Package details: pkg:deb/debian/wordpress@6.1.6%2Bdfsg1-0%2Bdeb12u1
purl pkg:deb/debian/wordpress@6.1.6%2Bdfsg1-0%2Bdeb12u1
Next non-vulnerable version 6.8.1+dfsg1-1
Latest non-vulnerable version 6.8.1+dfsg1-1
Risk 10.0
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-2bv7-vxb4-ybh8
Aliases:
CVE-2023-5692
WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'.
6.8.1+dfsg1-1
Affected by 0 other vulnerabilities.
VCID-5ajy-ezh3-vkct
Aliases:
CVE-2024-6307
WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
6.8.1+dfsg1-1
Affected by 0 other vulnerabilities.
VCID-826u-hftn-63b7
Aliases:
CVE-2012-6707
6.8.1+dfsg1-1
Affected by 0 other vulnerabilities.
VCID-qffj-kjmq-4uaj
Aliases:
CVE-2024-31111
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS. This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9.
6.8.1+dfsg1-1
Affected by 0 other vulnerabilities.
VCID-u4na-zqaw-6kec
Aliases:
CVE-2024-4439
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.
6.8.1+dfsg1-1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-zhu9-kz2j-t7eg WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory. CVE-2021-44223

Date Actor Action Vulnerability Source VulnerableCode Version
2025-08-01T13:08:28.325996+00:00 Debian Importer Affected by VCID-826u-hftn-63b7 https://security-tracker.debian.org/tracker/data/json 37.0.0
2025-08-01T12:56:21.249826+00:00 Debian Importer Affected by VCID-u4na-zqaw-6kec https://security-tracker.debian.org/tracker/data/json 37.0.0
2025-08-01T12:37:39.510196+00:00 Debian Importer Affected by VCID-5ajy-ezh3-vkct https://security-tracker.debian.org/tracker/data/json 37.0.0
2025-08-01T12:34:45.794413+00:00 Debian Importer Affected by VCID-qffj-kjmq-4uaj https://security-tracker.debian.org/tracker/data/json 37.0.0
2025-08-01T12:31:56.005313+00:00 Debian Importer Affected by VCID-2bv7-vxb4-ybh8 https://security-tracker.debian.org/tracker/data/json 37.0.0
2025-08-01T12:16:49.070951+00:00 Debian Importer Fixing VCID-zhu9-kz2j-t7eg https://security-tracker.debian.org/tracker/data/json 37.0.0