{"url":"http://public2.vulnerablecode.io/api/packages/995233?format=json","purl":"pkg:deb/debian/wordpress@6.1.9%2Bdfsg1-0%2Bdeb12u1","type":"deb","namespace":"debian","name":"wordpress","version":"6.1.9+dfsg1-0+deb12u1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.8.3+dfsg1-0+deb13u1","latest_non_vulnerable_version":"6.8.3+dfsg1-0+deb13u1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/92449?format=json","vulnerability_id":"VCID-gyaq-8pvh-p7gg","summary":"WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP 
versions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-6707","reference_id":"","reference_type":"","scores":[{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39508","published_at":"2026-05-15T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39497","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39744","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39893","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39921","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39843","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39899","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39912","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39886","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39867","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39917","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39887","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39807","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39633","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39619","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39533","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39406","publis
hed_at":"2026-05-05T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39472","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39488","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39401","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39426","published_at":"2026-05-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-6707"},{"reference_url":"https://core.trac.wordpress.org/ticket/21022","reference_id":"","reference_type":"","scores":[],"url":"https://core.trac.wordpress.org/ticket/21022"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6707","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6707"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880868","reference_id":"880868","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880868"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-6707","reference_id":"CVE-2012-6707","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:L/Au:N/C:P/I:N/A:N"},{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-6707"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/995234?format=json","purl":"pkg:deb/debian/wordpress@6.8.
3%2Bdfsg1-0%2Bdeb13u1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.8.3%252Bdfsg1-0%252Bdeb13u1"}],"aliases":["CVE-2012-6707"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gyaq-8pvh-p7gg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/95884?format=json","vulnerability_id":"VCID-jghn-eujf-zbdn","summary":"WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including,  6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-5692","reference_id":"","reference_type":"","scores":[{"value":"0.00855","scoring_system":"epss","scoring_elements":"0.74907","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00855","scoring_system":"epss","scoring_elements":"0.74935","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00855","scoring_system":"epss","scoring_elements":"0.74908","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00855","scoring_system":"epss","scoring_elements":"0.74942","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00855","scoring_system":"epss","scoring_elements":"0.74954","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00855","scoring_system":"epss","scoring_elements":"0.74977","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00855","scoring_system":"epss","scoring_elements":"0.74956","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00855","scoring_system":"epss","scoring_elements":"0.74946","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00855","scoring_system":"epss","scoring_elements":"0.74983","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00855","scoring_system":"epss","scoring_elements":"0.74
99","published_at":"2026-04-18T12:55:00Z"},{"value":"0.01055","scoring_system":"epss","scoring_elements":"0.77617","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01055","scoring_system":"epss","scoring_elements":"0.77736","published_at":"2026-05-12T12:55:00Z"},{"value":"0.01055","scoring_system":"epss","scoring_elements":"0.77781","published_at":"2026-05-14T12:55:00Z"},{"value":"0.01055","scoring_system":"epss","scoring_elements":"0.77796","published_at":"2026-05-15T12:55:00Z"},{"value":"0.01055","scoring_system":"epss","scoring_elements":"0.77682","published_at":"2026-05-05T12:55:00Z"},{"value":"0.01055","scoring_system":"epss","scoring_elements":"0.77711","published_at":"2026-05-07T12:55:00Z"},{"value":"0.01055","scoring_system":"epss","scoring_elements":"0.7773","published_at":"2026-05-09T12:55:00Z"},{"value":"0.01055","scoring_system":"epss","scoring_elements":"0.77719","published_at":"2026-05-11T12:55:00Z"},{"value":"0.01084","scoring_system":"epss","scoring_elements":"0.77944","published_at":"2026-04-26T12:55:00Z"},{"value":"0.01084","scoring_system":"epss","scoring_elements":"0.77958","published_at":"2026-04-29T12:55:00Z"},{"value":"0.01084","scoring_system":"epss","scoring_elements":"0.77937","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-5692"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5692","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5692"},{"reference_url":"https://core.trac.wordpress.org/changeset/57645","reference_id":"57645","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:58:59Z/"}],"url":"https://core.trac.wordpress.org/changeset/57645"},{"reference_url":"https://www.wordfence.com/threat-intel/vulnerabi
lities/id/6e6f993b-ce09-4050-84a1-cbe9953f36b1?source=cve","reference_id":"6e6f993b-ce09-4050-84a1-cbe9953f36b1?source=cve","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:58:59Z/"}],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/6e6f993b-ce09-4050-84a1-cbe9953f36b1?source=cve"},{"reference_url":"https://github.com/WordPress/wordpress-develop/blob/6.3/src/wp-includes/canonical.php#L763","reference_id":"canonical.php#L763","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:58:59Z/"}],"url":"https://github.com/WordPress/wordpress-develop/blob/6.3/src/wp-includes/canonical.php#L763"},{"reference_url":"https://developer.wordpress.org/reference/functions/is_post_publicly_viewable/","reference_id":"is_post_publicly_viewable","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:58:59Z/"}],"url":"https://developer.wordpress.org/reference/functions/is_post_publicly_viewable/"},{"reference_url":"https://developer.wordpress.org/reference/functions/is_post_type_viewable/","reference_id":"is_post_type_viewable","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-05T13:58:59Z/"}],"url":"https://developer.wordpress.org/reference/functions/is_post_type_viewable/"}],"fixed_packages":[{"url"
