VYPR

WordPress

by WordPress

Source repositories

CVEs (377)

  • CVE-2016-5835 | High | Jun 29, 2016
    Risk 0.42 | CVSS 7.5 | EPSS 0.04

    WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php.

  • CVE-2016-5832 | High | Jun 29, 2016
    Risk 0.42 | CVSS 7.5 | EPSS 0.03

    The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors.

  • CVE-2016-6897 | Medium | Jan 18, 2017
    Risk 0.41 | CVSS 6.5 | EPSS 0.28

    Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to…

  • CVE-2016-2221 | High | May 22, 2016
    Risk 0.41 | CVSS 7.4 | EPSS 0.05

    Open redirect vulnerability in the wp_validate_redirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as…

  • CVE-2023-54358 | Medium | Apr 9, 2026
    Risk 0.40 | CVSS 6.1 | EPSS 0.00

    WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile…

  • CVE-2018-1000556 | Medium | Jun 26, 2018
    Risk 0.40 | CVSS 6.1 | EPSS 0.01

    WordPress version 4.8+ contains a Cross Site Scripting (XSS) vulnerability in plugins.php or core WordPress on the delete function, through which an attacker can perform client-side attacks ranging from stealing a cookie to code injection. This attack appears to be…

  • CVE-2017-5490 | Medium | Jan 15, 2017
    Risk 0.40 | CVSS 6.1 | EPSS 0.02

    Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to…

  • CVE-2017-5488 | Medium | Jan 15, 2017
    Risk 0.40 | CVSS 6.1 | EPSS 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) version header of a plugin.

  • CVE-2016-6634 | Medium | Aug 7, 2016
    Risk 0.40 | CVSS 6.1 | EPSS 0.03

    Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2023-2745 | Medium | May 17, 2023
    Risk 0.37 | CVSS 5.4 | EPSS 0.80

    WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation…

  • CVE-2017-8295 | Medium | May 4, 2017
    Risk 0.36 | CVSS 5.9 | EPSS 0.27

    WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be…

  • CVE-2021-47948 | Medium | May 10, 2026
    Risk 0.35 | CVSS 5.4 | EPSS 0.00

    WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text…

  • CVE-2023-5692 | Medium | Apr 5, 2024
    Risk 0.35 | CVSS 5.3 | EPSS 0.01

    WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set…

  • CVE-2017-6819 | Medium | Mar 12, 2017
    Risk 0.35 | CVSS 6.5 | EPSS 0.02

    In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This.

  • CVE-2017-5491 | Medium | Jan 15, 2017
    Risk 0.35 | CVSS 5.3 | EPSS 0.03

    wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name.

  • CVE-2006-6016 | Medium | Nov 21, 2006
    Risk 0.35 | CVSS 6.5 | EPSS 0.02

    wp-admin/user-edit.php in WordPress before 2.0.5 allows remote authenticated users to read the metadata of an arbitrary user via a modified user_id parameter.

  • CVE-2006-6017 | Medium | Nov 21, 2006
    Risk 0.35 | CVSS 6.5 | EPSS 0.02

    WordPress before 2.0.5 does not properly store a profile containing a string representation of a serialized object, which allows remote authenticated users to cause a denial of service (application crash) via a string that represents a (1) malformed or (2) large serialized…

  • CVE-2005-1688 | Medium | May 20, 2005
    Risk 0.35 | CVSS 5.3 | EPSS 0.02

    WordPress 1.5 and earlier allows remote attackers to obtain sensitive information via a direct request to files in (1) wp-content/themes/, (2) wp-includes/, or (3) wp-admin/, which reveal the path in an error message.

  • CVE-2016-7169 | Medium | Jan 5, 2017
    Risk 0.34 | CVSS 6.3 | EPSS 0.03

    Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter.

  • CVE-2024-32111 | Medium | Jun 25, 2024
    Risk 0.33 | CVSS 5.0 | EPSS 0.00

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal. This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from…

Page 3 of 19