Page 52 of 272 results (0.007 seconds)

CVSS: 2.6EPSS: 0%CPEs: 1EXPL: 3

Cross-site scripting (XSS) vulnerability in WordPress 2.0.0 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes such as (1) onfocus and (2) onblur in the "author's website" field. NOTE: followup comments to the researcher's web log suggest that this issue is only exploitable by the same user who injects the XSS, so this might not be a vulnerability • https://www.exploit-db.com/exploits/27227 http://myimei.com/security/2006-02-15/wordpress200autors-websitexss-attack.html http://www.securityfocus.com/archive/1/425043/100/0/threaded http://www.securityfocus.com/bid/16656 https://exchange.xforce.ibmcloud.com/vulnerabilities/24736 •

CVSS: 6.8EPSS: 0%CPEs: 17EXPL: 0

Cross-site scripting (XSS) vulnerability in the paging links functionality in template-functions-links.php in Wordpress 1.5.2, and possibly other versions before 2.0.1, allows remote attackers to inject arbitrary web script or HTML to Internet Explorer users via the request URI ($_SERVER['REQUEST_URI']). • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328909 http://trac.wordpress.org/ticket/1686 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

SQL injection vulnerability in WordPress 1.5.2, and possibly other versions before 2.0, allows remote attackers to execute arbitrary SQL commands via the User-Agent field in an HTTP header for a comment. Vulnerabilidad de inyección de SQL en WordPress 1.5.2, y posiblemente otras versiones anteriores a 2.0, permite a atacantes remotos ejecutar órdenes SQL de su elección mediante el campo "User-Agent" en la cabecera HTTP de un comentario. • http://secunia.com/advisories/19109 http://secunia.com/advisories/19123 http://www.gentoo.org/security/en/glsa/glsa-200603-01.xml http://www.securityfocus.com/bid/16950 https://exchange.xforce.ibmcloud.com/vulnerabilities/25321 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 5.3EPSS: 0%CPEs: 9EXPL: 1

WordPress before 1.5.2 allows remote attackers to obtain sensitive information via a direct request to (1) wp-includes/vars.php, (2) wp-content/plugins/hello.php, (3) wp-admin/upgrade-functions.php, (4) wp-admin/edit-form.php, (5) wp-settings.php, and (6) wp-admin/edit-form-comment.php, which leaks the path in an error message related to undefined functions or failed includes. NOTE: the wp-admin/menu-header.php vector is already covered by CVE-2005-2110. NOTE: the vars.php, edit-form.php, wp-settings.php, and edit-form-comment.php vectors were also reported to affect WordPress 2.0.1. • http://NeoSecurityTeam.net/advisories/Advisory-17.txt http://echo.or.id/adv/adv24-theday-2005.txt http://securityreason.com/securityalert/286 http://www.securityfocus.com/archive/1/419994/100/0/threaded http://www.securityfocus.com/archive/1/419999/100/0/threaded http://www.securityfocus.com/archive/1/426304/100/0/threaded • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 8.8EPSS: 8%CPEs: 8EXPL: 2

Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_lastpostdate[server] cookie. • https://www.exploit-db.com/exploits/16895 http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0234.html http://secunia.com/advisories/16386 - • CWE-94: Improper Control of Generation of Code ('Code Injection') •