CVSS: 9.8EPSS: 27%CPEs: 1EXPL: 2CVE-2006-2667 – WordPress Core < 2.0.3 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2006-2667
30 May 2006 — Direct static code injection vulnerability in WordPress 2.0.2 and earlier allows remote attackers to execute arbitrary commands by inserting a carriage return and PHP code when updating a profile, which is appended after a special comment sequence into files in (1) wp-content/cache/userlogins/ (2) wp-content/cache/users/ which are later included by cache.php, as demonstrated using the displayname argument. • https://www.exploit-db.com/exploits/6 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 1%CPEs: 2EXPL: 1CVE-2007-5105 – WordPress Core < 2.0.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-5105
10 Mar 2006 — Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 and 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the user_email parameter. Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en wp-register.php en WordPress 2.0 y 2.0.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro user_email. • https://www.exploit-db.com/exploits/30602 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 14EXPL: 0CVE-2006-1263 – WordPress Core < 2.0.2 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2006-1263
10 Mar 2006 — Multiple "unannounced" cross-site scripting (XSS) vulnerabilities in WordPress before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors. • http://wordpress.org/development/2006/03/security-202 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 10EXPL: 1CVE-2006-0985 – WordPress Core <= 2.0.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2006-0985
03 Mar 2006 — Multiple cross-site scripting (XSS) vulnerabilities in the "post comment" functionality of WordPress 2.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) website, and (3) comment parameters. • http://NeoSecurityTeam.net/advisories/Advisory-17.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 2%CPEs: 10EXPL: 1CVE-2006-0986 – WordPress Core < 2.0.2 - Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2006-0986
03 Mar 2006 — WordPress 2.0.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) default-filters.php, (2) template-loader.php, (3) rss-functions.php, (4) locale.php, (5) wp-db.php, and (6) kses.php in the wp-includes/ directory; and (7) edit-form-advanced.php, (8) admin-functions.php, (9) edit-link-form.php, (10) edit-page-form.php, (11) admin-footer.php, and (12) menu.php in the wp-admin directory; and possibly (13) list directory contents of the wp-includes directory. NOTE: ... • http://NeoSecurityTeam.net/advisories/Advisory-17.txt • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 3CVE-2006-0733 – WordPress Core 2.0 - Comment Post HTML Injection
https://notcve.org/view.php?id=CVE-2006-0733
16 Feb 2006 — Cross-site scripting (XSS) vulnerability in WordPress 2.0.0 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes such as (1) onfocus and (2) onblur in the "author's website" field. NOTE: followup comments to the researcher's web log suggest that this issue is only exploitable by the same user who injects the XSS, so this might not be a vulnerability • https://www.exploit-db.com/exploits/27227 •
CVSS: 6.8EPSS: 0%CPEs: 17EXPL: 0CVE-2006-1796 – WordPress Core < 2.0.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2006-1796
31 Jan 2006 — Cross-site scripting (XSS) vulnerability in the paging links functionality in template-functions-links.php in Wordpress 1.5.2, and possibly other versions before 2.0.1, allows remote attackers to inject arbitrary web script or HTML to Internet Explorer users via the request URI ($_SERVER['REQUEST_URI']). • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328909 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2006-1012 – WordPress Core <= 1.5.2 - SQL Injection
https://notcve.org/view.php?id=CVE-2006-1012
31 Dec 2005 — SQL injection vulnerability in WordPress 1.5.2, and possibly other versions before 2.0, allows remote attackers to execute arbitrary SQL commands via the User-Agent field in an HTTP header for a comment. Vulnerabilidad de inyección de SQL en WordPress 1.5.2, y posiblemente otras versiones anteriores a 2.0, permite a atacantes remotos ejecutar órdenes SQL de su elección mediante el campo "User-Agent" en la cabecera HTTP de un comentario. • http://secunia.com/advisories/19109 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 1%CPEs: 9EXPL: 1CVE-2005-4463 – WordPress Core < 1.5.2 - Full Path Disclosure
https://notcve.org/view.php?id=CVE-2005-4463
21 Dec 2005 — WordPress before 1.5.2 allows remote attackers to obtain sensitive information via a direct request to (1) wp-includes/vars.php, (2) wp-content/plugins/hello.php, (3) wp-admin/upgrade-functions.php, (4) wp-admin/edit-form.php, (5) wp-settings.php, and (6) wp-admin/edit-form-comment.php, which leaks the path in an error message related to undefined functions or failed includes. NOTE: the wp-admin/menu-header.php vector is already covered by CVE-2005-2110. NOTE: the vars.php, edit-form.php, wp-settings.php, a... • http://NeoSecurityTeam.net/advisories/Advisory-17.txt • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 73%CPEs: 8EXPL: 3CVE-2005-2612 – WordPress Core < 1.5.2 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2005-2612
09 Aug 2005 — Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_lastpostdate[server] cookie. • https://packetstorm.news/files/id/131000 • CWE-94: Improper Control of Generation of Code ('Code Injection') •