Bitnami package

wordpress-multisite

pkg:bitnami/wordpress-multisite

Vulnerabilities (64)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2024-30453	Med	5.4	< 0.6.6	0.6.6	Mar 29, 2024	Server-Side Request Forgery (SSRF) vulnerability in Brave Brave Popup Builder.This issue affects Brave Popup Builder: from n/a through 0.6.5.
CVE-2023-51474	Hig	8.8	< 2.0.4	2.0.4	Mar 16, 2024	Cross-Site Request Forgery (CSRF) vulnerability in Pixelemu TerraClassifieds.This issue affects TerraClassifieds: from n/a through 2.0.3.
CVE-2023-5561		—	>= 4.7.0, < 4.7.27	4.7.27	Oct 16, 2023	WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack
CVE-2023-39999		—	>= 4.1.0, < 4.1.39	4.1.39	Oct 13, 2023	Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through
CVE-2023-38000		—	>= 5.9.0, < 5.9.8	5.9.8	Oct 13, 2023	Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions.
CVE-2023-2745	Med	5.4	< 4.1.38	4.1.38	May 17, 2023	WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file on
CVE-2023-22622		—	< 6.1.2	6.1.2	Jan 5, 2023	WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the
CVE-2022-3590		—	>= 4.1.0, < 4.1.1	4.1.1	Dec 14, 2022	WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2022-43504		—	< 3.7.40	3.7.40	Dec 5, 2022	Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versio
CVE-2022-43500		—	< 3.7.40	3.7.40	Dec 5, 2022	Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
CVE-2022-43497		—	< 3.7.40	3.7.40	Dec 5, 2022	Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
CVE-2022-21662		—	< 5.8.3	5.8.3	Jan 6, 2022	WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. Th
CVE-2022-21663		—	< 5.8.3	5.8.3	Jan 6, 2022	WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPr
CVE-2022-21664		—	< 5.8.3	5.8.3	Jan 6, 2022	WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3
CVE-2022-21661		—	>= 3.7.0, < 3.7.37	3.7.37	Jan 6, 2022	WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patc
CVE-2021-44223		—	< 5.8.0	5.8.0	Nov 25, 2021	WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPr
CVE-2021-39203		—	>= 5.8-beta1.0, <= 5.8-beta1.0	—	Sep 9, 2021	WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain c
CVE-2021-39202		—	>= 5.8-beta1.0, <= 5.8-beta1.0	—	Sep 9, 2021	WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to store
CVE-2021-39201		—	>= 5.0.0, < 5.8.0	5.8.0	Sep 9, 2021	WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions im
CVE-2021-39200		—	>= 5.2.0, < 5.8.1	5.8.1	Sep 9, 2021	WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can then be used to p

CVE-2024-30453MedMar 29, 2024
affected < 0.6.6fixed 0.6.6
Server-Side Request Forgery (SSRF) vulnerability in Brave Brave Popup Builder.This issue affects Brave Popup Builder: from n/a through 0.6.5.
CVE-2023-51474HigMar 16, 2024
affected < 2.0.4fixed 2.0.4
Cross-Site Request Forgery (CSRF) vulnerability in Pixelemu TerraClassifieds.This issue affects TerraClassifieds: from n/a through 2.0.3.
CVE-2023-5561Oct 16, 2023
affected >= 4.7.0, < 4.7.27fixed 4.7.27
WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack
CVE-2023-39999Oct 13, 2023
affected >= 4.1.0, < 4.1.39fixed 4.1.39
Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through
CVE-2023-38000Oct 13, 2023
affected >= 5.9.0, < 5.9.8fixed 5.9.8
Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions.
CVE-2023-2745MedMay 17, 2023
affected < 4.1.38fixed 4.1.38
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file on
CVE-2023-22622Jan 5, 2023
affected < 6.1.2fixed 6.1.2
WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the
CVE-2022-3590Dec 14, 2022
affected >= 4.1.0, < 4.1.1fixed 4.1.1
WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2022-43504Dec 5, 2022
affected < 3.7.40fixed 3.7.40
Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versio
CVE-2022-43500Dec 5, 2022
affected < 3.7.40fixed 3.7.40
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
CVE-2022-43497Dec 5, 2022
affected < 3.7.40fixed 3.7.40
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
CVE-2022-21662Jan 6, 2022
affected < 5.8.3fixed 5.8.3
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. Th
CVE-2022-21663Jan 6, 2022
affected < 5.8.3fixed 5.8.3
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPr
CVE-2022-21664Jan 6, 2022
affected < 5.8.3fixed 5.8.3
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3
CVE-2022-21661Jan 6, 2022
affected >= 3.7.0, < 3.7.37fixed 3.7.37
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patc
CVE-2021-44223Nov 25, 2021
affected < 5.8.0fixed 5.8.0
WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPr
CVE-2021-39203Sep 9, 2021
affected >= 5.8-beta1.0, <= 5.8-beta1.0
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain c
CVE-2021-39202Sep 9, 2021
affected >= 5.8-beta1.0, <= 5.8-beta1.0
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to store
CVE-2021-39201Sep 9, 2021
affected >= 5.0.0, < 5.8.0fixed 5.8.0
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions im
CVE-2021-39200Sep 9, 2021
affected >= 5.2.0, < 5.8.1fixed 5.8.1
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can then be used to p

Page 2 of 4