Search for packages
| purl | pkg:deb/debian/wordpress@2.0.10-1etch6 |
| Next non-vulnerable version | 6.8.1+dfsg1-1 |
| Latest non-vulnerable version | 6.8.1+dfsg1-1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-12c2-g4gy-x7ab
Aliases: CVE-2016-7169 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-12tt-wa76-t3cx
Aliases: CVE-2017-14723 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-1ren-s7gn-n7ej
Aliases: CVE-2012-6112 GHSA-fx5h-3786-h2w6 |
PHP Spellchecker addon for TinyMCE allows attackers to trigger arbitrary outbound HTTP requests classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 and other products, does not properly handle control characters, which allows remote attackers to trigger arbitrary outbound HTTP requests via a crafted string. |
Affected by 174 other vulnerabilities. |
|
VCID-1u9e-yfsd-bbd9
Aliases: CVE-2007-4153 |
Affected by 240 other vulnerabilities. |
|
|
VCID-1uy6-vc8f-tkb5
Aliases: CVE-2007-0540 |
Affected by 240 other vulnerabilities. |
|
|
VCID-1w2g-tur8-87g4
Aliases: CVE-2018-20150 |
In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. |
Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-1xph-ge12-kkfs
Aliases: CVE-2012-2402 |
Affected by 174 other vulnerabilities. |
|
|
VCID-1zq7-zzan-nkbs
Aliases: CVE-2012-3385 |
Affected by 174 other vulnerabilities. |
|
|
VCID-27gf-s9nc-9qgy
Aliases: CVE-2021-39201 |
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/wordpress) |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-2e4f-hrfb-7fex
Aliases: CVE-2009-2853 |
Affected by 174 other vulnerabilities. |
|
|
VCID-2ehv-6m1p-xuhj
Aliases: CVE-2014-9036 |
security update |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-2hf6-6tdq-3kft
Aliases: CVE-2007-4893 |
Affected by 240 other vulnerabilities. |
|
|
VCID-2mec-rmz2-b3cn
Aliases: CVE-2017-6818 |
multiple issues |
Affected by 88 other vulnerabilities. |
|
VCID-2n2r-syzm-tqdp
Aliases: CVE-2014-0166 |
security update |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-2reu-mug8-7khp
Aliases: CVE-2022-43500 |
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7. |
Affected by 3 other vulnerabilities. |
|
VCID-2x58-5hmb-kkbm
Aliases: CVE-2017-14721 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-2zky-r44t-xqae
Aliases: CVE-2017-9065 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-32ks-kc8x-t3bc
Aliases: CVE-2022-21661 |
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-32s4-bryc-ufhu
Aliases: DSA-3332-2 wordpress |
regression update |
Affected by 148 other vulnerabilities. |
|
VCID-34h8-w1n9-hfat
Aliases: CVE-2017-14726 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-37y3-ege1-5fhr
Aliases: CVE-2007-4483 |
Affected by 240 other vulnerabilities. |
|
|
VCID-3b3a-karq-6ka4
Aliases: CVE-2015-5734 |
security update |
Affected by 174 other vulnerabilities. Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-3f2x-un7t-7kgq
Aliases: CVE-2016-5832 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-3jf9-qqss-cyax
Aliases: CVE-2019-16221 |
WordPress before 5.2.3 allows reflected XSS in the dashboard. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-3p37-fuvn-yyhx
Aliases: CVE-2019-17673 |
WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-3sfz-vebz-3ydk
Aliases: CVE-2005-4600 |
Affected by 240 other vulnerabilities. |
|
|
VCID-3xx6-as4s-hqah
Aliases: CVE-2021-29450 |
multiple issues |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-41gx-s1cu-9ka5
Aliases: CVE-2016-5836 |
Affected by 88 other vulnerabilities. |
|
|
VCID-44xb-3kxh-rqhv
Aliases: CVE-2017-9062 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-455s-8m4a-4ycq
Aliases: CVE-2009-2334 |
wordpress: multiple vulnerabilities |
Affected by 174 other vulnerabilities. |
|
VCID-46uh-pmxy-pkec
Aliases: CVE-2016-5839 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-4by6-snwe-kbay
Aliases: CVE-2020-25286 |
In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-527a-mxru-3bhw
Aliases: CVE-2020-4046 |
In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
Affected by 3 other vulnerabilities. |
|
VCID-59m6-yh62-hkcw
Aliases: CVE-2015-5732 |
security update |
Affected by 174 other vulnerabilities. Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-5ans-sptw-x3bf
Aliases: CVE-2015-3429 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-5cp2-6kk7-87et
Aliases: CVE-2013-2199 |
several |
Affected by 174 other vulnerabilities. |
|
VCID-5ekt-9vj3-nuaq
Aliases: CVE-2011-3128 |
Affected by 174 other vulnerabilities. |
|
|
VCID-5fw9-e6gr-fffj
Aliases: CVE-2023-39999 |
Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38. |
Affected by 3 other vulnerabilities. |
|
VCID-5hqg-sae8-dfd4
Aliases: CVE-2013-2203 |
several |
Affected by 174 other vulnerabilities. |
|
VCID-5k5v-7vb3-uqca
Aliases: CVE-2013-2204 |
several |
Affected by 174 other vulnerabilities. |
|
VCID-5krm-ab8u-87gj
Aliases: CVE-2019-16222 |
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-5pfu-gwnc-qfcc
Aliases: CVE-2016-4566 |
Affected by 88 other vulnerabilities. |
|
|
VCID-5pgy-wjg1-zkd7
Aliases: CVE-2013-0236 |
Affected by 174 other vulnerabilities. |
|
|
VCID-5u2z-e2s3-87bt
Aliases: CVE-2018-20148 |
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php. |
Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-5v57-tgkd-cqar
Aliases: CVE-2008-0196 |
Affected by 240 other vulnerabilities. |
|
|
VCID-5zdm-97hn-1uf4
Aliases: CVE-2010-4536 |
Affected by 174 other vulnerabilities. |
|
|
VCID-61rc-xqnk-ufee
Aliases: CVE-2011-4956 |
Affected by 174 other vulnerabilities. |
|
|
VCID-654n-frp4-j3hb
Aliases: CVE-2017-9064 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-66d7-qggh-t3d8
Aliases: CVE-2017-1000600 |
WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. This issue appears to have been partially, but not completely fixed in WordPress 4.9 |
Affected by 59 other vulnerabilities. |
|
VCID-67he-h475-h3hz
Aliases: CVE-2008-0195 |
Affected by 240 other vulnerabilities. |
|
|
VCID-6a49-y6td-fuhh
Aliases: CVE-2015-5623 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-6ak7-dr3a-4kf9
Aliases: CVE-2017-6819 |
multiple issues |
Affected by 88 other vulnerabilities. |
|
VCID-6f8x-9bj3-buhd
Aliases: CVE-2017-5488 |
multiple issues |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-6nc7-y4x7-pbhr
Aliases: CVE-2007-1893 |
Affected by 240 other vulnerabilities. |
|
|
VCID-6tyt-xhs3-1bbg
Aliases: CVE-2007-3215 GHSA-6h78-85v2-mmch |
PHPMailer Shell command injection PHPMailer before 1.7.4, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in `class.phpmailer.php`. ### Impact Shell command injection, remotely exploitable if host application does not filter user data appropriately. ### Patches Fixed in 1.7.4 ### Workarounds Filter and validate user-supplied data before putting in the into the `Sender` property. ### References https://nvd.nist.gov/vuln/detail/CVE-2007-3215 ### For more information If you have any questions or comments about this advisory: * Open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer) |
Affected by 240 other vulnerabilities. |
|
VCID-6wzs-z1a3-5bgc
Aliases: CVE-2020-28039 |
multiple issues |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-7791-qr1b-j3cd
Aliases: CVE-2007-4894 |
Affected by 240 other vulnerabilities. |
|
|
VCID-78dd-tsy4-buen
Aliases: CVE-2016-6635 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-7c6w-6h4r-mfgb
Aliases: CVE-2007-3544 |
Affected by 240 other vulnerabilities. |
|
|
