CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Wordpress » Wordpress » 2.3.3 : Security Vulnerabilities

Cpe Name:cpe:/a:wordpress:wordpress:2.3.3
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-16223 79 XSS 2019-09-11 2019-09-12
3.5
None Remote Medium Single system None Partial None
WordPress before 5.2.3 allows XSS in post previews by authenticated users.
2 CVE-2019-16222 79 XSS 2019-09-11 2019-09-12
4.3
None Remote Medium Not required None Partial None
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.
3 CVE-2019-16221 79 XSS 2019-09-11 2019-09-12
4.3
None Remote Medium Not required None Partial None
WordPress before 5.2.3 allows reflected XSS in the dashboard.
4 CVE-2019-16220 601 2019-09-11 2019-09-12
5.8
None Remote Medium Not required Partial Partial None
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect.
5 CVE-2019-16219 79 XSS 2019-09-11 2019-09-12
4.3
None Remote Medium Not required None Partial None
WordPress before 5.2.3 allows XSS in shortcode previews.
6 CVE-2019-16218 79 XSS 2019-09-11 2019-09-15
4.3
None Remote Medium Not required None Partial None
WordPress before 5.2.3 allows XSS in stored comments.
7 CVE-2019-16217 79 XSS 2019-09-11 2019-09-11
4.3
None Remote Medium Not required None Partial None
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.
8 CVE-2019-9787 352 Exec Code XSS CSRF 2019-03-14 2019-03-31
6.8
None Remote Medium Not required Partial Partial Partial
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.
9 CVE-2019-8942 94 Exec Code 2019-02-19 2019-04-25
6.5
None Remote Low Single system Partial Partial Partial
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.
10 CVE-2018-20153 79 XSS 2018-12-14 2019-01-04
3.5
None Remote Medium Single system None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.
11 CVE-2018-20152 20 Bypass 2018-12-14 2019-01-04
5.0
None Remote Low Not required None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input.
12 CVE-2018-20151 200 +Info 2018-12-14 2019-01-04
5.0
None Remote Low Not required Partial None None
In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default.
13 CVE-2018-20150 79 XSS 2018-12-14 2019-01-04
4.3
None Remote Medium Not required None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins.
14 CVE-2018-20149 79 XSS Bypass 2018-12-14 2019-01-04
3.5
None Remote Medium Single system None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.
15 CVE-2018-20148 502 2018-12-14 2019-01-04
7.5
None Remote Low Not required Partial Partial Partial
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.
16 CVE-2018-20147 287 Bypass 2018-12-14 2019-10-02
5.5
None Remote Low Single system None Partial Partial
In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.
17 CVE-2018-12895 22 Exec Code Dir. Trav. 2018-06-26 2018-08-20
6.5
None Remote Low Single system Partial Partial Partial
WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.
18 CVE-2018-10102 79 XSS 2018-04-16 2018-05-18
4.3
None Remote Medium Not required None Partial None
Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.
19 CVE-2018-10101 601 2018-04-16 2018-06-02
5.8
None Remote Medium Not required Partial Partial None
Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.
20 CVE-2018-10100 601 2018-04-16 2018-05-18
5.8
None Remote Medium Not required Partial Partial None
Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.
21 CVE-2018-5776 79 XSS 2018-01-18 2018-02-01
4.3
None Remote Medium Not required None Partial None
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).
22 CVE-2017-1000600 20 Exec Code 2018-09-06 2018-10-26
6.5
None Remote Low Single system Partial Partial Partial
WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. This issue appears to have been partially, but not completely fixed in WordPress 4.9
23 CVE-2014-6412 640 2018-04-12 2018-05-17
5.0
None Remote Low Not required Partial None None
WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.
24 CVE-2014-0166 287 2014-04-09 2017-12-15
6.4
None Remote Low Not required Partial Partial None
The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie.
25 CVE-2014-0165 264 2014-04-09 2017-12-15
4.0
None Remote Low Single system None Partial None
WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php.
26 CVE-2013-2205 79 XSS Bypass 2013-07-08 2016-12-30
4.3
None Remote Medium Not required None Partial None
The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site.
27 CVE-2013-2204 20 2013-07-08 2013-08-13
4.3
None Remote Medium Not required None Partial None
moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) character during extraction of the QUERY_STRING, which allows remote attackers to pass arbitrary parameters to a Flash application, and conduct content-spoofing attacks, via a crafted string after a ? (question mark) character.
28 CVE-2013-2203 264 +Info 2013-07-08 2013-09-10
4.3
None Remote Medium Not required Partial None None
WordPress before 3.5.2, when the uploads directory forbids write access, allows remote attackers to obtain sensitive information via an invalid upload request, which reveals the absolute path in an XMLHttpRequest error message.
