Wordpress: >> Wordpress >> 2.8.1 Security Vulnerabilities
Cross-site scripting (XSS) vulnerability in the administrator interface in WordPress before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via a comment author URL.
CVSS Score
4.3
EPSS Score
0.024
Published
2009-08-18
WP-Syntax plugin 0.9.1 and earlier for Wordpress, with register_globals enabled, allows remote attackers to execute arbitrary PHP code via the test_filter[wp_head] array parameter to test/index.php, which is used in a call to the call_user_func_array function.
CVSS Score
6.8
EPSS Score
0.03
Published
2009-08-18
Wordpress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6) edit-link-form.php, (7) edit-page-form.php, and (8) edit-tag-form.php in wp-admin/.
CVSS Score
10.0
EPSS Score
0.014
Published
2009-08-18
Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additions via a direct request to (1) edit-comments.php, (2) edit-pages.php, (3) edit.php, (4) edit-category-form.php, (5) edit-link-category-form.php, (6) edit-tag-form.php, (7) export.php, (8) import.php, or (9) link-add.php in wp-admin/.
CVSS Score
6.4
EPSS Score
0.013
Published
2009-08-18
wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array.
CVSS Score
7.5
EPSS Score
0.687
Published
2009-08-13
PHP remote file inclusion vulnerability in template/album.php in DM Albums 1.9.2, as used standalone or as a WordPress plugin, allows remote attackers to execute arbitrary PHP code via a URL in the SECURITY_FILE parameter.
CVSS Score
9.3
EPSS Score
0.019
Published
2009-07-09
SQL injection vulnerability in BTE_RW_webajax.php in the Related Sites plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the guid parameter.
CVSS Score
7.5
EPSS Score
0.005
Published
2009-07-08
PHP remote file inclusion vulnerability in firestats-wordpress.php in the FireStats plugin before 1.6.2-stable for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the fs_javascript parameter.
CVSS Score
7.5
EPSS Score
0.012
Published
2009-06-22
SQL injection vulnerability in the FireStats plugin before 1.6.2-stable for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVSS Score
7.5
EPSS Score
0.006
Published
2009-06-22
SQL injection vulnerability in viewimg.php in the Paolo Palmonari Photoracer plugin 1.0 for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVSS Score
7.5
EPSS Score
0.01
Published
2009-06-19