wordpress vulnerabilities and exploits

4.3
CVSSv2
CVE-2008-0192

Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the popuptitle parameter to (1) wp-admin/post.php or (2) wp-admin/page-new.php....

Wordpress
4.3
CVSSv2
CVE-2019-16221

WordPress before 5.2.3 allows reflected XSS in the dashboard....

7.5
CVSSv2
CVE-2008-0194

Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a .. (dot dot) in the backup parameter in a wp-db-backup.php action to...

6.8
CVSSv2
CVE-2007-0107

WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using...

Wordpress
5.8
CVSSv2
CVE-2016-2221

Open redirect vulnerability in the wp_validate_redirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as...

Wordpress
6.8
CVSSv2
CVE-2007-1244

Cross-site request forgery (CSRF) vulnerability in the AdminPanel in WordPress 2.1.1 and earlier allows remote attackers to perform privileged actions as administrators, as demonstrated using the delete action in wp-admin/post.php. NOTE: this issue can be leveraged to perform...

Wordpress
5
CVSSv2
CVE-2014-6412

WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach....

4.3
CVSSv2
CVE-2010-5294

Multiple cross-site scripting (XSS) vulnerabilities in the request_filesystem_credentials function in wp-admin/includes/file.php in WordPress before 3.0.2 allow remote servers to inject arbitrary web script or HTML by providing a crafted error message for a (1) FTP or (2) SSH...

Wordpress
4.3
CVSSv2
CVE-2016-1564

Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php....

Wordpress
5
CVSSv2
CVE-2017-14722

Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename....