| Field | Value |
|---|---|
| purl | pkg:deb/debian/wordpress@4.1%2Bdfsg-1 |
| Next non-vulnerable version | 6.8.3+dfsg1-0+deb13u1 |
| Latest non-vulnerable version | 6.8.3+dfsg1-0+deb13u1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-14aw-pv9d-ekhs (Aliases: CVE-2020-28037) | multiple issues | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-14q3-c99q-bffg (Aliases: CVE-2015-7989) | Cross-site scripting (XSS) vulnerability in the user list table in WordPress before 4.3.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted e-mail address, a different vulnerability than CVE-2015-5714. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-16xh-7w1r-hba3 (Aliases: CVE-2016-5839) | WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-17qe-nccb-sfag (Aliases: CVE-2019-16220) | In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash. | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-19ps-rfnj-ebc2 (Aliases: CVE-2019-17671) | In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled. | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-1a4f-z6ee-ybbb (Aliases: CVE-2016-5834) | Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-1a8p-u6dd-byde (Aliases: CVE-2016-5833) | Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834. | Affected by 92 other vulnerabilities. |
| VCID-1ckk-y6u5-2bg7 (Aliases: CVE-2017-14723) | Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
| VCID-1jjh-thmp-8qd6 (Aliases: CVE-2025-58246) | Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges are required in order to exploit it. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30. | Affected by 2 other vulnerabilities. |
| VCID-2brj-ncs1-y7du (Aliases: CVE-2021-29447) | WordPress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires the WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled. | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-2d1x-n1xx-abdy (Aliases: CVE-2020-28040) | multiple issues | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-2dfn-gmsk-nfdc (Aliases: CVE-2015-2213) | SQL injection vulnerability in the wp_untrash_post_comments function in wp-includes/post.php in WordPress before 4.2.4 allows remote attackers to execute arbitrary SQL commands via a comment that is mishandled after retrieval from the trash. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-2jjz-wjg4-abf6 (Aliases: CVE-2020-4046) | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). | Affected by 7 other vulnerabilities. |
| VCID-2ymb-ujfy-bqac (Aliases: CVE-2018-10101) | Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. | Affected by 63 other vulnerabilities. |
| VCID-2ynn-67cx-1bax (Aliases: CVE-2023-2745) | WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could also be used to perform a Cross-Site Scripting attack. | Affected by 7 other vulnerabilities. |
| VCID-2yqy-vpeh-z3ev (Aliases: CVE-2017-14719) | Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
| VCID-3ntn-sayw-3ufc (Aliases: CVE-2015-3438) | Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 4.1.2, when MySQL is used without strict mode, allow remote attackers to inject arbitrary web script or HTML via a (1) four-byte UTF-8 character or (2) invalid character that reaches the database layer, as demonstrated by a crafted character in a comment. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-3rqn-c28j-3kf7 (Aliases: CVE-2020-11026) | In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-43dd-pzfc-t7ad (Aliases: CVE-2017-1001000) | The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI. | Affected by 92 other vulnerabilities. |
| VCID-44dc-pe8q-d7gr (Aliases: CVE-2016-6635) | Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers to hijack the authentication of administrators for requests that change the script compression option. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-45r4-tvap-93hq (Aliases: CVE-2021-29476, GHSA-52qp-jpq7-6c54) | Deserialization of Untrusted Data. Requests is an HTTP library written in PHP. Requests mishandles deserialization in FilteredIterator. The issue has been patched and users of `Requests` 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0. | Affected by 7 other vulnerabilities. |
| VCID-46vm-86cp-5bd9 (Aliases: CVE-2017-14724) | Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. | Affected by 63 other vulnerabilities. |
| VCID-4fxg-z4ve-tug6 (Aliases: CVE-2020-11030) | In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | Affected by 7 other vulnerabilities. |
