Vulnerabilities > Wordpress > Wordpress > 2.6.3
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2009-08-18 | CVE-2009-2853 | Permissions, Privileges, and Access Controls vulnerability in Wordpress Wordpress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6) edit-link-form.php, (7) edit-page-form.php, and (8) edit-tag-form.php in wp-admin/. | 10.0 |
2009-08-18 | CVE-2009-2851 | Cross-Site Scripting vulnerability in Wordpress Cross-site scripting (XSS) vulnerability in the administrator interface in WordPress before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via a comment author URL. | 4.3 |
2009-08-13 | CVE-2009-2762 | Credentials Management vulnerability in Wordpress wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array. | 7.5 |
2009-07-10 | CVE-2009-2432 | Permissions, Privileges, and Access Controls vulnerability in Wordpress and Wordpress MU WordPress and WordPress MU before 2.8.1 allow remote attackers to obtain sensitive information via a direct request to wp-settings.php, which reveals the installation path in an error message. | 5.0 |
2009-07-10 | CVE-2009-2336 | Configuration vulnerability in Wordpress and Wordpress MU The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. | 5.0 |
2009-07-10 | CVE-2009-2335 | Configuration vulnerability in Wordpress and Wordpress MU WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. | 5.0 |
2009-07-10 | CVE-2009-2334 | Improper Authentication vulnerability in Wordpress and Wordpress MU wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify this file, as demonstrated by the (1) collapsing-archives/options.txt, (2) akismet/readme.txt, (3) related-ways-to-take-action/options.php, (4) wp-security-scan/securityscan.php, and (5) wp-ids/ids-admin.php files. | 4.9 |
2008-11-28 | CVE-2008-5278 | Cross-Site Scripting vulnerability in Wordpress Cross-site scripting (XSS) vulnerability in the self_link function in in the RSS Feed Generator (wp-includes/feed.php) for WordPress before 2.6.5 allows remote attackers to inject arbitrary web script or HTML via the Host header (HTTP_HOST variable). | 4.3 |
2008-11-17 | CVE-2008-5113 | Cross-Site Request Forgery (CSRF) vulnerability in Wordpress 2.6.3 WordPress 2.6.3 relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier for remote attackers to conduct delayed and persistent cross-site request forgery (CSRF) attacks via crafted cookies, as demonstrated by attacks that (1) delete user accounts or (2) cause a denial of service (loss of application access). | 4.0 |