Application: WordPress
Affected Version: version 2.0.7 and other versions.
Vendor’s URL: WP-RecentComments Plugin
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, SQL Injection

Application: Drupal
Affected Version: versions prior to 6.23 and versions prior to 7.11.
Vendor’s URL: Drupal
Bug Type: Security Bypass
Risk Level: Critical

Solution:
Update to the latest version.

Access Bypass, Content Management

Application: WordPress
Affected Version: version 1.1.4 and prior versions.
Vendor’s URL: Magn Drag and Drop Upload Plugin
Bug Type: File Upload
Risk Level: Critical

Solution:
Update to version 1.2.0.

Content Management, File Inclusion

Application: Joomla!
Affected Version: version 2.7.13a and other versions.
Vendor’s URL: DT Register Component
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Filter malicious characters and character sequences using a proxy.

Content Management, SQL Injection

Application: WordPress
Affected Version: version 3.2 and other versions.
Vendor’s URL: SB Uploader Plugin
Bug Type: File Upload
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly verified.

Content Management, File Inclusion

Application: WordPress
Affected Version: version 2.0.5 and other versions.
Vendor’s URL: Absolute Privacy Plugin
Bug Type: Security Bypass
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly verified.

Access Bypass, Content Management

Application: Drupal
Affected Version: versions prior to 7.x-1.2.
Vendor’s URL: Faster Permissions Module
Bug Type: Security Bypass
Risk Level:

Solution:
Update to version 7.x-1.2.

Access Bypass, Content Management

Application: WordPress
Affected Version: version 0.14 and prior versions.
Vendor’s URL: Relocate Upload Plugin
Bug Type: File Inclusion
Risk Level: Critical

Solution:
Update to version 0.20.

Content Management, File Inclusion

Application: Drupal
Affected Version: versions 7.x-1.6 and prior.
Vendor’s URL: Finder Module
Bug Type: Cross Site Scripting and system bypass
Risk Level: Critical

Solution:
The script insertion vulnerabilities are fixed in version 7.x-2.0-alpha8. Edit the source code to ensure that input is properly sanitised.

Access Bypass, Content Management, Cross Site Scripting

Application: ImpressCMS
Affected Version: version 1.3 Final and prior versions.
Vendor’s URL: ImpressCMS
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Update to version 1.2.7 Final or 1.3.1 Final.

Content Management, Cross Site Scripting

Application: Joomla!
Affected Version: version 1.3.5 and other versions.
Vendor’s URL: Simple File Upload Module
Bug Type: File Upload
Risk Level: Critical

Solution:
Restrict access to the upload folder (e.g. via .htaccess).

Content Management, File Inclusion

Application: Joomla!
Affected Version: version 1.9.3 and other versions.
Vendor’s URL: JE Story Submit Component
Bug Type: File Upload
Risk Level: Critical

Solution:
Restrict access to the upload folder (e.g. via .htaccess).

Content Management, File Inclusion

Application: WordPress
Affected Version: version 1.2 and other versions.
Vendor’s URL: Kish Guest Posting Plugin
Bug Type: File Upload
Risk Level: Critical

Solution:
Restrict access to wp-content/plugins/kish-guest-posting/uploadify/scripts/uploadify.php (e.g. via .htaccess).

Content Management, File Inclusion

Application: WordPress
Affected Version: version 0.7 and other versions
Vendor’s URL: Theme Tuner Plugin
Bug Type: File Inclusion
Risk Level: Critical

Solution:
Update to version 0.8.

Content Management, File Inclusion

Application: WordPress
Affected Version: version 1.1.8 and prior versions.
Vendor’s URL: AllWebMenus Plugin
Bug Type: File Upload
Risk Level: Critical

Solution:
Update to version 1.1.9.

Content Management, File Inclusion

Application: WordPress
Affected Version: versions prior to 3.8.7.6.
Vendor’s URL: WP e-Commerce
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 3.8.7.6.

Content Management, SQL Injection

Application: WordPress
Affected Version: version 1.0.09 and other versions.
Vendor’s URL: uCan Post Plugin
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, Cross Site Scripting

Application: WordPress
Affected Version: versions prior to 1.9.1.
Vendor’s URL: NextGEN Gallery Plugin
Bug Type: Input Sanitisation
Risk Level: Critical

Solution:
Update to version 1.9.1.

Content Management

Application: WordPress
Affected Version: version 1.0.8.1 and other versions.
Vendor’s URL: myEASYbackup Plugin
Bug Type: File Disclosure
Risk Level: Critical

Solution:
Update to version 1.0.9.

Content Management, Information Disclosure

Application: phpMyDirectory
Affected Version: version 1.3.3 and other versions.
Vendor’s URL: phpMyDirectory
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Filter malicious characters and character sequences using a proxy.

General Purpose Directories, SQL Injection