| VCID-4j2n-v8e2-n3d6 (Aliases: CVE-2017-5492) | multiple issues | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-4jwg-pg54-d7hr (Aliases: CVE-2017-1000600) | WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited; however, this has not been confirmed at this time. This issue appears to have been partially, but not completely, fixed in WordPress 4.9. | Affected by 63 other vulnerabilities. |
| VCID-4nvv-b487-y7e4 (Aliases: CVE-2020-4050) | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-4rsg-tmp9-q3hp (Aliases: CVE-2019-16219) | WordPress before 5.2.3 allows XSS in shortcode previews. | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-549h-mzq2-zffe (Aliases: CVE-2020-4049) | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-58c8-14q3-pbc5 (Aliases: CVE-2017-8295) | WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-59vn-wwep-jkhj (Aliases: CVE-2020-4047) | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-5eer-y812-dydv (Aliases: CVE-2017-16510) | WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
| VCID-5fxz-g788-s7e9 (Aliases: CVE-2019-17669) | WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters. | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-5pup-kgdy-7qgr (Aliases: CVE-2016-5832) | The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-69ua-dy2s-vbhg (Aliases: CVE-2022-21661) | WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions, going back to 3.7.37, are also fixed via security releases. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability. | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-6cgd-3gdj-hua6 (Aliases: CVE-2016-5835) | WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-6qrr-7egy-v7gh (Aliases: CVE-2016-1564) | Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-6u8g-8x7f-b7bb (Aliases: CVE-2018-20153) | In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. | Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
| VCID-7g6e-71z5-2qbw (Aliases: CVE-2016-4029) | WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-87ak-rgyr-7qgd (Aliases: CVE-2017-14726) | Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
| VCID-8bsb-hgw9-nygc (Aliases: CVE-2015-5734) | Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a crafted string. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-8cej-dba9-8ufz (Aliases: CVE-2017-6818) | In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. | Affected by 92 other vulnerabilities. |
| VCID-8v6f-3sja-ukf3 (Aliases: CVE-2018-10100) | Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
| VCID-9495-a8zg-u3fj (Aliases: CVE-2017-6814) | In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function in wp-includes/js/mediaelement/wp-playlist.js. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-9kvv-9dug-53em (Aliases: CVE-2019-17672) | WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements. | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-9wm5-txht-ukbf (Aliases: CVE-2018-10102) | Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
| VCID-atfu-p1bf-nqgk (Aliases: CVE-2017-5493) | multiple issues | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-ayjr-hr33-syfr (Aliases: CVE-2015-3429) | Cross-site scripting (XSS) vulnerability in example.html in Genericons before 3.3.1, as used in WordPress before 4.2.2, allows remote attackers to inject arbitrary web script or HTML via a fragment identifier. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-b399-wc8a-wbbz (Aliases: CVE-2018-20152) | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. | Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
| VCID-b3pk-4whw-7uhu (Aliases: CVE-2022-43500) | Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7. | Affected by 7 other vulnerabilities. |
| VCID-b682-wkpy-7ffj (Aliases: CVE-2024-31111) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS. This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9. | Affected by 2 other vulnerabilities. |
| VCID-bsrc-zrnr-1kan (Aliases: CVE-2017-14721) | Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
| VCID-bvbf-vb8r-afa1 (Aliases: CVE-2021-39200) | information disclosure | Affected by 7 other vulnerabilities. |
| VCID-c33q-s42e-eyhs (Aliases: CVE-2016-5837) | WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-c9fz-yptv-9khn (Aliases: CVE-2017-14718) | Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
| VCID-cdd4-8q84-vue9 (Aliases: CVE-2016-6897) | Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896. | Affected by 92 other vulnerabilities. |
