Vulnerabilities > Wordpress > Wordpress > 3.0
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2012-04-21 | CVE-2012-2401 | Permissions, Privileges, and Access Controls vulnerability in multiple products Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content. | 5.0 |
| 2012-04-21 | CVE-2012-2400 | Remote vulnerability in WordPress Unspecified vulnerability in wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown impact and attack vectors. | 10.0 |
| 2012-04-21 | CVE-2012-2399 | Remote vulnerability in WordPress Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a different vulnerability than CVE-2012-3414. | 10.0 |
| 2011-03-14 | CVE-2011-0701 | Information Exposure vulnerability in Wordpress wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2) private posts via a modified attachment_id parameter. | 4.0 |
| 2011-03-14 | CVE-2011-0700 | Cross-Site Scripting vulnerability in Wordpress Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or post_title), (2) post_status, (3) comment_status, (4) ping_status, and (5) escaping of tags within the tags meta box. | 3.5 |
| 2011-01-03 | CVE-2010-4536 | Cross-Site Scripting vulnerability in Wordpress Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used in WordPress before 3.0.4, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the & (ampersand) character, (2) the case of an attribute name, (3) a padded entity, and (4) an entity that is not in normalized form. | 4.3 |
| 2010-12-07 | CVE-2010-4257 | SQL Injection vulnerability in Wordpress SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field. | 6.0 |