VYPR

WordPress

by WordPress

CVEs (377)

  • CVE-2018-10102 | Med | Apr 16, 2018
    risk 0.33 | cvss 6.1 | epss 0.05

    Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.

  • CVE-2018-10101 | Med | Apr 16, 2018
    risk 0.33 | cvss 6.1 | epss 0.03

    Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.

  • CVE-2018-10100 | Med | Apr 16, 2018
    risk 0.33 | cvss 6.1 | epss 0.03

    Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.

  • CVE-2018-5776 | Med | Jan 18, 2018
    risk 0.33 | cvss 6.1 | epss 0.02

    WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).

  • CVE-2017-14726 | Med | Sep 23, 2017
    risk 0.33 | cvss 6.1 | epss 0.03

    Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.

  • CVE-2017-14724 | Med | Sep 23, 2017
    risk 0.33 | cvss 6.1 | epss 0.03

    Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.

  • CVE-2017-14721 | Med | Sep 23, 2017
    risk 0.33 | cvss 6.1 | epss 0.02

    Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name.

  • CVE-2017-14720 | Med | Sep 23, 2017
    risk 0.33 | cvss 6.1 | epss 0.02

    Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name.

  • CVE-2017-14718 | Med | Sep 23, 2017
    risk 0.33 | cvss 6.1 | epss 0.02

    Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL.

  • CVE-2017-9063 | Med | May 18, 2017
    risk 0.33 | cvss 6.1 | epss 0.02

    In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session.

  • CVE-2017-9061 | Med | May 18, 2017
    risk 0.33 | cvss 6.1 | epss 0.02

    In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename.

  • CVE-2017-6818 | Med | Mar 12, 2017
    risk 0.33 | cvss 6.1 | epss 0.03

    In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names.

  • CVE-2017-6815 | Med | Mar 12, 2017
    risk 0.33 | cvss 6.1 | epss 0.03

    In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation.

  • CVE-2017-5612 | Med | Jan 30, 2017
    risk 0.33 | cvss 6.1 | epss 0.03

    Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt.

  • CVE-2016-5834 | Med | Jun 29, 2016
    risk 0.33 | cvss 6.1 | epss 0.02

    Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833.

  • CVE-2016-5833 | Med | Jun 29, 2016
    risk 0.33 | cvss 6.1 | epss 0.02

    Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than…

  • CVE-2016-4567 | Med | May 22, 2016
    risk 0.33 | cvss 6.1 | epss 0.06

    Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by…

  • CVE-2016-4566 | Med | May 22, 2016
    risk 0.33 | cvss 6.1 | epss 0.05

    Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack.

  • CVE-2016-1564 | Med | May 22, 2016
    risk 0.33 | cvss 6.1 | epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php.

  • CVE-2015-8834 | Med | May 22, 2016
    risk 0.33 | cvss 6.1 | epss 0.02

    Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. NOTE: this vulnerability…
