CVE-2003-1598
- EPSS 2.9%
- Veröffentlicht 01.10.2014 14:55:08
- Zuletzt bearbeitet 06.05.2026 22:30:45
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.
CVE-2014-5240
- EPSS 2.2%
- Veröffentlicht 18.08.2014 11:15:27
- Zuletzt bearbeitet 06.05.2026 22:30:45
Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a cr...
- EPSS 3.09%
- Veröffentlicht 18.08.2014 11:15:27
- Zuletzt bearbeitet 06.05.2026 22:30:45
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of...
- EPSS 24.39%
- Veröffentlicht 18.08.2014 11:15:27
- Zuletzt bearbeitet 06.05.2026 22:30:45
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption...
CVE-2014-5203
- EPSS 3.89%
- Veröffentlicht 18.08.2014 11:15:26
- Zuletzt bearbeitet 06.05.2026 22:30:45
wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to execute arbitrary code via crafted serialized data.
CVE-2014-5204
- EPSS 1.85%
- Veröffentlicht 18.08.2014 11:15:26
- Zuletzt bearbeitet 06.05.2026 22:30:45
wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a b...
CVE-2014-5205
- EPSS 1.83%
- Veröffentlicht 18.08.2014 11:15:26
- Zuletzt bearbeitet 06.05.2026 22:30:45
wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack...
CVE-2014-2053
- EPSS 4.68%
- Veröffentlicht 04.06.2014 14:55:03
- Zuletzt bearbeitet 06.05.2026 22:30:45
getID3() before 1.9.8, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
CVE-2014-0166
- EPSS 8.93%
- Veröffentlicht 10.04.2014 00:55:09
- Zuletzt bearbeitet 06.05.2026 22:30:45
The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a f...
- EPSS 2.37%
- Veröffentlicht 10.04.2014 00:55:06
- Zuletzt bearbeitet 06.05.2026 22:30:45
WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php.