WordPress — свободно распространяемая система управления содержимым сайта с открытым исходным кодом.

The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not properly assign the unfiltered_html capability, which allows remote authenticated users to bypass intended access restrictions and conduct cross-site scripting (XSS) attacks by leveraging the Administrator or Editor role and composing crafted text.

WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or contributors to obtain sensitive information via unknown vectors.

Multiple unspecified vulnerabilities in the Zingiri Web Shop plugin before 2.4.0 for WordPress have unknown impact and attack vectors.

Unrestricted file upload vulnerability in font-upload.php in the Font Uploader plugin 1.2.4 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a PHP file with a .php.ttf extension, then accessing it via a direct request to the file in font-uploader/fonts.

The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls.

The make_clickable function in wp-includes/formatting.php in WordPress ...

Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 all ...

The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls.

Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.