| VCID-cj33-h6kk-s7ht (Aliases: CVE-2019-20042) | In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-cz2c-kdyu-bff9 (Aliases: CVE-2015-5730) | The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time comparison for widgets, which allows remote attackers to conduct a timing side-channel attack by measuring the delay before inequality is calculated. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-d143-b9ws-xbfb (Aliases: CVE-2016-7169) | multiple issues | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-dapt-94r6-hqek (Aliases: CVE-2015-5732) | Cross-site scripting (XSS) vulnerability in the form function in the WP_Nav_Menu_Widget class in wp-includes/default-widgets.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a widget title. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-dauy-7a55-wkaf (Aliases: CVE-2024-31210) | WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin screen in WordPress. If FTP credentials are requested for installation (in order to move the file into place outside of the `uploads` directory) then the uploaded file remains temporarily available in the Media Library despite it not being allowed. If the `DISALLOW_FILE_EDIT` constant is set to `true` on the site _and_ FTP credentials are required when uploading a new theme or plugin, then this technically allows an RCE when the user would otherwise have no means of executing arbitrary PHP code. This issue _only_ affects Administrator level users on single site installations, and Super Admin level users on Multisite installations where it's otherwise expected that the user does not have permission to upload or execute arbitrary PHP code. Lower level users are not affected. Sites where the `DISALLOW_FILE_MODS` constant is set to `true` are not affected. Sites where an administrative user either does not need to enter FTP credentials or has access to the valid FTP credentials are not affected. The issue was fixed in WordPress 6.4.3 on January 30, 2024 and backported to versions 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, 5.8.9, 5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21, 4.9.25, 2.8.24, 4.7.28, 4.6.28, 4.5.31, 4.4.32, 4.3.33, 4.2.37, and 4.1.40. A workaround is available. If the `DISALLOW_FILE_MODS` constant is defined as `true` then it will not be possible for any user to upload a plugin and therefore this issue will not be exploitable. | Affected by 7 other vulnerabilities. |
| VCID-dbwd-rp71-fkfn (Aliases: CVE-2022-4973) | WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors, making it possible to inject arbitrary web scripts into posts and pages that execute if the `the_meta()` function is called on that page. | Affected by 7 other vulnerabilities. |
| VCID-dctu-2n1a-pkfy (Aliases: CVE-2017-9064) | In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-dpk1-runp-pbfm (Aliases: CVE-2020-28038) | multiple issues | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-dsrt-8rc7-w7hb (Aliases: CVE-2021-39201) | WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. Impact: the issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. Patches: this has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. References: https://wordpress.org/news/category/releases/ and https://hackerone.com/reports/1142140. For more information: if you have any questions or comments about this advisory, open an issue in [HackerOne](https://hackerone.com/wordpress). | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-dxht-xtce-myae (Aliases: CVE-2020-11027) | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access to the email account of the user would be needed by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-dyhm-9v3u-87cs (Aliases: CVE-2017-6819) | In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This. | Affected by 92 other vulnerabilities. |
| VCID-dztn-g6tp-p7hs (Aliases: CVE-2017-6817) | In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-e6gz-2eyy-z3c4 (Aliases: CVE-2019-16223) | WordPress before 5.2.3 allows XSS in post previews by authenticated users. | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-ejq2-w9hr-5fdy (Aliases: CVE-2020-25286) | In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public. | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-epzv-yjc3-rfb5 (Aliases: CVE-2017-6815) | In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-eu98-xttk-pbbj (Aliases: CVE-2020-28032) | multiple issues | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-f4xs-ryt4-yqd8 (Aliases: CVE-2019-17673) | WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header. | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-fe9q-kykp-m7h1 (Aliases: CVE-2017-17094) | wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
| VCID-fean-kh3y-hub5 (Aliases: CVE-2017-14990) | WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability). | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
