VYPR

WordPress

by WordPress


CVEs (377)

  • CVE-2015-5714 | severity: Med | May 22, 2016
    risk 0.33 | cvss 6.1 | epss 0.06

    Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the mishandling of unclosed HTML elements during processing of shortcode tags.

  • CVE-2025-58674 | severity: Med | Sep 23, 2025
    risk 0.31 | cvss 5.9 | epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. The WordPress core security team is aware of the issue and working on a fix. This is a low severity vulnerability that requires an attacker to have Author…

  • CVE-2017-17094 | severity: Med | Dec 2, 2017
    risk 0.28 | cvss 5.4 | epss 0.02

    wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.

  • CVE-2017-17093 | severity: Med | Dec 2, 2017
    risk 0.28 | cvss 5.4 | epss 0.02

    wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.

  • CVE-2017-17092 | severity: Med | Dec 2, 2017
    risk 0.28 | cvss 5.4 | epss 0.04

    wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file.

  • CVE-2017-14725 | severity: Med | Sep 23, 2017
    risk 0.28 | cvss 5.4 | epss 0.02

    Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php.

  • CVE-2017-6817 | severity: Med | Mar 12, 2017
    risk 0.28 | cvss 5.4 | epss 0.02

    In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.

  • CVE-2017-6814 | severity: Med | Mar 12, 2017
    risk 0.28 | cvss 5.4 | epss 0.03

    In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in…

  • CVE-2017-5610 | severity: Med | Jan 30, 2017
    risk 0.28 | cvss 5.3 | epss 0.05

    wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms.

  • CVE-2015-7989 | severity: Med | May 22, 2016
    risk 0.28 | cvss 5.4 | epss 0.02

    Cross-site scripting (XSS) vulnerability in the user list table in WordPress before 4.3.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted e-mail address, a different vulnerability than CVE-2015-5714.

  • CVE-2026-2519 | severity: Med | Apr 9, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to price manipulation via the 'tips' parameter in all versions up to, and including, 27.0. This is due to the plugin trusting a user-supplied input without server-side validation…

  • CVE-2017-6816 | severity: Med | Mar 12, 2017
    risk 0.25 | cvss 4.9 | epss 0.03

    In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality.

  • CVE-2016-9263 | severity: Med | Oct 12, 2017
    risk 0.24 | cvss 4.7 | epss 0.03

    WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file.

  • CVE-2016-7168 | severity: Med | Jan 5, 2017
    risk 0.24 | cvss 4.8 | epss 0.03

    Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted…

  • CVE-2026-3906 | severity: Med | Mar 11, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API…

  • CVE-2025-58246 | severity: Med | Sep 23, 2025
    risk 0.21 | cvss 4.3 | epss 0.00

    Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges…

  • CVE-2016-10148 | severity: Med | Jan 18, 2017
    risk 0.21 | cvss 4.3 | epss 0.02

    The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin…

  • CVE-2015-5715 | severity: Med | May 22, 2016
    risk 0.21 | cvss 4.3 | epss 0.06

    The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in the XMLRPC subsystem in WordPress before 4.3.1 allows remote authenticated users to bypass intended access restrictions, and arrange for a private post to be published and sticky, via unspecified vectors.

  • CVE-2025-54352 | severity: Low | Jul 21, 2025
    risk 0.17 | cvss 3.7 | epss 0.00

    WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior.

  • CVE-2019-8943 | severity: (not listed) | Feb 20, 2019
    risk 0.10 | cvss (not listed) | epss 0.92

    WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the…

Page 5 of 19