VYPR

WordPress

by WordPress

Source repositories

CVEs (377)

  • CVE-2017-14719 | High | Sep 23, 2017
    risk 0.50 | CVSS 7.5 | EPSS 0.13

    Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components.

  • CVE-2017-9064 | High | May 18, 2017
    risk 0.50 | CVSS 8.8 | EPSS 0.02

    In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials.

  • CVE-2017-5489 | High | Jan 15, 2017
    risk 0.50 | CVSS 8.8 | EPSS 0.01

    Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload.

  • CVE-2017-14722 | High | Sep 23, 2017
    risk 0.49 | CVSS 7.5 | EPSS 0.08

    Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename.

  • CVE-2017-9066 | High | May 18, 2017
    risk 0.49 | CVSS 8.6 | EPSS 0.04

    In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF.

  • CVE-2017-9062 | High | May 18, 2017
    risk 0.49 | CVSS 8.6 | EPSS 0.02

    In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API.

  • CVE-2017-5493 | High | Jan 15, 2017
    risk 0.49 | CVSS 7.5 | EPSS 0.03

    wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.

  • CVE-2014-6412 | High | Apr 12, 2018
    risk 0.46 | CVSS 8.1 | EPSS 0.05

    WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.

  • CVE-2017-5487 | Medium | Jan 15, 2017
    risk 0.44 | CVSS 5.3 | EPSS 0.87

    wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.

  • CVE-2026-5717 | Medium | Apr 15, 2026
    risk 0.42 | CVSS 6.4 | EPSS 0.00

    The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_container' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on…

  • CVE-2026-5506 | Medium | Apr 8, 2026
    risk 0.42 | CVSS 6.4 | EPSS 0.00

    The Wavr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wave` shortcode in all versions up to, and including, 0.2.6. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for…

  • CVE-2024-31111 | Medium | Jun 25, 2024
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS. This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from…

  • CVE-2024-6307 | Medium | Jun 25, 2024
    risk 0.42 | CVSS 6.4 | EPSS 0.00

    WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to…

  • CVE-2012-6707 | High | Oct 19, 2017
    risk 0.42 | CVSS 7.5 | EPSS 0.01

    WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as…

  • CVE-2017-14990 | Medium | Oct 3, 2017
    risk 0.42 | CVSS 6.5 | EPSS 0.02

    WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access…

  • CVE-2017-9065 | High | May 18, 2017
    risk 0.42 | CVSS 7.5 | EPSS 0.04

    In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API.

  • CVE-2016-5839 | High | Jun 29, 2016
    risk 0.42 | CVSS 7.5 | EPSS 0.03

    WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors.

  • CVE-2016-5838 | High | Jun 29, 2016
    risk 0.42 | CVSS 7.5 | EPSS 0.03

    WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie.

  • CVE-2016-5837 | High | Jun 29, 2016
    risk 0.42 | CVSS 7.5 | EPSS 0.04

    WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors.

  • CVE-2016-5836 | High | Jun 29, 2016
    risk 0.42 | CVSS 7.5 | EPSS 0.04

    The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors.
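The "weak MD5-based password hashing" in the CVE-2012-6707 entry refers to the phpass "portable" scheme (hashes beginning with `$P$B`): one MD5 of salt and password followed by 8192 further MD5 rounds, a cost that is trivial on a GPU (hashcat mode 400 targets it). The following Python reimplementation is an added example for this listing, not WordPress or phpass code; it exists so that a reader can see exactly what the `$P$` format encodes and how cheap a guess is. The salt bytes in the test are fixed only so the output is reproducible.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# phpass' custom alphabet; the character after "$P$" is an index into it and
# encodes log2 of the iteration count ('B' is index 13, so 2**13 == 8192 rounds).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
WP_COUNT_LOG2 = 13  # produces the "$P$B" prefix seen in WordPress wp_users rows


def _encode64(raw: bytes) -> str:
    """phpass' unpadded base64 variant: 6 salt bytes -> 8 chars, 16 hash bytes -> 22 chars."""
    out, i, n = [], 0, len(raw)
    while i < n:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def _crypt_private(password: bytes, setting: str) -> str:
    """Core of the portable hash: md5(salt||pw), then 2**k rounds of md5(prev||pw)."""
    if not setting.startswith("$P$") or len(setting) < 12:
        raise ValueError("not a phpass portable setting")
    count_log2 = ITOA64.index(setting[3])  # raises ValueError on a foreign character
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode("ascii")
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest)


def hash_password(password: str, count_log2: int = WP_COUNT_LOG2,
                  salt_bytes: Optional[bytes] = None) -> str:
    """Produce a 34-character "$P$" hash; salt_bytes is only for reproducible tests."""
    if salt_bytes is None:
        salt_bytes = os.urandom(6)
    if len(salt_bytes) != 6:
        raise ValueError("phpass salts are 6 random bytes")
    setting = "$P$" + ITOA64[count_log2] + _encode64(salt_bytes)
    return _crypt_private(password.encode("utf-8"), setting)


def check_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a recomputed hash against the stored one."""
    if len(stored) != 34 or not stored.startswith("$P$"):
        return False
    try:
        computed = _crypt_private(password.encode("utf-8"), stored[:12])
    except ValueError:
        return False
    return hmac.compare_digest(computed, stored)


def iteration_count(stored: str) -> int:
    """How many extra MD5 rounds a stored hash demands per guess."""
    return 1 << ITOA64.index(stored[3])


def guesses_per_second(stored: str, guesses: int = 20) -> float:
    """Rough single-core Python guess rate; a GPU cracker is orders of magnitude faster."""
    start = time.perf_counter()
    for i in range(guesses):
        _crypt_private(b"candidate%d" % i, stored[:12])
    return guesses / (time.perf_counter() - start)
```

The point of `iteration_count` is that the work factor is fixed in the hash itself and capped at `2**30`; with the `$P$B` parameter every guess costs 8192 MD5 calls and nothing more, which is why a leaked `wp_users` table with these hashes should be treated as recoverable rather than protected.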
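The CVE-2017-9066 entry above describes an SSRF caused by insufficient validation of redirect targets in the HTTP client: a first URL that passes a safety check can 302 to a loopback, link-local or RFC 1918 address that the client then fetches. The Python below is an added example written for this listing, not WordPress code, and it makes no claim about how core's `WP_Http` class implements the fix; it shows the general shape of the defence (validate every hop, not just the first) against a constructed in-memory "server" and a static name table that stand in for the network and DNS. The `fetch` function's `validate_redirects=False` path models the vulnerable behaviour for comparison.

```python
import ipaddress
from typing import Callable, Dict, NamedTuple, Optional, Tuple
from urllib.parse import urljoin, urlsplit

Resolver = Callable[[str], Optional[str]]

# Constructed fixtures (no real hosts are contacted): responses keyed by URL,
# and a fake resolver. 169.254.169.254 is the usual cloud metadata address.
FIXTURE: Dict[str, Tuple[int, Dict[str, str], str]] = {
    "https://example.org/ok": (200, {}, "fine"),
    "https://example.org/hop": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, ""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, "ami-id\ninstance-id\n"),
    "https://example.org/relative": (302, {"Location": "/ok"}, ""),
}
FAKE_DNS: Dict[str, str] = {"example.org": "93.184.216.34", "intranet.corp": "10.0.0.5"}


def fake_resolver(host: str) -> Optional[str]:
    return FAKE_DNS.get(host.lower())


def validate_url(url: str, resolve: Resolver) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise the reason it was refused.

    Rejects non-HTTP schemes, embedded credentials, unusual ports, and any host
    whose literal or resolved address is not globally routable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme is not http(s)"
    if not parts.hostname:
        return "missing host"
    if parts.username is not None or parts.password is not None:
        return "credentials embedded in URL"
    try:
        port = parts.port
    except ValueError:
        return "invalid port"
    if port not in (None, 80, 443):
        return "non-standard port"
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        resolved = resolve(parts.hostname)
        if resolved is None:
            return "host does not resolve"
        ip = ipaddress.ip_address(resolved)
    # is_global is False for loopback, link-local, private, multicast and reserved ranges.
    if not ip.is_global:
        return f"host resolves to non-public address {ip}"
    return None


class FetchResult(NamedTuple):
    final_url: str
    status: Optional[int]
    body: str
    refused: Optional[str]  # None when the fetch completed


def fetch(url: str, validate_redirects: bool, resolve: Resolver = fake_resolver,
          max_redirects: int = 5) -> FetchResult:
    """Follow redirects against FIXTURE. With validate_redirects=False only the
    initial URL is checked, which is the vulnerable pattern; with True each
    Location target is re-validated before it is requested."""
    reason = validate_url(url, resolve)
    if reason:
        return FetchResult(url, None, "", reason)
    for _ in range(max_redirects + 1):
        status, headers, body = FIXTURE.get(url, (404, {}, ""))
        if status not in (301, 302, 303, 307, 308):
            return FetchResult(url, status, body, None)
        url = urljoin(url, headers.get("Location", ""))
        if validate_redirects:
            reason = validate_url(url, resolve)
            if reason:
                return FetchResult(url, None, "", reason)
    return FetchResult(url, None, "", "too many redirects")
```

Two caveats a practitioner would add: validation that resolves a name and then lets the HTTP library resolve it again is open to DNS rebinding, so production code should connect to the address it validated; and an allow-list of ports is a policy choice, so widen it deliberately rather than by default.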

Page 2 of 19