Vulnerabilities > Wordpress > Wordpress > 1.0.2.blakey
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2009-07-10 | CVE-2009-2432 | Permissions, Privileges, and Access Controls vulnerability in Wordpress and Wordpress MU WordPress and WordPress MU before 2.8.1 allow remote attackers to obtain sensitive information via a direct request to wp-settings.php, which reveals the installation path in an error message. | 5.0 |
2009-07-10 | CVE-2009-2334 | Improper Authentication vulnerability in Wordpress and Wordpress MU wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify this file, as demonstrated by the (1) collapsing-archives/options.txt, (2) akismet/readme.txt, (3) related-ways-to-take-action/options.php, (4) wp-security-scan/securityscan.php, and (5) wp-ids/ids-admin.php files. | 4.9 |
2008-12-19 | CVE-2008-5695 | Improper Input Validation vulnerability in Wordpress and Wordpress MU wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option, which allows remote authenticated users with manage_options and upload_files capabilities to execute arbitrary code by uploading a PHP script and adding this script's pathname to active_plugins. | 8.5 |
2008-11-28 | CVE-2008-5278 | Cross-Site Scripting vulnerability in Wordpress Cross-site scripting (XSS) vulnerability in the self_link function in in the RSS Feed Generator (wp-includes/feed.php) for WordPress before 2.6.5 allows remote attackers to inject arbitrary web script or HTML via the Host header (HTTP_HOST variable). | 4.3 |
2008-10-28 | CVE-2008-4769 | Path Traversal vulnerability in Wordpress Directory traversal vulnerability in the get_category_template function in wp-includes/theme.php in WordPress 2.3.3 and earlier, and 2.5, allows remote attackers to include and possibly execute arbitrary PHP files via the cat parameter in index.php. | 9.3 |
2008-09-18 | CVE-2008-4106 | Improper Input Validation vulnerability in Wordpress WordPress before 2.6.2 does not properly handle MySQL warnings about insertion of username strings that exceed the maximum column width of the user_login column, and does not properly handle space characters when comparing usernames, which allows remote attackers to change an arbitrary user's password to a random value by registering a similar username and then requesting a password reset, related to a "SQL column truncation vulnerability." NOTE: the attacker can discover the random password by also exploiting CVE-2008-4107. | 5.1 |