Vulnerabilities > Wordpress > Wordpress > 2.0.1
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2007-01-09 | CVE-2007-0107 | SQL Injection vulnerability in WordPress Charset Decoding WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using UTF-7. network wordpress | 6.8 |
2007-01-09 | CVE-2007-0106 | Cross-Site Scripting vulnerability in Wordpress Invalid CSRF Token Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via a CSRF attack with an invalid token and quote characters or HTML tags in URL variable names, which are not properly handled when WordPress generates a new link to verify the request. network wordpress | 6.8 |
2006-12-28 | CVE-2006-6808 | HTML Injection vulnerability in Wordpress Cross-site scripting (XSS) vulnerability in wp-admin/templates.php in WordPress 2.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. network wordpress | 6.8 |
2006-11-21 | CVE-2006-6017 | Denial-Of-Service vulnerability in WordPress WordPress before 2.0.5 does not properly store a profile containing a string representation of a serialized object, which allows remote authenticated users to cause a denial of service (application crash) via a string that represents a (1) malformed or (2) large serialized object, because the object triggers automatic unserialization for display. | 4.0 |
2006-11-21 | CVE-2006-6016 | Remote Security vulnerability in WordPress wp-admin/user-edit.php in WordPress before 2.0.5 allows remote authenticated users to read the metadata of an arbitrary user via a modified user_id parameter. | 4.0 |
2006-11-04 | CVE-2006-5705 | Multiple Security vulnerability in WordPress 2.04 Multiple directory traversal vulnerabilities in plugins/wp-db-backup.php in WordPress before 2.0.5 allow remote authenticated users to read or overwrite arbitrary files via directory traversal sequences in the (1) backup and (2) fragment parameters in a GET request. network wordpress | 6.0 |
2006-08-09 | CVE-2006-4028 | Remote Security vulnerability in WordPress Multiple unspecified vulnerabilities in WordPress before 2.0.4 have unknown impact and remote attack vectors. | 10.0 |
2006-05-30 | CVE-2006-2667 | Remote PHP Code Injection vulnerability in WordPress Username Direct static code injection vulnerability in WordPress 2.0.2 and earlier allows remote attackers to execute arbitrary commands by inserting a carriage return and PHP code when updating a profile, which is appended after a special comment sequence into files in (1) wp-content/cache/userlogins/ (2) wp-content/cache/users/ which are later included by cache.php, as demonstrated using the displayname argument. | 7.5 |
2006-03-19 | CVE-2006-1263 | Cross-Site Scripting vulnerability in WordPress Multiple "unannounced" cross-site scripting (XSS) vulnerabilities in WordPress before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors. network wordpress | 4.3 |
2006-03-03 | CVE-2006-0986 | Information Disclosure vulnerability in WordPress WordPress 2.0.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) default-filters.php, (2) template-loader.php, (3) rss-functions.php, (4) locale.php, (5) wp-db.php, and (6) kses.php in the wp-includes/ directory; and (7) edit-form-advanced.php, (8) admin-functions.php, (9) edit-link-form.php, (10) edit-page-form.php, (11) admin-footer.php, and (12) menu.php in the wp-admin directory; and possibly (13) list directory contents of the wp-includes directory. | 5.0 |