:"http://public2.vulnerablecode.io/api/packages/995234?format=json","purl":"pkg:deb/debian/wordpress@6.8.3%2Bdfsg1-0%2Bdeb13u1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.8.3%252Bdfsg1-0%252Bdeb13u1"}],"aliases":["CVE-2023-5692"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jghn-eujf-zbdn"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/96062?format=json","vulnerability_id":"VCID-4g2n-5v12-yuff","summary":"Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS. This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-31111","reference_id":"","reference_type":"","scores":[{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.62894","published_at":"2026-05-15T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.62844","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.62803","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.62829","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.62884","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.62681","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.62714","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.62677","published_at":"2026-04-07T12:
55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.62729","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.62746","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.62763","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.62753","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.6277","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.62778","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.62759","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.62775","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.62791","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.6279","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.62743","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-31111"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31111","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31111"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074486","reference_id":"1074486","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074486"},{"reference_url":"https://wordpress.org/news/2024/06/wordpress-6-5-5/","reference_id":"wordpress-6-5-5","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-25T13:49:17Z/"}],"url":"https://wordpress.org/news/2024/06/wordpress-6-5-5/"},{"reference_url":"https://patchstack.com/database/vulnerability/wordpress/wordpress-wordpress-core-core-6-5-5-cross-site-scripting-xss-via-template-part-vulnerability?_s_id=cve","reference_id":"wordpress-wordpress-core-core-6-5-5-cross-site-scripting-xss-via-template-part-vulnerability?_s_id=cve","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-25T13:49:17Z/"}],"url":"https://patchstack.com/database/vulnerability/wordpress/wordpress-wordpress-core-core-6-5-5-cross-site-scripting-xss-via-template-part-vulnerability?_s_id=cve"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/995233?format=json","purl":"pkg:deb/debian/wordpress@6.1.9%2Bdfsg1-0%2Bdeb12u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gyaq-8pvh-p7gg"},{"vulnerability":"VCID-jghn-eujf-zbdn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.1.9%252Bdfsg1-0%252Bdeb12u1"}],"aliases":["CVE-2024-31111"],"risk_score":2.2,"exploitability":"0.5","weighted_severity":"4.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4g2n-5v12-yuff"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/96811?format=json","vulnerability_id":"VCID-532z-9qbb-dyfw","summary":"Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges required in order to exploit it. 
This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-58246","reference_id":"","reference_type":"","scores":[{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11038","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11099","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.1092","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.10997","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.1105","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11054","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11022","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.10856","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.10869","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11222","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11264","pub
lished_at":"2026-05-12T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11319","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11325","published_at":"2026-05-15T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11127","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.1106","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11193","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11255","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.1197","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.11914","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.11944","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-58246"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58246","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58246"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117047","reference_id":"1117047","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117047"},{"reference_url":"https://wordpress.org/news/2025/09/wordpress-6-8-3-release/","reference_id":"wordpress-6-8-3-release","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-23T18:30:39Z/"}],"url":"https://wordpress.org/news/2025/09/wordpress-6-8-3-release/"},{"reference_url":"https://patchstack.com/database/w
ordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-sensitive-data-exposure-vulnerability?_s_id=cve","reference_id":"wordpress-wordpress-wordpress-6-8-2-sensitive-data-exposure-vulnerability?_s_id=cve","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-23T18:30:39Z/"}],"url":"https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-sensitive-data-exposure-vulnerability?_s_id=cve"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/995233?format=json","purl":"pkg:deb/debian/wordpress@6.1.9%2Bdfsg1-0%2Bdeb12u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gyaq-8pvh-p7gg"},{"vulnerability":"VCID-jghn-eujf-zbdn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.1.9%252Bdfsg1-0%252Bdeb12u1"}],"aliases":["CVE-2025-58246"],"risk_score":1.5,"exploitability":"0.5","weighted_severity":"3.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-532z-9qbb-dyfw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/96346?format=json","vulnerability_id":"VCID-m8mf-t2td-67h7","summary":"WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-6307","reference_id":"","reference_type":"","scores":[{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.70601","published_at":"2026-05-15T12:55:00Z"},{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.70488","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.70497","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.70472","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.7051","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.70542","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.70511","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.70537","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.70588","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.70356","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.70373","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.70352","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.70397","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.70412","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.70436","published_at":"2026-04-11T12:55:00Z"},{"valu
