and (5) wp-ids/ids-admin.php files. | 4.9 |
| 2008-12-19 | CVE-2008-5695 | Improper Input Validation vulnerability in Wordpress and Wordpress MU wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option, which allows remote authenticated users with manage_options and upload_files capabilities to execute arbitrary code by uploading a PHP script and adding this script's pathname to active_plugins. | 8.5 |
| 2008-11-28 | CVE-2008-5278 | Cross-Site Scripting vulnerability in Wordpress Cross-site scripting (XSS) vulnerability in the self_link function in in the RSS Feed Generator (wp-includes/feed.php) for WordPress before 2.6.5 allows remote attackers to inject arbitrary web script or HTML via the Host header (HTTP_HOST variable). | 4.3 |
| 2008-10-28 | CVE-2008-4769 | Path Traversal vulnerability in Wordpress Directory traversal vulnerability in the get_category_template function in wp-includes/theme.php in WordPress 2.3.3 and earlier, and 2.5, allows remote attackers to include and possibly execute arbitrary PHP files via the cat parameter in index.php. | 9.3 |
| 2008-08-27 | CVE-2008-3747 | Permissions, Privileges, and Access Controls vulnerability in Wordpress The (1) get_edit_post_link and (2) get_edit_comment_link functions in wp-includes/link-template.php in WordPress before 2.6.1 do not force SSL communication in the intended situations, which might allow remote attackers to gain administrative access by sniffing the network for a cookie. | 7.5 |
| 2008-07-18 | CVE-2008-3233 | Cross-Site Scripting vulnerability in Wordpress Cross-site scripting (XSS) vulnerability in WordPress before 2.6, SVN development versions only, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
| 2008-05-12 | CVE-2008-2146 | Permissions, Privileges, and Access Controls vulnerability in Wordpress wp-includes/vars.php in Wordpress before 2.2.3 does not properly extract the current path from the PATH_INFO ($PHP_SELF), which allows remote attackers to bypass intended access restrictions for certain pages. | 7.5 |
| 2007-09-14 | CVE-2007-4894 | SQL Injection vulnerability in Wordpress Multiple SQL injection vulnerabilities in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a allow remote attackers to execute arbitrary SQL commands via the post_type parameter to the pingback.extensions.getPingbacks method in the XMLRPC interface, and other unspecified parameters related to "early database escaping" and missing validation of "query string like parameters." | 7.5 |
| 2007-09-14 | CVE-2007-4893 | Cross-Site Request Forgery (CSRF) vulnerability in Wordpress wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a does not properly verify the unfiltered_html privilege, which allows remote attackers to conduct cross-site scripting (XSS) attacks via modified data to (1) post.php or (2) page.php with a no_filter field. | 4.3 |