VulnerableCode Package Details - pkg:deb/debian/wordpress@6.1.9%2Bdfsg1-0%2Bdeb12u1

Search for packages

Vulnerability	Summary	Fixed by
VCID-gyaq-8pvh-p7gg Aliases: CVE-2012-6707	WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.	6.8.3+dfsg1-0+deb13u1 Affected by 0 other vulnerabilities.
VCID-jghn-eujf-zbdn Aliases: CVE-2023-5692	WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'.	6.8.3+dfsg1-0+deb13u1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-gyaq-8pvh-p7gg
Aliases:
CVE-2012-6707

WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.

6.8.3+dfsg1-0+deb13u1
Affected by 0 other vulnerabilities.

VCID-jghn-eujf-zbdn
Aliases:
CVE-2023-5692

WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'.

6.8.3+dfsg1-0+deb13u1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-4g2n-5v12-yuff	Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9.	CVE-2024-31111
VCID-532z-9qbb-dyfw	Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges required in order to exploit it. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.	CVE-2025-58246
VCID-m8mf-t2td-67h7	WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.	CVE-2024-6307
VCID-yqam-kpce-dfg7	WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.	CVE-2021-44223
VCID-zj9a-shru-e7gs	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.	CVE-2025-58674

Vulnerability

Summary

Aliases

VCID-4g2n-5v12-yuff

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9.

CVE-2024-31111

VCID-532z-9qbb-dyfw

Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges required in order to exploit it. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.

CVE-2025-58246

VCID-m8mf-t2td-67h7

WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-6307

VCID-yqam-kpce-dfg7

WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

CVE-2021-44223

VCID-zj9a-shru-e7gs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.

CVE-2025-58674

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T12:33:26.543073+00:00	Debian Importer	Affected by	VCID-gyaq-8pvh-p7gg	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:37:24.493533+00:00	Debian Importer	Fixing	VCID-yqam-kpce-dfg7	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:41:48.462333+00:00	Debian Importer	Affected by	VCID-jghn-eujf-zbdn	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-15T22:02:19.005899+00:00	Debian Oval Importer	Fixing	VCID-m8mf-t2td-67h7	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T17:12:32.544771+00:00	Debian Oval Importer	Fixing	VCID-zj9a-shru-e7gs	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T17:10:33.987492+00:00	Debian Oval Importer	Fixing	VCID-532z-9qbb-dyfw	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T17:08:31.501954+00:00	Debian Oval Importer	Fixing	VCID-4g2n-5v12-yuff	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-13T08:36:00.689989+00:00	Debian Importer	Affected by	VCID-gyaq-8pvh-p7gg	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:55:19.271636+00:00	Debian Importer	Fixing	VCID-yqam-kpce-dfg7	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T21:40:28.671841+00:00	Debian Oval Importer	Fixing	VCID-m8mf-t2td-67h7	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T18:26:58.721925+00:00	Debian Importer	Affected by	VCID-jghn-eujf-zbdn	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T16:59:09.687059+00:00	Debian Oval Importer	Fixing	VCID-zj9a-shru-e7gs	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T16:57:05.985039+00:00	Debian Oval Importer	Fixing	VCID-532z-9qbb-dyfw	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T16:55:05.720496+00:00	Debian Oval Importer	Fixing	VCID-4g2n-5v12-yuff	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-08T21:18:26.871304+00:00	Debian Oval Importer	Fixing	VCID-m8mf-t2td-67h7	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T19:43:38.325417+00:00	Debian Importer	Affected by	VCID-gyaq-8pvh-p7gg	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-08T19:16:24.926674+00:00	Debian Importer	Fixing	VCID-yqam-kpce-dfg7	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-08T16:48:41.409108+00:00	Debian Oval Importer	Fixing	VCID-zj9a-shru-e7gs	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T16:46:45.859783+00:00	Debian Oval Importer	Fixing	VCID-532z-9qbb-dyfw	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T16:44:51.277909+00:00	Debian Oval Importer	Fixing	VCID-4g2n-5v12-yuff	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-04T18:10:06.377779+00:00	Debian Importer	Affected by	VCID-jghn-eujf-zbdn	https://security-tracker.debian.org/tracker/data/json	38.1.0