cpe:2.3:a:wordpress:wordpress:2.7.1:*:*:*:*:*:*:*
Cross-site scripting (XSS) vulnerability in wp-admin/press-this.php in WordPress before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML via the s parameter (aka the selection variable).
Max CVSS
3.5
EPSS Score
0.34%
Published
2009-11-17
Updated
2017-11-22
Unrestricted file upload vulnerability in the wp_check_filetype function in wp-includes/functions.php in WordPress before 2.8.6, when a certain configuration of the mod_mime module in the Apache HTTP Server is enabled, allows remote authenticated users to execute arbitrary code by posting an attachment with a multiple-extension filename, and then accessing this attachment via a direct request to a wp-content/uploads/ pathname, as demonstrated by a .php.jpg filename.
Max CVSS
6.0
EPSS Score
1.26%
Published
2009-11-17
Updated
2017-11-21
Algorithmic complexity vulnerability in wp-trackback.php in WordPress before 2.8.5 allows remote attackers to cause a denial of service (CPU consumption and server hang) via a long title parameter in conjunction with a charset parameter composed of many comma-separated "UTF-8" substrings, related to the mb_convert_encoding function in PHP.
Max CVSS
4.3
EPSS Score
3.36%
Published
2009-10-23
Updated
2017-11-21
Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additions via a direct request to (1) edit-comments.php, (2) edit-pages.php, (3) edit.php, (4) edit-category-form.php, (5) edit-link-category-form.php, (6) edit-tag-form.php, (7) export.php, (8) import.php, or (9) link-add.php in wp-admin/.
Max CVSS
6.4
EPSS Score
0.30%
Published
2009-08-18
Updated
2017-11-22
Wordpress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6) edit-link-form.php, (7) edit-page-form.php, and (8) edit-tag-form.php in wp-admin/.
Max CVSS
10.0
EPSS Score
1.39%
Published
2009-08-18
Updated
2017-11-16
Cross-site scripting (XSS) vulnerability in the administrator interface in WordPress before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via a comment author URL.
Max CVSS
4.3
EPSS Score
0.45%
Published
2009-08-18
Updated
2017-12-07
wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array.
Max CVSS
7.5
EPSS Score
92.66%
Published
2009-08-13
Updated
2017-11-22
WordPress and WordPress MU before 2.8.1 allow remote attackers to obtain sensitive information via a direct request to wp-settings.php, which reveals the installation path in an error message.
Max CVSS
5.0
EPSS Score
0.82%
Published
2009-07-10
Updated
2018-10-10
WordPress 2.7.1 places the username of a post's author in an HTML comment, which allows remote attackers to obtain sensitive information by reading the HTML source.
Max CVSS
5.0
EPSS Score
0.62%
Published
2009-07-10
Updated
2018-10-10
The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."
Max CVSS
5.0
EPSS Score
0.66%
Published
2009-07-10
Updated
2018-11-08

CVE-2009-2335

Public exploit
WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience."
Max CVSS
5.0
EPSS Score
96.95%
Published
2009-07-10
Updated
2018-11-08
wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify this file, as demonstrated by the (1) collapsing-archives/options.txt, (2) akismet/readme.txt, (3) related-ways-to-take-action/options.php, (4) wp-security-scan/securityscan.php, and (5) wp-ids/ids-admin.php files. NOTE: this can be leveraged for cross-site scripting (XSS) and denial of service.
Max CVSS
4.9
EPSS Score
18.27%
Published
2009-07-10
Updated
2018-10-10
12 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!