VYPR

WordPress

by WordPress

CVEs (377)

  • CVE-2008-0193 (Jan 10, 2008)
    risk 0.03 | cvss n/a | epss 0.04

    Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress 2.0.11 and earlier, and possibly 2.1.x through 2.3.x, allows remote attackers to inject arbitrary web script or HTML via the backup parameter in a wp-db-backup.php action to wp-admin/edit.php.

  • CVE-2007-2821 (May 22, 2007)
    risk 0.03 | cvss n/a | epss 0.05

    SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter.

  • CVE-2006-0733 (Feb 16, 2006)
    risk 0.03 | cvss n/a | epss 0.05

    Cross-site scripting (XSS) vulnerability in WordPress 2.0.0 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes such as (1) onfocus and (2) onblur in the "author's website" field. NOTE: followup comments to the researcher's web log suggest…

  • CVE-2021-44223 (Nov 25, 2021)
    risk 0.02 | cvss n/a | epss 0.29

    WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the…

  • CVE-2019-17671 (Oct 17, 2019)
    risk 0.02 | cvss n/a | epss 0.36

    In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.

  • CVE-2023-22622 (Jan 5, 2023)
    risk 0.01 | cvss n/a | epss 0.02

    WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither…

  • CVE-2020-28032 (Oct 31, 2020)
    risk 0.01 | cvss n/a | epss 0.16

    WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.

  • CVE-2020-28037 (Oct 31, 2020)
    risk 0.01 | cvss n/a | epss 0.08

    is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old…

  • CVE-2020-28038 (Oct 31, 2020)
    risk 0.01 | cvss n/a | epss 0.03

    WordPress before 5.5.2 allows stored XSS via post slugs.

  • CVE-2020-28035 (Oct 31, 2020)
    risk 0.01 | cvss n/a | epss 0.04

    WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.

  • CVE-2018-14028 (High, Aug 10, 2018)
    risk 0.01 | cvss 7.2 | epss 0.18

    In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an…

  • CVE-2025-11154 (Oct 27, 2025)
    risk 0.00 | cvss n/a | epss 0.00

    The IDonate WordPress plugin before 2.1.13 does not have authorisation and CSRF when deleting users via an action handler, allowing unauthenticated attackers to delete arbitrary users.

  • CVE-2024-2643 (May 15, 2025)
    risk 0.00 | cvss n/a | epss 0.00

    The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.6.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting…

  • CVE-2024-12282 (May 15, 2025)
    risk 0.00 | cvss n/a | epss 0.00

    The WordPress连接微博 WordPress plugin through 2.5.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

  • CVE-2024-10388 (Nov 19, 2024)
    risk 0.00 | cvss n/a | epss 0.00

    The WordPress GDPR plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gdpr_firstname' and 'gdpr_lastname' parameters in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for…

  • CVE-2024-11069 (Nov 19, 2024)
    risk 0.00 | cvss n/a | epss 0.00

    The WordPress GDPR plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'WordPress_GDPR_Data_Delete::check_action' function in all versions up to, and including, 2.0.2. This makes it possible for unauthenticated attackers to…

  • CVE-2022-4973 (Oct 16, 2024)
    risk 0.00 | cvss n/a | epss 0.00

    WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary…

  • CVE-2024-4439 (May 3, 2024)
    risk 0.00 | cvss n/a | epss 0.71

    WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and…

  • CVE-2024-31211 (Apr 4, 2024)
    risk 0.00 | cvss n/a | epss 0.03

    WordPress is an open publishing platform for the Web. Unserialization of instances of the `WP_HTML_Token` class allows for code execution via its `__destruct()` magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected.

  • CVE-2024-31210 (Apr 4, 2024)
    risk 0.00 | cvss n/a | epss 0.01

    WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin screen in WordPress. If FTP credentials are requested for…

Page 7 of 19