Export limit exceeded: 12852 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12852 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2016-4029 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-12 | 8.6 High |
| WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address. | ||||
| CVE-2014-0166 | 1 Wordpress | 1 Wordpress | 2025-04-12 | N/A |
| The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. | ||||
| CVE-2013-2706 | 2 Rodrigo Polo, Wordpress | 2 Stream Video Player, Wordpress | 2025-04-12 | N/A |
| Cross-site request forgery (CSRF) vulnerability in the Stream Video Player plugin 1.4.0 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors. | ||||
| CVE-2016-1564 | 1 Wordpress | 1 Wordpress | 2025-04-12 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php. | ||||
| CVE-2014-5240 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL. | ||||
| CVE-2014-5205 | 1 Wordpress | 1 Wordpress | 2025-04-12 | N/A |
| wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. | ||||
| CVE-2015-5622 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.php. | ||||
| CVE-2016-5833 | 1 Wordpress | 1 Wordpress | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834. | ||||
| CVE-2016-5837 | 1 Wordpress | 1 Wordpress | 2025-04-12 | N/A |
| WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors. | ||||
| CVE-2014-2316 | 2 Wordpress, Zemanta | 2 Wordpress, Search Everything | 2025-04-12 | N/A |
| SQL injection vulnerability in se_search_default in the Search Everything plugin before 7.0.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the s parameter to index.php. NOTE: some of these details are obtained from third party information. | ||||
| CVE-2016-7169 | 1 Wordpress | 1 Wordpress | 2025-04-12 | N/A |
| Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter. | ||||
| CVE-2014-9031 | 1 Wordpress | 1 Wordpress | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the wptexturize function in WordPress before 3.7.5, 3.8.x before 3.8.5, and 3.9.x before 3.9.3 allows remote attackers to inject arbitrary web script or HTML via crafted use of shortcode brackets in a text field, as demonstrated by a comment or a post. | ||||
| CVE-2014-4600 | 2 Wordpress, Wp Ultimate Email Marketer Project | 2 Wordpress, Wp Ultimate Email Marketer | 2025-04-12 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in contact/edit.php in the WP Ultimate Email Marketer plugin 1.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) listname or (2) contact parameter. | ||||
| CVE-2014-4603 | 2 Wordpress, Yahoo\! Updates For Wordpress Plugin Project | 2 Wordpress, Yahoo\! Updates For Wordpress Plugin | 2025-04-12 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in yupdates_application.php in the Yahoo! Updates for WordPress plugin 1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) secret, (2) key, or (3) appid parameter. | ||||
| CVE-2015-8834 | 1 Wordpress | 1 Wordpress | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3440. | ||||
| CVE-2014-4529 | 2 Flash Photo Gallery Project, Wordpress | 2 Flash Photo Gallery, Wordpress | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in fpg_preview.php in the Flash Photo Gallery plugin 0.7 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the path parameter. | ||||
| CVE-2014-5265 | 3 Debian, Drupal, Wordpress | 3 Debian Linux, Drupal, Wordpress | 2025-04-12 | N/A |
| The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. | ||||
| CVE-2014-5203 | 1 Wordpress | 1 Wordpress | 2025-04-12 | N/A |
| wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to execute arbitrary code via crafted serialized data. | ||||
| CVE-2014-3845 | 2 Tinymce, Wordpress | 2 Color Picker, Wordpress | 2025-04-12 | N/A |
| Cross-site request forgery (CSRF) vulnerability in the TinyMCE Color Picker plugin before 1.2 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that change plugin settings via unknown vectors. NOTE: some of these details are obtained from third party information. | ||||
| CVE-2014-5266 | 3 Debian, Drupal, Wordpress | 3 Debian Linux, Drupal, Wordpress | 2025-04-12 | N/A |
| The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265. | ||||