WordPress
by WordPress
Source repositories
CVEs (377)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-5561 | 0.00 | — | 0.04 | Oct 16, 2023 | WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack | |||
| CVE-2023-39999 | 0.00 | — | 0.01 | Oct 13, 2023 | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5… | |||
| CVE-2022-43504 | 0.00 | — | 0.01 | Dec 5, 2022 | Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all… | |||
| CVE-2022-43497 | 0.00 | — | 0.01 | Dec 5, 2022 | Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7. | |||
| CVE-2022-43500 | 0.00 | — | 0.01 | Dec 5, 2022 | Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7. | |||
| CVE-2011-1762 | 0.00 | — | 0.01 | Apr 18, 2022 | A flaw exists in Wordpress related to the 'wp-admin/press-this.php 'script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'publish_posts' permission. | |||
| CVE-2022-0220 | 0.00 | — | 0.02 | Feb 1, 2022 | The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be… | |||
| CVE-2022-21662 | 0.00 | — | 0.63 | Jan 6, 2022 | WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users.… | |||
| CVE-2022-21663 | 0.00 | — | 0.04 | Jan 6, 2022 | WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in… | |||
| CVE-2022-21664 | 0.00 | — | 0.04 | Jan 6, 2022 | WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version… | |||
| CVE-2021-39203 | 0.00 | — | 0.01 | Sep 9, 2021 | WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain… | |||
| CVE-2021-39202 | 0.00 | — | 0.01 | Sep 9, 2021 | WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to… | |||
| CVE-2021-39201 | 0.00 | — | 0.01 | Sep 9, 2021 | WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions… | |||
| CVE-2021-39200 | 0.00 | — | 0.02 | Sep 9, 2021 | WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can then be used to… | |||
| CVE-2021-29450 | 0.00 | — | 0.02 | Apr 15, 2021 | Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions… | |||
| CVE-2020-28033 | 0.00 | — | 0.03 | Oct 31, 2020 | WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed. | |||
| CVE-2020-28034 | 0.00 | — | 0.02 | Oct 31, 2020 | WordPress before 5.5.2 allows XSS associated with global variables. | |||
| CVE-2020-28036 | 0.00 | — | 0.05 | Oct 31, 2020 | wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post. | |||
| CVE-2020-28040 | 0.00 | — | 0.01 | Oct 31, 2020 | WordPress before 5.5.2 allows CSRF attacks that change a theme's background image. | |||
| CVE-2020-28039 | 0.00 | — | 0.04 | Oct 31, 2020 | is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected. |
- CVE-2023-5561Oct 16, 2023risk 0.00cvss —epss 0.04
WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack
- CVE-2023-39999Oct 13, 2023risk 0.00cvss —epss 0.01
Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5…
- CVE-2022-43504Dec 5, 2022risk 0.00cvss —epss 0.01
Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all…
- CVE-2022-43497Dec 5, 2022risk 0.00cvss —epss 0.01
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
- CVE-2022-43500Dec 5, 2022risk 0.00cvss —epss 0.01
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
- CVE-2011-1762Apr 18, 2022risk 0.00cvss —epss 0.01
A flaw exists in Wordpress related to the 'wp-admin/press-this.php 'script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'publish_posts' permission.
- CVE-2022-0220Feb 1, 2022risk 0.00cvss —epss 0.02
The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be…
- CVE-2022-21662Jan 6, 2022risk 0.00cvss —epss 0.63
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users.…
- CVE-2022-21663Jan 6, 2022risk 0.00cvss —epss 0.04
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in…
- CVE-2022-21664Jan 6, 2022risk 0.00cvss —epss 0.04
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version…
- CVE-2021-39203Sep 9, 2021risk 0.00cvss —epss 0.01
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain…
- CVE-2021-39202Sep 9, 2021risk 0.00cvss —epss 0.01
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to…
- CVE-2021-39201Sep 9, 2021risk 0.00cvss —epss 0.01
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions…
- CVE-2021-39200Sep 9, 2021risk 0.00cvss —epss 0.02
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can then be used to…
- CVE-2021-29450Apr 15, 2021risk 0.00cvss —epss 0.02
Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions…
- CVE-2020-28033Oct 31, 2020risk 0.00cvss —epss 0.03
WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.
- CVE-2020-28034Oct 31, 2020risk 0.00cvss —epss 0.02
WordPress before 5.5.2 allows XSS associated with global variables.
- CVE-2020-28036Oct 31, 2020risk 0.00cvss —epss 0.05
wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.
- CVE-2020-28040Oct 31, 2020risk 0.00cvss —epss 0.01
WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.
- CVE-2020-28039Oct 31, 2020risk 0.00cvss —epss 0.04
is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.
Page 8 of 19