VCID-7q3m-juqy-dbc2
Aliases: CVE-2020-11026 |
security update |
Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-7vb4-bx59-gffa
Aliases: CVE-2015-3439 |
security update |
Affected by 174 other vulnerabilities. Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-7yfw-q6n1-1udd
Aliases: CVE-2007-0541 |
Affected by 240 other vulnerabilities. |
|
|
VCID-7yr7-wdmq-nfch
Aliases: CVE-2017-17092 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-82ch-8kkj-skgj
Aliases: CVE-2016-5834 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-84wk-ph1h-13bt
Aliases: CVE-2018-10100 |
Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-86xs-fn2g-ekgw
Aliases: CVE-2020-11029 |
security update |
Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-88z9-n5u1-mbfx
Aliases: CVE-2008-5695 |
Affected by 240 other vulnerabilities. |
|
|
VCID-8d3z-u8kz-qfd3
Aliases: CVE-2020-4048 |
In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-8dyf-jkgt-2fgf
Aliases: CVE-2014-9032 |
Affected by 150 other vulnerabilities. |
|
|
VCID-8eb4-g8w5-eyg5
Aliases: CVE-2013-0235 |
Affected by 174 other vulnerabilities. |
|
|
VCID-8ehz-ehr4-ffcm
Aliases: CVE-2009-2851 |
WordPress: XSS via unescaped HTML URLs as author comments in the admin page |
Affected by 174 other vulnerabilities. |
|
VCID-8j6w-s38j-6fbd
Aliases: CVE-2018-20149 |
In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data. |
Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-8n1k-ybrk-gke1
Aliases: CVE-2012-6633 |
Affected by 174 other vulnerabilities. |
|
|
VCID-8qq6-hyg6-ruep
Aliases: CVE-2015-5733 |
Affected by 88 other vulnerabilities. |
|
|
VCID-8vxa-4qq3-vbcv
Aliases: CVE-2011-4957 |
Affected by 174 other vulnerabilities. |
|
|
VCID-8z9w-f61k-yqgt
Aliases: CVE-2008-1502 GHSA-v759-3wr5-p294 |
Affected by 240 other vulnerabilities. |
|
|
VCID-93wn-sty1-z3au
Aliases: CVE-2016-5837 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-9512-ge1s-j7b7
Aliases: CVE-2014-5203 |
Affected by 150 other vulnerabilities. |
|
|
VCID-9cuh-smyv-c7hy
Aliases: CVE-2017-5487 |
multiple issues |
Affected by 88 other vulnerabilities. |
|
VCID-9e2r-8vk9-yffa
Aliases: CVE-2007-3639 |
Affected by 240 other vulnerabilities. |
|
|
VCID-9fxk-fbcr-j7dt
Aliases: CVE-2009-2854 |
Affected by 174 other vulnerabilities. |
|
|
VCID-9h3k-uafb-q7h1
Aliases: CVE-2007-6318 |
wordpress: SQL injection when certain DB charsets are used |
Affected by 240 other vulnerabilities. |
|
VCID-9m8t-t3xt-qbcx
Aliases: CVE-2013-2202 |
several |
Affected by 174 other vulnerabilities. |
|
VCID-9ty9-8whs-k3dz
Aliases: CVE-2018-20147 |
In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files. |
Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-9v5c-vpyh-hqaj
Aliases: CVE-2014-2053 GHSA-5v43-55m5-qr8f |
getID3 is vulnerable to XML External Entity (XXE) getID3() before 1.9.9, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-a1vg-crra-zqd3
Aliases: CVE-2020-28038 |
multiple issues |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-a3r5-yvx9-cyf4
Aliases: CVE-2017-5612 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-a4a2-k6tn-u3gm
Aliases: CVE-2017-5610 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-a5uc-k8cw-aydu
Aliases: CVE-2011-3129 |
Affected by 174 other vulnerabilities. |
|
|
VCID-a5uf-mmtg-d3f3
Aliases: CVE-2014-5204 |
security update |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-a72p-4gv4-37cw
Aliases: CVE-2008-2146 |
Affected by 240 other vulnerabilities. |
|
|
VCID-a9tc-t4fq-bfgy
Aliases: CVE-2012-4448 |
Affected by 174 other vulnerabilities. |
|
|
VCID-aab3-6dsk-yqhv
Aliases: CVE-2018-10102 |
Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-ahhh-455p-m7cc
Aliases: CVE-2010-5295 |
Affected by 174 other vulnerabilities. |
|
|
VCID-aq2b-4paf-nuc7
Aliases: CVE-2022-21662 |
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-aqsp-xrqb-s3ef
Aliases: CVE-2011-0700 |
Affected by 174 other vulnerabilities. |
|
|
VCID-auea-tezp-rybp
Aliases: CVE-2007-2627 |
Affected by 240 other vulnerabilities. |
|
|
VCID-aufe-xdsh-quah
Aliases: CVE-2016-5838 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-avnt-t4w1-3fhn
Aliases: CVE-2016-5833 |
Affected by 88 other vulnerabilities. |
|
|
VCID-aypk-7j17-mudk
Aliases: CVE-2014-9033 |
security update |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-b1bf-ry9m-quek
Aliases: CVE-2016-7168 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-bas3-6dby-ufhp
Aliases: CVE-2014-9031 |
security update |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-bms3-wc9f-efgj
Aliases: CVE-2012-0287 |
Affected by 174 other vulnerabilities. |
|
|
VCID-bqma-z617-cbcz
Aliases: CVE-2018-12895 |
WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges. |
Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-br8b-mesh-skgj
Aliases: CVE-2018-20151 |
In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default. |
Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-bumz-hzxr-aqg1
Aliases: CVE-2017-1001000 |
Affected by 88 other vulnerabilities. |
|
|
VCID-busz-j8zc-x7bf
Aliases: CVE-2017-8295 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-butj-dzhh-nygn
Aliases: CVE-2017-6816 |
multiple issues |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-bwgx-aesh-7yap
Aliases: CVE-2012-2400 |
Affected by 174 other vulnerabilities. |
|
|
VCID-byas-q6gv-mke2
Aliases: CVE-2017-14724 |
Affected by 59 other vulnerabilities. |
|
|
VCID-c4f2-gf3z-rugf
Aliases: CVE-2019-20042 |
In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-cbdv-s6jp-3bhd
Aliases: CVE-2015-5731 |
security update |
Affected by 174 other vulnerabilities. Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-cgpw-jvtr-juew
Aliases: CVE-2013-2173 |
several |
Affected by 174 other vulnerabilities. |
|
VCID-cm7n-829q-4qh3
Aliases: CVE-2020-28037 |
multiple issues |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-cq6z-xpt1-8khc
Aliases: CVE-2012-3383 |
Affected by 174 other vulnerabilities. |
|
|
VCID-cscg-s24f-tqhs
Aliases: CVE-2020-4047 |
In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-cscz-a9k9-xbcg
Aliases: CVE-2013-4339 |
several |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-ct56-8gxd-dbar
Aliases: CVE-2022-21664 |
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-czbk-u4g1-17bu
Aliases: CVE-2018-20152 |
In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. |
Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-d474-zmfc-9uct
Aliases: CVE-2020-28033 |
multiple issues |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-d4nv-my69-sybq
Aliases: CVE-2015-5714 |
security update |
Affected by 174 other vulnerabilities. Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-d6a6-q5kp-5ufr
Aliases: CVE-2010-5106 |
Affected by 174 other vulnerabilities. |
|
|
VCID-dcsn-xddy-g3d9
Aliases: CVE-2015-3438 |
security update |
Affected by 174 other vulnerabilities. Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-dff4-yb6w-j7e2
Aliases: CVE-2017-6814 |
multiple issues |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-dmv9-knba-2fb7
Aliases: CVE-2018-10101 |
Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. |
Affected by 59 other vulnerabilities. |
|
VCID-dn7t-h7yg-77g6
Aliases: CVE-2014-5240 |
security update |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-dymf-rh2m-2bdp
Aliases: CVE-2008-0664 |
wordpress: XML-RPC interface vulnerability |
Affected by 240 other vulnerabilities. |
|
VCID-dzs5-wayg-fbds
Aliases: CVE-2009-3891 |
Affected by 174 other vulnerabilities. |
