Vulmon Recent Vulnerabilities Product List Research Posts Trends Blog About Contact

wordpress vulnerabilities and exploits

(subscribe to this query)
6.4
CVSSv2

CVE-2013-0235

The XMLRPC API in WordPress prior to 3.5.1 allows remote malicious users to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue.
Wordpress WordpressWordpress Wordpress 0.71Wordpress Wordpress 1.0Wordpress Wordpress 1.0.1Wordpress Wordpress 1.0.2Wordpress Wordpress 1.1.1Wordpress Wordpress 1.2Wordpress Wordpress 1.2.1Wordpress Wordpress 1.2.2Wordpress Wordpress 1.2.3Wordpress Wordpress 1.2.4Wordpress Wordpress 1.2.5
4.3
CVSSv2

CVE-2013-0236

Multiple cross-site scripting (XSS) vulnerabilities in WordPress prior to 3.5.1 allow remote malicious users to inject arbitrary web script or HTML via vectors involving (1) gallery shortcodes or (2) the content of a post.
Wordpress WordpressWordpress Wordpress 0.71Wordpress Wordpress 1.0Wordpress Wordpress 1.0.1Wordpress Wordpress 1.0.2Wordpress Wordpress 1.1.1Wordpress Wordpress 1.2Wordpress Wordpress 1.2.1Wordpress Wordpress 1.2.2Wordpress Wordpress 1.2.3Wordpress Wordpress 1.2.4Wordpress Wordpress 1.2.5
10
CVSSv2

CVE-2009-2853

Wordpress prior to 2.8.3 allows remote malicious users to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6) edit-link-form.php, (7) edit-page-form.p...
Wordpress Wordpress 0.71Wordpress Wordpress 0.72Wordpress Wordpress 0.711Wordpress Wordpress 1.0Wordpress Wordpress 1.0.1Wordpress Wordpress 1.2Wordpress Wordpress 1.2.1Wordpress Wordpress 1.2.2Wordpress Wordpress 1.5Wordpress Wordpress 1.5.1Wordpress Wordpress 1.5.1.3Wordpress Wordpress 1.5.2
5.8
CVSSv2

CVE-2010-5293

wp-includes/comment.php in WordPress prior to 3.0.2 does not properly whitelist trackbacks and pingbacks in the blogroll, which allows remote malicious users to bypass intended spam restrictions via a crafted URL, as demonstrated by a URL that triggers a substring match.
Wordpress WordpressWordpress Wordpress 2.0Wordpress Wordpress 2.0.1Wordpress Wordpress 2.0.2Wordpress Wordpress 2.0.4Wordpress Wordpress 2.0.5Wordpress Wordpress 2.0.6Wordpress Wordpress 2.0.7Wordpress Wordpress 2.0.8Wordpress Wordpress 2.0.9Wordpress Wordpress 2.0.10Wordpress Wordpress 2.0.11
4.3
CVSSv2

CVE-2010-5294

Multiple cross-site scripting (XSS) vulnerabilities in the request_filesystem_credentials function in wp-admin/includes/file.php in WordPress prior to 3.0.2 allow remote servers to inject arbitrary web script or HTML by providing a crafted error message for a (1) FTP or (2) SSH c...
Wordpress WordpressWordpress Wordpress 2.0Wordpress Wordpress 2.0.1Wordpress Wordpress 2.0.2Wordpress Wordpress 2.0.4Wordpress Wordpress 2.0.5Wordpress Wordpress 2.0.6Wordpress Wordpress 2.0.7Wordpress Wordpress 2.0.8Wordpress Wordpress 2.0.9Wordpress Wordpress 2.0.10Wordpress Wordpress 2.0.11
4.3
CVSSv2

CVE-2010-5295

Cross-site scripting (XSS) vulnerability in wp-admin/plugins.php in WordPress prior to 3.0.2 might allow remote malicious users to inject arbitrary web script or HTML via a plugin's author field, which is not properly handled during a Delete Plugin action.
Wordpress WordpressWordpress Wordpress 2.0Wordpress Wordpress 2.0.1Wordpress Wordpress 2.0.2Wordpress Wordpress 2.0.4Wordpress Wordpress 2.0.5Wordpress Wordpress 2.0.6Wordpress Wordpress 2.0.7Wordpress Wordpress 2.0.8Wordpress Wordpress 2.0.9Wordpress Wordpress 2.0.10Wordpress Wordpress 2.0.11
4.9
CVSSv2

CVE-2010-5296

wp-includes/capabilities.php in WordPress prior to 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action.
Wordpress WordpressWordpress Wordpress 2.0Wordpress Wordpress 2.0.1Wordpress Wordpress 2.0.2Wordpress Wordpress 2.0.4Wordpress Wordpress 2.0.5Wordpress Wordpress 2.0.6Wordpress Wordpress 2.0.7Wordpress Wordpress 2.0.8Wordpress Wordpress 2.0.9Wordpress Wordpress 2.0.10Wordpress Wordpress 2.0.11
7.5
CVSSv2

CVE-2008-2146

wp-includes/vars.php in Wordpress prior to 2.2.3 does not properly extract the current path from the PATH_INFO ($PHP_SELF), which allows remote malicious users to bypass intended access restrictions for certain pages.
Wordpress WordpressWordpress Wordpress 0.6.2Wordpress Wordpress 0.6.2.1Wordpress Wordpress 0.7Wordpress Wordpress 0.71Wordpress Wordpress 0.711Wordpress Wordpress 1.0Wordpress Wordpress 1.0.1Wordpress Wordpress 1.0.2Wordpress Wordpress 1.2Wordpress Wordpress 1.2.1Wordpress Wordpress 1.2.2
4.9
CVSSv2

CVE-2009-2334

wp-admin/admin.php in WordPress and WordPress MU prior to 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote malicious users to specify a configuration file in the page parameter to obtain sensitive information or mod...
Wordpress WordpressWordpress Wordpress 0.6.2Wordpress Wordpress 0.6.2.1Wordpress Wordpress 0.7Wordpress Wordpress 0.71Wordpress Wordpress 0.71-goldWordpress Wordpress 0.72Wordpress Wordpress 0.711Wordpress Wordpress 1.0Wordpress Wordpress 1.0-platinumWordpress Wordpress 1.0.1Wordpress Wordpress 1.0.1-miles
5
CVSSv2

CVE-2009-2432

WordPress and WordPress MU prior to 2.8.1 allow remote malicious users to obtain sensitive information via a direct request to wp-settings.php, which reveals the installation path in an error message.
Wordpress WordpressWordpress Wordpress 0.6.2Wordpress Wordpress 0.6.2.1Wordpress Wordpress 0.7Wordpress Wordpress 0.71Wordpress Wordpress 0.71-goldWordpress Wordpress 0.72Wordpress Wordpress 0.711Wordpress Wordpress 1.0Wordpress Wordpress 1.0-platinumWordpress Wordpress 1.0.1Wordpress Wordpress 1.0.1-miles
Preferred Score:
CVSSv3
CVSSv2
CVSSv3
CVSSv4
EPSS
VMScore
Recommendations:
path traversalCVE-2025-2657CVE-2025-30066CVE-2025-24813apache commons vfsCVE-2025-2478validationCVE-2025-2674code injectionmedical card generation systemmicrosoft edge (chromium-based)CVE-2025-2688cicadascms
Home
/
Search Results
Vulmon Logo Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook