| Field | Value |
|---|---|
| purl | pkg:deb/debian/wordpress@5.7.11%2Bdfsg1-0%2Bdeb11u1 |
| Next non-vulnerable version | 6.8.1+dfsg1-1 |
| Latest non-vulnerable version | 6.8.1+dfsg1-1 |
| Risk | 4.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-2bv7-vxb4-ybh8 (Aliases: CVE-2023-5692) | WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'. | Affected by 0 other vulnerabilities. |
| VCID-826u-hftn-63b7 (Aliases: CVE-2012-6707) | | Affected by 0 other vulnerabilities. |
| VCID-zhu9-kz2j-t7eg (Aliases: CVE-2021-44223) | WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory. | Affected by 5 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-27gf-s9nc-9qgy | WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. Impact: The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. Patches: This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. References: https://wordpress.org/news/category/releases/ and https://hackerone.com/reports/1142140. For more information: if you have any questions or comments about this advisory, open an issue in [HackerOne](https://hackerone.com/wordpress). | CVE-2021-39201 |
| VCID-2reu-mug8-7khp | Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7. | CVE-2022-43500 |
| VCID-32ks-kc8x-t3bc | WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases that go back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability. | CVE-2022-21661 |
| VCID-3jf9-qqss-cyax | WordPress before 5.2.3 allows reflected XSS in the dashboard. | CVE-2019-16221 |
| VCID-3p37-fuvn-yyhx | WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header. | CVE-2019-17673 |
| VCID-3xx6-as4s-hqah | multiple issues | CVE-2021-29450 |
| VCID-4by6-snwe-kbay | In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public. | CVE-2020-25286 |
| VCID-527a-mxru-3bhw | In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). | CVE-2020-4046 |
| VCID-5fw9-e6gr-fffj | Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38. | CVE-2023-39999 |
| VCID-5krm-ab8u-87gj | WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks. | CVE-2019-16222 |
| VCID-6wzs-z1a3-5bgc | multiple issues | CVE-2020-28039 |
| VCID-7q3m-juqy-dbc2 | security update | CVE-2020-11026 |
| VCID-86xs-fn2g-ekgw | security update | CVE-2020-11029 |
| VCID-8d3z-u8kz-qfd3 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). | CVE-2020-4048 |
| VCID-a1vg-crra-zqd3 | multiple issues | CVE-2020-28038 |
| VCID-aq2b-4paf-nuc7 | WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases that go back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. | CVE-2022-21662 |
| VCID-c4f2-gf3z-rugf | In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. | CVE-2019-20042 |
| VCID-cm7n-829q-4qh3 | multiple issues | CVE-2020-28037 |
| VCID-cscg-s24f-tqhs | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). | CVE-2020-4047 |
| VCID-ct56-8gxd-dbar | WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases that go back to 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. | CVE-2022-21664 |
| VCID-d474-zmfc-9uct | multiple issues | CVE-2020-28033 |
| VCID-e1yr-jstc-kfcf | In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled. | CVE-2019-17671 |
| VCID-f3f8-4dyr-u7f6 | WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs. | CVE-2019-17670 |
| VCID-f45x-hdvn-3ucp | security update | CVE-2020-11028 |
| VCID-fe6b-yywu-9bgg | security update | DSA-5279-2 wordpress |
| VCID-gf7e-n6a8-2udc | WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the 'wp_lang' parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack. | CVE-2023-2745 |
| VCID-hafb-f7ez-a3h8 | WordPress before 5.2.3 allows XSS in stored comments. | CVE-2019-16218 |
| VCID-hk4z-ey84-sqa7 | WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer. | CVE-2019-17674 |
| VCID-j8um-3sac-fye7 | security update | CVE-2020-11025 |
| VCID-jt8m-8ttj-h3bg | In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | CVE-2020-11030 |
| VCID-jxqy-whe1-x7ht | WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin screen in WordPress. If FTP credentials are requested for installation (in order to move the file into place outside of the `uploads` directory) then the uploaded file remains temporarily available in the Media Library despite it not being allowed. If the `DISALLOW_FILE_EDIT` constant is set to `true` on the site _and_ FTP credentials are required when uploading a new theme or plugin, then this technically allows an RCE when the user would otherwise have no means of executing arbitrary PHP code. This issue _only_ affects Administrator level users on single site installations, and Super Admin level users on Multisite installations where it's otherwise expected that the user does not have permission to upload or execute arbitrary PHP code. Lower level users are not affected. Sites where the `DISALLOW_FILE_MODS` constant is set to `true` are not affected. Sites where an administrative user either does not need to enter FTP credentials or they have access to the valid FTP credentials, are not affected. The issue was fixed in WordPress 6.4.3 on January 30, 2024 and backported to versions 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, 5.8.9, 5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21, 4.9.25, 2.8.24, 4.7.28, 4.6.28, 4.5.31, 4.4.32, 4.3.33, 4.2.37, and 4.1.40. A workaround is available. If the `DISALLOW_FILE_MODS` constant is defined as `true` then it will not be possible for any user to upload a plugin and therefore this issue will not be exploitable. | CVE-2024-31210 |
| VCID-k7y9-719w-tqh5 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). | CVE-2020-4049 |
| VCID-ke32-qerd-c7dm | In wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. | CVE-2019-20043 |
| VCID-ks4j-38bf-8qd4 | multiple issues | CVE-2020-28032 |
| VCID-kw8w-ryc6-cqd4 | Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7. | CVE-2022-43504 |
| VCID-m81w-h68v-fbg4 | WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php. | CVE-2019-9787 |
| VCID-nps9-wuur-6kc4 | security update | CVE-2020-11027 |
| VCID-nqky-8p8k-ryce | In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash. | CVE-2019-16220 |
| VCID-q6fq-uwx9-wugu | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). | CVE-2020-4050 |
| VCID-qdvm-tmx1-9ka3 | WordPress before 5.2.3 allows XSS in shortcode previews. | CVE-2019-16219 |
| VCID-qhwv-dwv5-7kbk | WordPress before 5.2.3 allows XSS in post previews by authenticated users. | CVE-2019-16223 |
| VCID-qpx8-h6j2-5yb5 | WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors, making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page. | CVE-2022-4973 |
| VCID-rh9a-aynp-c3fa | WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an oracle-style attack. | CVE-2023-5561 |
| VCID-s4mq-81zp-2bgq | WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF. | CVE-2019-17675 |
| VCID-s7cb-xj6g-47fe | WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters. | CVE-2019-17669 |
| VCID-sr4f-8x4c-2yf3 | WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled. | CVE-2019-16780 |
| VCID-t1bt-j6fu-1fhw | WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements. | CVE-2019-17672 |
| VCID-tfm7-6acr-tffz | multiple issues | CVE-2021-29447 |
| VCID-u9ff-xwfy-p7ek | multiple issues | CVE-2020-28034 |
| VCID-uf87-vfb2-7ybc | multiple issues | CVE-2020-28035 |
| VCID-uq4k-4tyv-eyhj | multiple issues | CVE-2020-28040 |
| VCID-wafy-4qhc-guee | Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7. | CVE-2022-43497 |
| VCID-x9we-vp2y-9qdh | Insecure Deserialization of untrusted data in rmccue/requests. Impact: Unserialization of untrusted data. Patches: The issue has been patched and users of `Requests` 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0. References: Publications about the vulnerability: https://dannewitz.ninja/posts/php-unserialize-object-injection-yet-another-stars-rating-wordpress ; https://github.com/ambionics/phpggc/issues/52 ; https://blog.detectify.com/2019/07/23/improving-wordpress-plugin-security/ ; https://i.blackhat.com/us-18/Thu-August-9/us-18-Thomas-Its-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf ; https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf ; https://2018.zeronights.ru/wp-content/uploads/materials/9%20ZN2018%20WV%20-%20PHP%20unserialize.pdf ; https://medium.com/@knownsec404team/extend-the-attack-surface-of-php-deserialization-vulnerability-via-phar-d6455c6a1066#3c0f . Originally fixed in WordPress 5.5.2: https://github.com/WordPress/wordpress-develop/commit/add6bedf3a53b647d0ebda2970057912d3cd79d3 ; https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/ . Related Security Advisories: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28032 ; https://nvd.nist.gov/vuln/detail/CVE-2020-28032 . Notification to the Requests repo including a fix in https://github.com/rmccue/Requests/pull/421 and https://github.com/rmccue/Requests/pull/422 . For more information: if you have any questions or comments about this advisory, open an issue in [Requests](https://github.com/WordPress/Requests/). | CVE-2021-29476, GHSA-52qp-jpq7-6c54 |
| VCID-xmct-x7bt-quhy | WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases that go back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. | CVE-2022-21663 |
| VCID-xnrd-rj56-6fd4 | In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS. | CVE-2019-16781 |
| VCID-xrw6-wv27-tkde | information disclosure | CVE-2021-39200 |
| VCID-y57w-rjb7-hye3 | multiple issues | CVE-2020-28036 |
| VCID-ypzf-m1km-1qgz | wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring. | CVE-2019-20041 |
| VCID-z8ek-exhy-qyb7 | WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. | CVE-2019-16217 |