WordPress
by WordPress
CVEs (377)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-17674 | WordPress / WordPress |  | 0.00 | — | 0.02 |  | Oct 17, 2019 | WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer. |
| CVE-2019-17669 | WordPress / WordPress |  | 0.00 | — | 0.05 |  | Oct 17, 2019 | WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters. |
| CVE-2019-17670 | WordPress / WordPress |  | 0.00 | — | 0.05 |  | Oct 17, 2019 | WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs. |
| CVE-2019-16217 | WordPress / WordPress |  | 0.00 | — | 0.02 |  | Sep 11, 2019 | WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. |
| CVE-2019-16219 | WordPress / WordPress |  | 0.00 | — | 0.02 |  | Sep 11, 2019 | WordPress before 5.2.3 allows XSS in shortcode previews. |
| CVE-2019-16221 | WordPress / WordPress |  | 0.00 | — | 0.02 |  | Sep 11, 2019 | WordPress before 5.2.3 allows reflected XSS in the dashboard. |
| CVE-2019-16222 | WordPress / WordPress |  | 0.00 | — | 0.02 |  | Sep 11, 2019 | WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks. |
| CVE-2019-16223 | WordPress / WordPress |  | 0.00 | — | 0.05 |  | Sep 11, 2019 | WordPress before 5.2.3 allows XSS in post previews by authenticated users. |
| CVE-2019-16220 | WordPress / WordPress |  | 0.00 | — | 0.03 |  | Sep 11, 2019 | In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash. |
| CVE-2019-16218 | WordPress / WordPress |  | 0.00 | — | 0.02 |  | Sep 11, 2019 | WordPress before 5.2.3 allows XSS in stored comments. |
| CVE-2017-6514 | WordPress / WordPress |  | 0.00 | — | 0.03 |  | May 22, 2019 | WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring. |
| CVE-2019-9787 | WordPress / WordPress |  | 0.00 | — | 0.44 |  | Mar 14, 2019 | WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed… |
| CVE-2018-20151 | WordPress / WordPress |  | 0.00 | — | 0.07 |  | Dec 14, 2018 | In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by… |
| CVE-2018-20153 | WordPress / WordPress |  | 0.00 | — | 0.02 |  | Dec 14, 2018 | In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. |
| CVE-2018-20148 | WordPress / WordPress |  | 0.00 | — | 0.31 |  | Dec 14, 2018 | In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in… |
| CVE-2018-20150 | WordPress / WordPress |  | 0.00 | — | 0.05 |  | Dec 14, 2018 | In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. |
| CVE-2018-20147 | WordPress / WordPress |  | 0.00 | — | 0.04 |  | Dec 14, 2018 | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files. |
| CVE-2018-20149 | WordPress / WordPress |  | 0.00 | — | 0.03 |  | Dec 14, 2018 | In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data. |
| CVE-2018-20152 | WordPress / WordPress |  | 0.00 | — | 0.04 |  | Dec 14, 2018 | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. |
| CVE-2015-5734 | WordPress / WordPress |  | 0.00 | — | 0.07 |  | Nov 9, 2015 | Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a crafted string. |
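The CVE-2019-16220 row describes a redirect validator that could be bypassed when the parsed path does not begin with a forward slash. The following is an added illustration of that bug class; it is not content from this page and not WordPress's own wp_validate_redirect code, and it is written in Python rather than PHP. It contrasts a validator that treats every host-less parse result as site-relative with one that also insists that a relative target be a bare absolute path. The allow-listed host blog.example and the sample inputs are constructed for this example.

```python
"""Open-redirect validation: a naive check that trusts the URL parser's
"no host" result, beside a stricter one that also requires relative targets
to start with exactly one '/'. Illustration only, not WordPress code."""
from urllib.parse import urlsplit

# Assumed site host for this example (constructed, not from the page).
ALLOWED_HOSTS = {"blog.example"}


def naive_validate_redirect(location: str, default: str = "/") -> str:
    """Vulnerable pattern: anything the parser reports without a netloc is
    treated as a same-site relative URL and passed through untouched."""
    parts = urlsplit(location)
    if not parts.netloc:
        # 'http:evil.com' parses as scheme='http', netloc='', path='evil.com',
        # so it is waved through here even though a browser will follow a
        # Location header of 'http:evil.com' to http://evil.com/.
        return location
    if parts.hostname in ALLOWED_HOSTS:
        return location
    return default


def strict_validate_redirect(location: str, default: str = "/") -> str:
    """Hardened pattern: relative targets must be a bare absolute path
    (no scheme, no authority, path starting with a single '/'), absolute
    targets must be http(s) to an allow-listed host, and characters that
    browsers normalise differently from the parser are rejected outright."""
    # Backslashes and control characters: browsers treat '/\\evil.com' like
    # '//evil.com' and strip some control bytes, so the parser's view of the
    # string would not match what the client actually requests.
    if any(c == "\\" or ord(c) < 0x20 or c == "\x7f" for c in location):
        return default

    parts = urlsplit(location)

    if not parts.netloc:
        # Reject 'http:evil.com', 'javascript:alert(1)' (scheme but no host),
        # paths that do not start with '/', and protocol-relative '//...'.
        if parts.scheme:
            return default
        if not parts.path.startswith("/") or parts.path.startswith("//"):
            return default
        return location

    if parts.scheme not in ("http", "https"):
        return default
    if parts.hostname not in ALLOWED_HOSTS:
        # Also catches 'https://blog.example@evil.com/' (hostname is evil.com)
        # and 'https://blog.example.evil.com/' (not an exact allow-list hit).
        return default
    return location


if __name__ == "__main__":
    for target in ("http:evil.com", "/wp-admin/", "//evil.com/",
                   "/\\evil.com", "https://blog.example/x", "javascript:alert(1)"):
        print(f"{target!r:32} naive={naive_validate_redirect(target)!r:26} "
              f"strict={strict_validate_redirect(target)!r}")
```

The key check is the one the CVE text points at: when the parser returns no host, the only safe relative form is a path beginning with a single `/`. Both Python's `urlsplit` and PHP's `parse_url` report `http:evil.com` as a scheme plus a host-less path, whereas browsers apply the WHATWG special-scheme rules and resolve it to `http://evil.com/`, so a validator that treats "no host" as "same site" turns that parser disagreement into an open redirect.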
Page 10 of 19