29 CVE-2013-2202 200 +Info 2013-07-08 2013-10-07
4.3
None Remote Medium Not required Partial None None
WordPress before 3.5.2 allows remote attackers to read arbitrary files via an oEmbed XML provider response containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
30 CVE-2013-2201 79 XSS 2013-07-08 2013-09-10
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) uploads of media files, (2) editing of media files, (3) installation of plugins, (4) updates to plugins, (5) installation of themes, or (6) updates to themes.
31 CVE-2013-2200 264 Bypass 2013-07-08 2013-08-13
4.0
None Remote Low Single system None Partial None
WordPress before 3.5.2 does not properly check the capabilities of roles, which allows remote authenticated users to bypass intended restrictions on publishing and authorship reassignment via unspecified vectors.
32 CVE-2013-2199 264 2013-07-08 2013-08-13
4.3
None Remote Medium Not required None Partial None
The HTTP API in WordPress before 3.5.2 allows remote attackers to send HTTP requests to intranet servers via unspecified vectors, related to a Server-Side Request Forgery (SSRF) issue, a similar vulnerability to CVE-2013-0235.
33 CVE-2013-0237 79 XSS 2013-07-08 2013-07-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode plupload before 1.5.5, as used in WordPress before 3.5.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the id parameter.
34 CVE-2013-0236 79 XSS 2013-07-08 2013-07-08
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) gallery shortcodes or (2) the content of a post.
35 CVE-2013-0235 2013-07-08 2013-07-08
6.4
None Remote Low Not required Partial Partial None
The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue.
36 CVE-2012-4422 264 2012-09-14 2012-09-17
3.5
None Remote Medium Single system None Partial None
wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin changes by leveraging the Administrator role.
37 CVE-2012-4421 264 Bypass 2012-09-14 2012-09-17
4.0
None Remote Low Single system None Partial None
The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature.
38 CVE-2012-3385 264 +Info 2012-07-22 2012-07-23
5.0
None Remote Low Not required Partial None None
WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or contributors to obtain sensitive information via unknown vectors.
39 CVE-2012-3384 352 CSRF 2012-07-22 2012-08-09
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
40 CVE-2012-2404 79 XSS 2012-04-21 2017-12-18
4.3
None Remote Medium Not required None Partial None
wp-comments-post.php in WordPress before 3.3.2 supports offsite redirects, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
41 CVE-2012-2403 79 XSS 2012-04-21 2017-12-18
4.3
None Remote Medium Not required None Partial None
wp-includes/formatting.php in WordPress before 3.3.2 attempts to enable clickable links inside attributes, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.
42 CVE-2012-2402 264 Bypass 2012-04-21 2017-12-18
5.5
None Remote Low Single system None Partial Partial
wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspecified vectors.
43 CVE-2012-2401 264 Bypass 2012-04-21 2017-12-18
5.0
None Remote Low Not required None Partial None
Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content.
44 CVE-2012-2400 2012-04-21 2017-12-18
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown impact and attack vectors.
45 CVE-2012-2399 XSS 2012-04-21 2017-12-18
10.0
None Remote Low Not required Complete Complete Complete
Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a different vulnerability than CVE-2012-3414.
46 CVE-2012-1936 352 1 CSRF 2012-05-03 2017-12-13
6.8
None Remote Medium Not required Partial Partial Partial
** DISPUTED ** The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network, as demonstrated by attacks against the wp-admin/admin-ajax.php and wp-admin/user-new.php scripts. NOTE: the vendor reportedly disputes the significance of this issue because wp_create_nonce operates as intended, even if it is arguably inconsistent with certain CSRF protection details advocated by external organizations.
47 CVE-2012-0937 1 DoS 2012-01-30 2012-01-31
5.0
None Remote Low Not required None None Partial
** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which allows remote attackers to use WordPress as a proxy for brute-force attacks or denial of service attacks via the dbhost parameter, a different vulnerability than CVE-2011-4898. NOTE: the vendor disputes the significance of this issue because an incomplete WordPress installation might be present on the network for only a short time.
48 CVE-2012-0782 79 1 XSS 2012-01-30 2012-01-31
4.3
None Remote Medium Not required None Partial None
** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dbhost, (2) dbname, or (3) uname parameter. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether this specific XSS scenario has security relevance.
49 CVE-2011-4957 20 DoS 2012-06-27 2012-06-28
5.0
None Remote Low Not required None None Partial
The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls.
50 CVE-2011-4956 79 XSS 2012-06-27 2012-06-28
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Total number of vulnerabilities : 63   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.