| VCID-fh3e-9a4w-4uc7 (Aliases: CVE-2020-28034) | multiple issues | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-fpdz-s2wj-wkaq (Aliases: CVE-2016-6634) | Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-g62c-gvgx-4qbh (Aliases: CVE-2020-4048) | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to an unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-gfsz-2cdj-27eg (Aliases: CVE-2016-5836) | The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors. | Affected by 92 other vulnerabilities. |
| VCID-ghbj-tsw7-t7hh (Aliases: CVE-2019-20043) | In wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-gnzp-c32h-s3fk (Aliases: CVE-2018-12895) | WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges. | Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
| VCID-hfkf-dbke-6fdm (Aliases: CVE-2019-17675) | WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF. | Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-hq3r-rgb5-pbch (Aliases: CVE-2017-9063) | In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| VCID-juwu-drm6-6kh3 (Aliases: CVE-2017-14725) | Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php. | Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
| VCID-k1mb-d89c-hfah (Aliases: CVE-2024-6307) | WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | Affected by 2 other vulnerabilities. |
| VCID-kcsk-68w5-pyew (Aliases: CVE-2016-6896) | Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool. | Affected by 92 other vulnerabilities. |
| VCID-kv4q-f3qr-9qct (Aliases: CVE-2022-21663) | WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with the Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions, going back to 3.7.37, are also fixed via security releases. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. | |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-kxnw-4kb5-kyde
Aliases: CVE-2017-14720 |
Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-kyw4-6fg2-wyab
Aliases: CVE-2019-16221 |
WordPress before 5.2.3 allows reflected XSS in the dashboard. |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-m1sd-29v3-yuhx
Aliases: CVE-2017-6816 |
In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-m7wf-su66-w3ck
Aliases: CVE-2025-58674 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30. |
Affected by 2 other vulnerabilities. |
|
VCID-me8e-z5y6-eygu
Aliases: DSA-5279-2 wordpress |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-mg9f-c4t1-kkfj
Aliases: CVE-2016-4566 |
Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack. |
Affected by 92 other vulnerabilities. |
|
VCID-mks2-64jg-97bv
Aliases: CVE-2015-3439 |
Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-mr7z-mfz3-9bhm
Aliases: CVE-2017-5489 |
multiple issues |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-mszv-nwtz-yfc1
Aliases: CVE-2018-20150 |
In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-mxrj-1czt-zqd8
Aliases: CVE-2020-28035 |
multiple issues |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-nrd2-nsrz-uyef
Aliases: CVE-2022-21664 |
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-p66z-a8th-zye8
Aliases: CVE-2015-5715 |
The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in the XMLRPC subsystem in WordPress before 4.3.1 allows remote authenticated users to bypass intended access restrictions, and arrange for a private post to be published and sticky, via unspecified vectors. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-p7r2-g8wj-6fha
Aliases: CVE-2015-8834 |
Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3440. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-pjuk-25hx-yycm
Aliases: CVE-2017-9065 |
In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-pkqc-ufuf-sfhu
Aliases: CVE-2019-9787 |
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php. |
Affected by 7 other vulnerabilities. |
|
VCID-pkxk-hbhs-13ca
Aliases: CVE-2017-17092 |
wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-pww3-ez3f-n3av
Aliases: CVE-2015-5731 |
Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-pzxy-b1pr-wqgf
Aliases: CVE-2018-20147 |
In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files. |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-q5g1-gaat-ruak
Aliases: CVE-2018-20151 |
In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default. |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-qd3z-zv51-jfha
Aliases: CVE-2017-5611 |
SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-qhf5-wsdq-pyad
Aliases: CVE-2016-10148 |
The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896. |
Affected by 92 other vulnerabilities. |
|
VCID-qp7n-4s3c-6qhp
Aliases: CVE-2018-5776 |
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). |