e":"0.00635","scoring_system":"epss","scoring_elements":"0.70421","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.70406","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.70448","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.70457","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00635","scoring_system":"epss","scoring_elements":"0.70437","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-6307"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6307","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6307"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074486","reference_id":"1074486","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074486"},{"reference_url":"https://core.trac.wordpress.org/changeset/58472","reference_id":"58472","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-06T03:09:30Z/"}],"url":"https://core.trac.wordpress.org/changeset/58472"},{"reference_url":"https://core.trac.wordpress.org/changeset/58473","reference_id":"58473","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-06T03:09:30Z/"}],"url":"https://core.trac.wordpress.org/changeset/58473"},{"reference_url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/bc0d36f8-6569-49a1-b722-5cf57c4bb32a?source=cve","reference_id":"bc0d36f8-6569-49a1-b722-5cf57c
4bb32a?source=cve","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-06T03:09:30Z/"}],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/bc0d36f8-6569-49a1-b722-5cf57c4bb32a?source=cve"},{"reference_url":"https://wordpress.org/news/2024/06/wordpress-6-5-5/","reference_id":"wordpress-6-5-5","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-06T03:09:30Z/"}],"url":"https://wordpress.org/news/2024/06/wordpress-6-5-5/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/995233?format=json","purl":"pkg:deb/debian/wordpress@6.1.9%2Bdfsg1-0%2Bdeb12u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gyaq-8pvh-p7gg"},{"vulnerability":"VCID-jghn-eujf-zbdn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.1.9%252Bdfsg1-0%252Bdeb12u1"}],"aliases":["CVE-2024-6307"],"risk_score":2.2,"exploitability":"0.5","weighted_severity":"4.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m8mf-t2td-67h7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/94971?format=json","vulnerability_id":"VCID-yqam-kpce-dfg7","summary":"WordPress before 5.8 lacks support for the Update URI plugin header. 
This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-44223","reference_id":"","reference_type":"","scores":[{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96388","published_at":"2026-04-01T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96395","published_at":"2026-04-02T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96399","published_at":"2026-04-04T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96402","published_at":"2026-04-07T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96411","published_at":"2026-04-08T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96414","published_at":"2026-04-09T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96419","published_at":"2026-04-11T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.9642","published_at":"2026-04-12T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96423","published_at":"2026-04-13T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.9643","published_at":"2026-04-16T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96434","published_at":"2026-04-18T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96435","published_at":"2026-04-21T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96436","published_at":"2026-04-24T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96437","published_at":"2026-04-26T12:55:00Z"},{"value":"0.27489","scoring_system
":"epss","scoring_elements":"0.96439","published_at":"2026-04-29T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96446","published_at":"2026-05-05T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96448","published_at":"2026-05-07T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96455","published_at":"2026-05-09T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96458","published_at":"2026-05-11T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96463","published_at":"2026-05-12T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96473","published_at":"2026-05-14T12:55:00Z"},{"value":"0.27489","scoring_system":"epss","scoring_elements":"0.96475","published_at":"2026-05-15T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-44223"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44223","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44223"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/995233?format=json","purl":"pkg:deb/debian/wordpress@6.1.9%2Bdfsg1-0%2Bdeb12u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gyaq-8pvh-p7gg"},{"vulnerability":"VCID-jghn-eujf-zbdn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.1.9%252Bdfsg1-0%252Bdeb12u1"}],"aliases":["CVE-2021-44223"],"risk_score":0.1,"exploitability":"0.5","weighted_severity":"0.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yqam-kpce-dfg7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/96812?format=json","vulnerability_id":"VCID-zj9a-shru-e7gs","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. 
WordPress core security team is aware of the issue and working on a fix. This is a low-severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-58674","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07921","published_at":"2026-05-15T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07649","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07789","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07858","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07847","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07869","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07917","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07411","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07453","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07436","published_at":"2
026-04-07T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07493","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07516","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07502","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.0749","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07412","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07399","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.07669","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08189","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08158","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00029","scoring_system":"epss","scoring_elements":"0.08122","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-58674"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58674","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58674"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117047","reference_id":"1117047","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117047"},{"reference_url":"https://wordpress.org/news/2025/09/wordpress-6-8-3-release/","reference_id":"wordpress-6-8-3-release","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-23T19:15:09Z/"}],"url":"https://wordpr
ess.org/news/2025/09/wordpress-6-8-3-release/"},{"reference_url":"https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve","reference_id":"wordpress-wordpress-wordpress-6-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-23T19:15:09Z/"}],"url":"https://patchstack.com/database/wordpress/wordpress/wordpress/vulnerability/wordpress-wordpress-wordpress-6-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/995233?format=json","purl":"pkg:deb/debian/wordpress@6.1.9%2Bdfsg1-0%2Bdeb12u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gyaq-8pvh-p7gg"},{"vulnerability":"VCID-jghn-eujf-zbdn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.1.9%252Bdfsg1-0%252Bdeb12u1"}],"aliases":["CVE-2025-58674"],"risk_score":2.0,"exploitability":"0.5","weighted_severity":"4.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zj9a-shru-e7gs"}],"risk_score":"3.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/wordpress@6.1.9%252Bdfsg1-0%252Bdeb12u1"}