Known vulnerabilities affecting WordPress 3.0.1
PUBLISHED | CVE | TITLE | DESCRIPTION | RISK (CVSS base score, 0-10) |
---|---|---|---|---|
2014-08-18 | CVE-2014-5240 | Cross-Site Scripting vulnerability in multiple products | Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL. | 2.1 |
2014-08-18 | CVE-2014-5205 | Cross-Site Request Forgery (CSRF) vulnerability in WordPress | wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. | 6.8 |
2014-08-18 | CVE-2014-5204 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products | wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. | 6.8 |
2014-04-10 | CVE-2014-0166 | Improper Authentication vulnerability in WordPress | The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. | 6.4 |
2014-04-10 | CVE-2014-0165 | Permissions, Privileges, and Access Controls vulnerability in WordPress | WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php. | 4.0 |
2014-01-21 | CVE-2012-6635 | Permissions, Privileges, and Access Controls vulnerability in WordPress | wp-admin/includes/class-wp-posts-list-table.php in WordPress before 3.3.3 does not properly restrict excerpt-view access, which allows remote authenticated users to obtain sensitive information by visiting a draft. | 4.0 |
2014-01-21 | CVE-2012-6634 | Permissions, Privileges, and Access Controls vulnerability in WordPress | wp-admin/media-upload.php in WordPress before 3.3.3 allows remote attackers to obtain sensitive information or bypass intended media-attachment restrictions via a post_id value. | 6.4 |
2014-01-21 | CVE-2012-6633 | Cross-Site Scripting vulnerability in WordPress | Cross-site scripting (XSS) vulnerability in wp-includes/default-filters.php in WordPress before 3.3.3 allows remote attackers to inject arbitrary web script or HTML via an editable slug field. | 4.3 |
2014-01-21 | CVE-2011-5270 | Permissions, Privileges, and Access Controls vulnerability in WordPress | wp-admin/press-this.php in WordPress before 3.0.6 does not enforce the publish_posts capability requirement, which allows remote authenticated users to perform publish actions by leveraging the Contributor role. | 4.0 |
2014-01-21 | CVE-2010-5296 | Permissions, Privileges, and Access Controls vulnerability in WordPress | wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action. | 4.9 |
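The two CSRF-token rows for wp-includes/pluggable.php (CVE-2014-5205, no delimiter between the action and uid fed into the nonce MAC, and CVE-2014-5204, a nonce comparison whose timing depends on where the first wrong character is) describe a pair of generic mistakes worth seeing side by side. The following is an added example written for this page, not WordPress code: the key, action names and user ids are constructed inputs, the MAC is HMAC-SHA256 truncated to ten hex characters, and the "oracle" stands in for the response-time difference an attacker would have to measure in practice.

```python
"""Added example, not WordPress code: the nonce weaknesses described for
CVE-2014-5205 (undelimited action+uid concatenation) and CVE-2014-5204
(early-exit nonce comparison), each beside a hardened variant.
SECRET_KEY, the action names and the uids are constructed demo values."""
import hashlib
import hmac
from typing import Callable, Tuple

SECRET_KEY = b"constructed-demo-nonce-key"  # assumption: stands in for the site's nonce salt
NONCE_LEN = 10   # WordPress nonces are 10 hex chars; any length works here
HEX = "0123456789abcdef"


def _mac(message: bytes) -> str:
    """HMAC-SHA256 of message under SECRET_KEY, truncated to NONCE_LEN hex chars."""
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()[:NONCE_LEN]


def nonce_no_delimiter(action: str, uid: str) -> str:
    """Weak (CVE-2014-5205 pattern): action and uid are glued together with no
    separator, so distinct (action, uid) pairs can produce the same MAC input,
    e.g. ("delete-post1", "2") and ("delete-post", "12")."""
    return _mac((action + uid).encode())


def nonce_delimited(action: str, uid: str) -> str:
    """Hardened: a '|' separator makes the split unambiguous, and a field that
    contains the separator is rejected instead of being silently re-parsed."""
    if "|" in action or "|" in uid:
        raise ValueError("field contains the delimiter")
    return _mac(f"{action}|{uid}".encode())


def compare_early_exit(expected: str, supplied: str) -> Tuple[bool, int]:
    """Weak (CVE-2014-5204 pattern): returns at the first mismatching character.
    The second value is how many characters were examined, standing in for
    the timing difference an attacker observes."""
    if len(expected) != len(supplied):
        return False, 0
    steps = 0
    for a, b in zip(expected, supplied):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def compare_constant_time(expected: str, supplied: str) -> bool:
    """Hardened: hmac.compare_digest takes time independent of where the inputs
    differ, the same guarantee PHP's hash_equals() gives."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


def recover_via_timing_oracle(oracle: Callable[[str], Tuple[bool, int]],
                              length: int) -> Tuple[str, int]:
    """Simulates the brute force the leak enables, assuming a perfect oracle
    (real timing is noisy and needs many samples per guess). Each position
    costs at most 16 guesses, so the nonce falls in at most 16 * length
    queries rather than 16 ** length. Returns (recovered_nonce, query_count)."""
    known = ""
    queries = 0
    for pos in range(length):
        for c in HEX:
            guess = known + c + "0" * (length - pos - 1)
            queries += 1
            matched, steps = oracle(guess)
            # a correct character either completes the nonce or lets the
            # comparison run past this position before it stops
            if matched or steps > pos + 1:
                known += c
                break
        else:
            raise RuntimeError("oracle gave no signal; secret is not hex?")
    return known, queries


if __name__ == "__main__":
    print("collision without delimiter:",
          nonce_no_delimiter("delete-post1", "2") == nonce_no_delimiter("delete-post", "12"))
    secret = nonce_delimited("delete-post", "12")
    found, n = recover_via_timing_oracle(lambda g: compare_early_exit(secret, g), NONCE_LEN)
    print(f"recovered {found} == {secret}: {found == secret} in {n} queries")
```

The collision shows why the delimiter matters even with a strong MAC: the MAC is only as unambiguous as the message it is computed over. The recovery loop is deliberately a simulation; against a real server the same strategy needs repeated measurements per guess, which is what the "brute-force attack" wording in both CVE descriptions refers to.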