Affected by 63 other vulnerabilities. |
|
VCID-qs91-8ygn-nqch
Aliases: CVE-2017-17091 |
wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-qx65-y71k-2qau
Aliases: CVE-2020-11025 |
In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-rcwa-qhwg-qqgf
Aliases: CVE-2016-2221 |
Open redirect vulnerability in the wp_validate_redirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as demonstrated by an https:example.com URL. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-rke2-tdkd-pbag
Aliases: CVE-2017-9066 |
In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. |
Affected by 92 other vulnerabilities. |
|
VCID-rqfx-c8ub-gqfd
Aliases: CVE-2017-5612 |
Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-ryeh-8kus-1bc5
Aliases: CVE-2019-17674 |
WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer. |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-scs7-a2fa-xqad
Aliases: CVE-2020-28039 |
multiple issues |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-segt-uewd-j7f2
Aliases: CVE-2015-3440 |
Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-t78k-a5p3-ekd3
Aliases: CVE-2020-28033 |
multiple issues |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-tcx2-vbrr-xbbs
Aliases: CVE-2015-5714 |
Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the mishandling of unclosed HTML elements during processing of shortcode tags. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-tdyq-g7qp-ekcf
Aliases: CVE-2019-16218 |
WordPress before 5.2.3 allows XSS in stored comments. |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-th7b-r5hb-xubs
Aliases: CVE-2019-16222 |
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks. |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-thze-51nr-t3c2
Aliases: CVE-2018-20148 |
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php. |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-tnp3-48bm-f7ak
Aliases: DSA-3332-2 wordpress |
regression update |
Affected by 152 other vulnerabilities. |
|
VCID-u2g8-1k4q-cud5
Aliases: CVE-2020-11028 |
In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-udwx-b2q5-wfh8
Aliases: CVE-2017-17093 |
wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-uet7-ayb1-k7be
Aliases: CVE-2017-5488 |
multiple issues |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-uh2s-rh42-g3dp
Aliases: CVE-2018-20149 |
In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data. |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-ukah-fz6r-jfe2
Aliases: CVE-2022-43497 |
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7. |
Affected by 7 other vulnerabilities. |
|
VCID-utzm-sjm8-3qdh
Aliases: CVE-2019-16781 |
In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS. |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-uvp8-atns-buap
Aliases: CVE-2017-9061 |
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-v28c-t67z-8bh1
Aliases: CVE-2017-5490 |
multiple issues |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-v2yx-kp5s-e3b2
Aliases: CVE-2015-5733 |
Cross-site scripting (XSS) vulnerability in the refreshAdvancedAccessibilityOfItem function in wp-admin/js/nav-menu.js in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via an accessibility-helper title. |
Affected by 92 other vulnerabilities. |
|
VCID-v9aa-vn8u-tfag
Aliases: CVE-2016-7168 |
multiple issues |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-v9kx-rgup-abah
Aliases: CVE-2015-5622 |
Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.php. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-vp57-uu3b-p7a8
Aliases: CVE-2015-5623 |
WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-w468-s3yn-f3g5
Aliases: CVE-2023-5561 |
WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack |
Affected by 7 other vulnerabilities. |
|
VCID-w5m3-hthy-5kfb
Aliases: CVE-2019-16780 |
WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled. |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-w7u7-ghcz-dfaa
Aliases: CVE-2017-5610 |
wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-wkxe-dtxv-17e6
Aliases: CVE-2022-43504 |
Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7. |
Affected by 7 other vulnerabilities. |
|
VCID-ws42-mg4c-4kga
Aliases: CVE-2020-28036 |
multiple issues |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-wtzt-7dy5-8fgr
Aliases: CVE-2019-16217 |
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-wu41-pj8w-bfdg
Aliases: CVE-2016-2222 |
The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request forgery (SSRF) attacks via a zero value in the first octet of an IPv4 address in the u parameter to wp-admin/press-this.php. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-xd3p-y51v-jyah
