Vulnerabilities > Wordpress > Wordpress > 3.0
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2014-01-21 | CVE-2010-5296 | Permissions, Privileges, and Access Controls vulnerability in Wordpress wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action. | 4.9 |
| 2014-01-21 | CVE-2010-5295 | Cross-Site Scripting vulnerability in Wordpress Cross-site scripting (XSS) vulnerability in wp-admin/plugins.php in WordPress before 3.0.2 might allow remote attackers to inject arbitrary web script or HTML via a plugin's author field, which is not properly handled during a Delete Plugin action. | 4.3 |
| 2014-01-21 | CVE-2010-5294 | Cross-Site Scripting vulnerability in Wordpress Multiple cross-site scripting (XSS) vulnerabilities in the request_filesystem_credentials function in wp-admin/includes/file.php in WordPress before 3.0.2 allow remote servers to inject arbitrary web script or HTML by providing a crafted error message for a (1) FTP or (2) SSH connection attempt. | 4.3 |
| 2014-01-21 | CVE-2010-5293 | Permissions, Privileges, and Access Controls vulnerability in Wordpress wp-includes/comment.php in WordPress before 3.0.2 does not properly whitelist trackbacks and pingbacks in the blogroll, which allows remote attackers to bypass intended spam restrictions via a crafted URL, as demonstrated by a URL that triggers a substring match. | 5.8 |
| 2013-09-12 | CVE-2013-5739 | Cross-Site Scripting vulnerability in Wordpress The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php. | 3.5 |
| 2013-09-12 | CVE-2013-5738 | Improper Input Validation vulnerability in Wordpress The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file. | 4.3 |
| 2013-09-12 | CVE-2013-4340 | Permissions, Privileges, and Access Controls vulnerability in Wordpress wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter. | 3.5 |
| 2013-09-12 | CVE-2013-4339 | Improper Input Validation vulnerability in Wordpress WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string. | 7.5 |
| 2013-09-12 | CVE-2013-4338 | Code Injection vulnerability in Wordpress wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations. | 7.5 |
| 2013-07-19 | CVE-2012-3414 | Cross-Site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function. | 4.3 |