Wordpress: >> Wordpress Security Vulnerabilities
importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress allows remote attackers to bypass authentication via a crafted integer in the step parameter.
CVSS Score
7.5
EPSS Score
0.003
Published
2013-04-02
importbuddy.php in the BackupBuddy plugin 2.2.25 for WordPress allows remote attackers to obtain configuration information via a step 0 phpinfo action, which calls the phpinfo function.
CVSS Score
5.0
EPSS Score
0.003
Published
2013-04-02
Cross-site scripting (XSS) vulnerability in the Terillion Reviews plugin before 1.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ProfileId field.
CVSS Score
4.3
EPSS Score
0.062
Published
2013-03-22
ajax.functions.php in the MailUp plugin before 1.3.2 for WordPress does not properly restrict access to unspecified Ajax functions, which allows remote attackers to modify plugin settings and conduct cross-site scripting (XSS) attacks via unspecified vectors related to "formData=save" requests, a different version than CVE-2013-0731.
CVSS Score
5.0
EPSS Score
0.004
Published
2013-03-22
ajax.functions.php in the MailUp plugin before 1.3.3 for WordPress does not properly restrict access to unspecified Ajax functions, which allows remote attackers to modify plugin settings and conduct cross-site scripting (XSS) attacks by setting the wordpress_logged_in cookie. NOTE: this is due to an incomplete fix for a similar issue that was fixed in 1.3.2.
CVSS Score
5.0
EPSS Score
0.006
Published
2013-03-22
Cross-site scripting (XSS) vulnerability in lazyest-backup.php in the Lazyest Backup plugin before 0.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xml_or_all parameter.
CVSS Score
4.3
EPSS Score
0.005
Published
2013-02-12
Cross-site scripting (XSS) vulnerability in cached_image.php in the Featurific For WordPress plugin 1.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the snum parameter. NOTE: this has been disputed by a third party.
CVSS Score
4.3
EPSS Score
0.061
Published
2013-02-12
Multiple cross-site scripting (XSS) vulnerabilities in the Classipress theme before 3.1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) twitter_id parameter related to the Twitter widget and (2) facebook_id parameter related to the Facebook widget.
CVSS Score
4.3
EPSS Score
0.042
Published
2013-02-12
Cross-site scripting (XSS) vulnerability in assets/player.swf in the Audio Player plugin before 2.0.4.6 for Wordpress allows remote attackers to inject arbitrary web script or HTML via the playerID parameter.
CVSS Score
4.3
EPSS Score
0.035
Published
2013-02-07
Cross-site scripting (XSS) vulnerability in the My Calendar plugin before 1.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
CVSS Score
2.6
EPSS Score
0.004
Published
2013-01-31