Aliases: CVE-2023-39999 |
Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38. |
Affected by 7 other vulnerabilities. |
|
VCID-xras-kgw1-d7ch
Aliases: CVE-2020-11029 |
In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-xsaq-r2ru-hfan
Aliases: CVE-2022-21662 |
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-xsyx-j96p-jucj
Aliases: CVE-2019-17670 |
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs. |
Affected by 7 other vulnerabilities. |
|
VCID-xycz-421s-uqhw
Aliases: CVE-2021-29450 |
Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix. |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-xyfj-8a78-h7da
Aliases: CVE-2016-5838 |
WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-y66s-wy16-afa8
Aliases: CVE-2019-8942 |
arbitrary code execution |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-y6j6-qe38-3qef
Aliases: CVE-2017-9062 |
In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-ywfg-12xc-v3a6
Aliases: CVE-2019-20041 |
wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring. |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-yxa4-etp6-8uhd
Aliases: CVE-2017-14722 |
Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename. |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-zay2-3jb2-dkdj
Aliases: CVE-2017-5491 |
multiple issues |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-zbgp-mh7h-quad
Aliases: DSA-3681-2 wordpress |
regression update |
Affected by 152 other vulnerabilities. |
|
VCID-zbqa-xsg6-fqaz
Aliases: CVE-2017-5487 |
multiple issues |
Affected by 92 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1nv4-xsxn-rqfm | wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery (SSRF) attacks by referring to a 127.0.0.0/8 resource. | CVE-2014-9038 |
| VCID-2aq8-35ze-mfb2 | The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. | CVE-2014-5265 |
| VCID-3rmm-42vm-hbgh | wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter. | CVE-2013-4340 |
| VCID-3srm-2c94-3ba2 | WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file. | CVE-2016-9263 |
| VCID-4qgz-r538-tue6 | wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message. | CVE-2014-9039 |
| VCID-531v-haqq-1ydn | The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. | CVE-2014-0166 |
| VCID-6877-zgq5-f3fm | The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265. | CVE-2014-5266 |
| VCID-7jam-5u4u-3qfz | Cross-site scripting (XSS) vulnerability in the media-playlists feature in WordPress before 3.9.x before 3.9.3 and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | CVE-2014-9032 |
| VCID-86qc-4eay-nqh7 | getID3() before 1.9.8, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. | CVE-2014-2053, GHSA-5v43-55m5-qr8f |
| VCID-aaed-8fjf-9kc4 | wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to execute arbitrary code via crafted serialized data. | CVE-2014-5203 |
| VCID-f7py-hd2z-4bg4 | WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php. | CVE-2014-0165 |
| VCID-jjrh-ks8y-7yey | Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack the authentication of arbitrary users for requests that reset passwords. | CVE-2014-9033 |
| VCID-mp7w-74vc-dqa3 | Cross-site scripting (XSS) vulnerability in the wptexturize function in WordPress before 3.7.5, 3.8.x before 3.8.5, and 3.9.x before 3.9.3 allows remote attackers to inject arbitrary web script or HTML via crafted use of shortcode brackets in a text field, as demonstrated by a comment or a post. | CVE-2014-9031 |
| VCID-nq4c-xfxt-8fau | wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. | CVE-2014-5204 |
| VCID-ny5x-3x9s-2kcg | wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. | CVE-2014-5205 |
| VCID-pdbx-7mtr-yya1 | WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash. | CVE-2014-9037 |
| VCID-qfr6-1q5v-mqav | wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016. | CVE-2014-9034 |
| VCID-qjxx-4awt-c7cq | The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file. | CVE-2013-5738 |
| VCID-qvub-dp47-vbat | WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string. | CVE-2013-4339 |
| VCID-stra-6431-kyew | Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | CVE-2014-9035 |
| VCID-tc8g-gatd-sfgy | wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations. | CVE-2013-4338 |
| VCID-xyrb-ygv3-wfd4 | Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted Cascading Style Sheets (CSS) token sequence in a post. | CVE-2014-9036 |
| VCID-y9z1-2yhb-f3bt | Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL. | CVE-2014-5240 |
| VCID-z4tr-5bg6-mqcp | The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php. | CVE-2013-5739 |