WordPress
by WordPress
Source repositories
CVEs (377)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-10102 | | Med | 0.33 | 6.1 | 0.05 | | Apr 16, 2018 | Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. |
| CVE-2018-10101 | | Med | 0.33 | 6.1 | 0.03 | | Apr 16, 2018 | Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. |
| CVE-2018-10100 | | Med | 0.33 | 6.1 | 0.03 | | Apr 16, 2018 | Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. |
| CVE-2018-5776 | | Med | 0.33 | 6.1 | 0.02 | | Jan 18, 2018 | WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). |
| CVE-2017-14726 | | Med | 0.33 | 6.1 | 0.03 | | Sep 23, 2017 | Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor. |
| CVE-2017-14724 | | Med | 0.33 | 6.1 | 0.03 | | Sep 23, 2017 | Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. |
| CVE-2017-14721 | | Med | 0.33 | 6.1 | 0.02 | | Sep 23, 2017 | Before version 4.8.2, WordPress allowed cross-site scripting in the plugin editor via a crafted plugin name. |
| CVE-2017-14720 | | Med | 0.33 | 6.1 | 0.02 | | Sep 23, 2017 | Before version 4.8.2, WordPress allowed a cross-site scripting attack in the template list view via a crafted template name. |
| CVE-2017-14718 | | Med | 0.33 | 6.1 | 0.02 | | Sep 23, 2017 | Before version 4.8.2, WordPress was susceptible to a cross-site scripting attack in the link modal via a javascript: or data: URL. |
| CVE-2017-9063 | | Med | 0.33 | 6.1 | 0.02 | | May 18, 2017 | In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session. |
| CVE-2017-9061 | | Med | 0.33 | 6.1 | 0.02 | | May 18, 2017 | In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename. |
| CVE-2017-6818 | | Med | 0.33 | 6.1 | 0.03 | | Mar 12, 2017 | In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. |
| CVE-2017-6815 | | Med | 0.33 | 6.1 | 0.03 | | Mar 12, 2017 | In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation. |
| CVE-2017-5612 | | Med | 0.33 | 6.1 | 0.03 | | Jan 30, 2017 | Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt. |
| CVE-2016-5834 | | Med | 0.33 | 6.1 | 0.02 | | Jun 29, 2016 | Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833. |
| CVE-2016-5833 | | Med | 0.33 | 6.1 | 0.02 | | Jun 29, 2016 | Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than… |
| CVE-2016-4567 | | Med | 0.33 | 6.1 | 0.06 | | May 22, 2016 | Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by… |
| CVE-2016-4566 | | Med | 0.33 | 6.1 | 0.05 | | May 22, 2016 | Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack. |
| CVE-2016-1564 | | Med | 0.33 | 6.1 | 0.03 | | May 22, 2016 | Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php. |
| CVE-2015-8834 | | Med | 0.33 | 6.1 | 0.02 | | May 22, 2016 | Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. NOTE: this vulnerability… |
Page 4 of 19