Bitnami package

wordpress-multisite

pkg:bitnami/wordpress-multisite

Vulnerabilities (64)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-3906	Med	4.3	>= 6.9.0, < 6.9.2	6.9.2	Mar 11, 2026	WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permi
CVE-2025-58674	Med	5.9	< 6.8.3	6.8.3	Sep 23, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author
CVE-2025-58246	Med	4.3	< 6.8.3	6.8.3	Sep 23, 2025	Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges require
CVE-2023-23814	Low	3.8	< 1.4.15	1.4.15	Dec 9, 2024	Missing Authorization vulnerability in CodePeople CP Multi View Event Calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CP Multi View Event Calendar : from n/a through 1.4.13.
CVE-2024-12028	Med	5.3	< 3.2.2	3.2.2	Dec 6, 2024	The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to send arbitrary friend requests on behalf of a
CVE-2022-4973		—	< 3.6.2	3.6.2	Oct 16, 2024	WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary
CVE-2024-8665		—	< 1.7.4	1.7.4	Sep 13, 2024	The YITH Custom Login plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary
CVE-2024-43337		—	< 0.7.1	0.7.1	Aug 26, 2024	Cross-Site Request Forgery (CSRF) vulnerability in Brave Brave Popup Builder.This issue affects Brave Popup Builder: from n/a through 0.7.0.
CVE-2024-32111	Med	5.0	>= 4.1.0, < 4.1.41	4.1.41	Jun 25, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6
CVE-2024-31111	Med	6.5	>= 5.9.0, < 5.9.10	5.9.10	Jun 25, 2024	Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6
CVE-2024-6307	Med	6.4	>= 5.9.0, < 5.9.10	5.9.10	Jun 25, 2024	WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inje
CVE-2024-3992		—	< 3.3.2	3.3.2	Jun 14, 2024	The Amen WordPress plugin through 3.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2024-35655	Med	5.9	< 0.7.0	0.7.0	Jun 4, 2024	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brave Brave brave-popup-builder allows DOM-Based XSS.This issue affects Brave: from n/a through <= 0.6.9.
CVE-2023-28492	Med	4.3	< 1.4.11	1.4.11	Jun 3, 2024	Missing Authorization vulnerability in CodePeople CP Multi View Event Calendar allows Functionality Misuse.This issue affects CP Multi View Event Calendar: from n/a through 1.4.10.
CVE-2024-3756		—	< 1.2.2	1.2.2	May 6, 2024	The MF Gig Calendar WordPress plugin through 1.2.1 does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF attack
CVE-2024-3755		—	< 1.2.2	1.2.2	May 6, 2024	The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multis
CVE-2024-4439		—	>= 6.0.0, < 6.0.8	6.0.8	May 3, 2024	WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and ab
CVE-2023-5692	Med	5.3	< 6.5.0	6.5.0	Apr 5, 2024	WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set
CVE-2024-31211		—	>= 6.4.0, < 6.4.2	6.4.2	Apr 4, 2024	WordPress is an open publishing platform for the Web. Unserialization of instances of the `WP_HTML_Token` class allows for code execution via its `__destruct()` magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected.
CVE-2024-31210		—	< 4.1.40	4.1.40	Apr 4, 2024	WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin screen in WordPress. If FTP credentials are requested for installati

CVE-2026-3906MedMar 11, 2026
affected >= 6.9.0, < 6.9.2fixed 6.9.2
WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permi
CVE-2025-58674MedSep 23, 2025
affected < 6.8.3fixed 6.8.3
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author
CVE-2025-58246MedSep 23, 2025
affected < 6.8.3fixed 6.8.3
Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges require
CVE-2023-23814LowDec 9, 2024
affected < 1.4.15fixed 1.4.15
Missing Authorization vulnerability in CodePeople CP Multi View Event Calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CP Multi View Event Calendar : from n/a through 1.4.13.
CVE-2024-12028MedDec 6, 2024
affected < 3.2.2fixed 3.2.2
The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to send arbitrary friend requests on behalf of a
CVE-2022-4973Oct 16, 2024
affected < 3.6.2fixed 3.6.2
WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary
CVE-2024-8665Sep 13, 2024
affected < 1.7.4fixed 1.7.4
The YITH Custom Login plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary
CVE-2024-43337Aug 26, 2024
affected < 0.7.1fixed 0.7.1
Cross-Site Request Forgery (CSRF) vulnerability in Brave Brave Popup Builder.This issue affects Brave Popup Builder: from n/a through 0.7.0.
CVE-2024-32111MedJun 25, 2024
affected >= 4.1.0, < 4.1.41fixed 4.1.41
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6
CVE-2024-31111MedJun 25, 2024
affected >= 5.9.0, < 5.9.10fixed 5.9.10
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6
CVE-2024-6307MedJun 25, 2024
affected >= 5.9.0, < 5.9.10fixed 5.9.10
WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inje
CVE-2024-3992Jun 14, 2024
affected < 3.3.2fixed 3.3.2
The Amen WordPress plugin through 3.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2024-35655MedJun 4, 2024
affected < 0.7.0fixed 0.7.0
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brave Brave brave-popup-builder allows DOM-Based XSS.This issue affects Brave: from n/a through <= 0.6.9.
CVE-2023-28492MedJun 3, 2024
affected < 1.4.11fixed 1.4.11
Missing Authorization vulnerability in CodePeople CP Multi View Event Calendar allows Functionality Misuse.This issue affects CP Multi View Event Calendar: from n/a through 1.4.10.
CVE-2024-3756May 6, 2024
affected < 1.2.2fixed 1.2.2
The MF Gig Calendar WordPress plugin through 1.2.1 does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF attack
CVE-2024-3755May 6, 2024
affected < 1.2.2fixed 1.2.2
The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multis
CVE-2024-4439May 3, 2024
affected >= 6.0.0, < 6.0.8fixed 6.0.8
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and ab
CVE-2023-5692MedApr 5, 2024
affected < 6.5.0fixed 6.5.0
WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set
CVE-2024-31211Apr 4, 2024
affected >= 6.4.0, < 6.4.2fixed 6.4.2
WordPress is an open publishing platform for the Web. Unserialization of instances of the `WP_HTML_Token` class allows for code execution via its `__destruct()` magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected.
CVE-2024-31210Apr 4, 2024
affected < 4.1.40fixed 4.1.40
WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin screen in WordPress. If FTP credentials are requested for installati

Page 1 of 4