wordpress wordpress 3.8 vulnerabilities and exploits
NA
CVE-2023-7247
The Login as User or Customer WordPress plugin up to and including 3.8 does not prevent users from logging in as any other user on the site.
NA
CVE-2022-36417
Multiple stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerabilities in the 3D Tag Cloud plugin <= 3.8 for WordPress.
3d Tag Cloud Project 3d Tag Cloud
4.3
CVSSv2
CVE-2022-1560
The Amministrazione Aperta WordPress plugin prior to 3.8 does not validate the open parameter before using it in an include statement, leading to a Local File Inclusion issue. The original advisory mentions that unauthenticated users can exploit this, however the affected file ge...
Amministrazione Aperta Project Amministrazione Aperta
6.5
CVSSv2
CVE-2021-24747
The SEO Booster WordPress plugin prior to 3.8 allows for authenticated SQL injection via the "fn_my_ajaxified_dataloader_ajax" AJAX request as the $_REQUEST['order'][0]['dir'] parameter is not properly escaped leading to blind and error-based SQL inj...
Cleverplugins Seo Booster
6.5
CVSSv2
CVE-2021-24253
The Classyfrieds WordPress plugin up to and including 3.8 does not properly check the uploaded file when an authenticated user adds a listing, only checking the content-type in the request. This allows any authenticated user to upload arbitrary PHP files via the Add Listing featu...
3.5
CVSSv2
CVE-2018-20153
In WordPress prior to 4.9.9 and 5.x prior to 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.
Wordpress Wordpress
Debian Debian Linux 8.0
Debian Debian Linux 9.0
1 Github repository
3.5
CVSSv2
CVE-2018-20149
In WordPress prior to 4.9.9 and 5.x prior to 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.
Wordpress Wordpress
Debian Debian Linux 9.0
Debian Debian Linux 8.0
5
CVSSv2
CVE-2018-20151
In WordPress prior to 4.9.9 and 5.x prior to 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was...
Wordpress Wordpress
Debian Debian Linux 9.0
Debian Debian Linux 8.0
5.5
CVSSv2
CVE-2018-20147
In WordPress prior to 4.9.9 and 5.x prior to 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.
Wordpress Wordpress
Debian Debian Linux 9.0
Debian Debian Linux 8.0
7.5
CVSSv2
CVE-2018-20148
In WordPress prior to 4.9.9 and 5.x prior to 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-i...
Wordpress Wordpress
Debian Debian Linux 8.0
Debian Debian Linux 9.0
2 Github repositories