|
|
VCID-e13h-hbaf-xubt
Aliases: CVE-2007-0539 |
Affected by 240 other vulnerabilities. |
|
|
VCID-e1yr-jstc-kfcf
Aliases: CVE-2019-17671 |
In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-ek88-ut4v-gyaw
Aliases: CVE-2017-5491 |
multiple issues |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-er21-4jka-suee
Aliases: CVE-2014-0165 |
security update |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-ernp-hc35-vbdh
Aliases: CVE-2008-5113 |
wordpress delayed attack via cookies |
Affected by 240 other vulnerabilities. |
|
VCID-etdy-6u57-mkc3
Aliases: CVE-2011-3130 |
Affected by 174 other vulnerabilities. |
|
|
VCID-ewbz-n5kw-9kba
Aliases: CVE-2010-4257 |
Affected by 174 other vulnerabilities. |
|
|
VCID-ex8m-e3dw-9fdc
Aliases: CVE-2012-2401 |
Affected by 174 other vulnerabilities. |
|
|
VCID-exh2-qmjg-fugm
Aliases: CVE-2012-2399 |
Affected by 174 other vulnerabilities. |
|
|
VCID-eyqt-p9fs-jfah
Aliases: CVE-2007-1732 |
Affected by 240 other vulnerabilities. |
|
|
VCID-f1au-u22p-wuav
Aliases: CVE-2007-1230 |
Affected by 240 other vulnerabilities. |
|
|
VCID-f3f8-4dyr-u7f6
Aliases: CVE-2019-17670 |
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs. |
Affected by 3 other vulnerabilities. |
|
VCID-f45x-hdvn-3ucp
Aliases: CVE-2020-11028 |
security update |
Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-fe6b-yywu-9bgg
Aliases: DSA-5279-2 wordpress |
security update |
Affected by 3 other vulnerabilities. |
|
VCID-fpjm-v5s2-z3d4
Aliases: CVE-2008-4796 |
Affected by 240 other vulnerabilities. |
|
|
VCID-fpk3-agzc-b3hk
Aliases: CVE-2012-3384 |
Affected by 174 other vulnerabilities. |
|
|
VCID-fvdp-q1jr-dqd6
Aliases: CVE-2007-2821 |
Affected by 240 other vulnerabilities. |
|
|
VCID-gf7e-n6a8-2udc
Aliases: CVE-2023-2745 |
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack. |
Affected by 3 other vulnerabilities. |
|
VCID-gn93-j7ua-dyah
Aliases: CVE-2017-17094 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-gnky-7r2p-m7g2
Aliases: CVE-2017-9061 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-h4z2-rmh8-m3ef
Aliases: CVE-2017-14720 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-hafb-f7ez-a3h8
Aliases: CVE-2019-16218 |
WordPress before 5.2.3 allows XSS in stored comments. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-hegz-a1cj-nufx
Aliases: CVE-2008-2392 |
wordpress: Malicious File Execution Vulnerability |
Affected by 240 other vulnerabilities. |
|
VCID-hg4g-a35f-cfh8
Aliases: CVE-2007-1622 |
Affected by 240 other vulnerabilities. |
|
|
VCID-hk4z-ey84-sqa7
Aliases: CVE-2019-17674 |
WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-hvtx-rwbk-kuff
Aliases: CVE-2016-4029 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-j5fe-xycn-9uh2
Aliases: CVE-2013-4340 |
several |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-j781-6yuc-jud4
Aliases: CVE-2013-2200 |
several |
Affected by 174 other vulnerabilities. |
|
VCID-j8um-3sac-fye7
Aliases: CVE-2020-11025 |
security update |
Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-jfjc-28aj-dbg8
Aliases: CVE-2015-5622 |
security update |
Affected by 174 other vulnerabilities. Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-jm5z-k4wp-t7d7
Aliases: CVE-2010-2230 GHSA-3gm8-32vv-q8mp |
Moodle Cross-site Scripting vulnerability in the KSES text cleaning filter The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input. |
Affected by 174 other vulnerabilities. |
|
VCID-jnd9-6ya9-sqbk
Aliases: CVE-2010-5296 |
Affected by 174 other vulnerabilities. |
|
|
VCID-jpft-xr5y-5yay
Aliases: CVE-2012-4422 |
Affected by 174 other vulnerabilities. |
|
|
VCID-jsjz-frgr-qfh8
Aliases: CVE-2007-1049 |
Affected by 240 other vulnerabilities. |
|
|
VCID-jt8m-8ttj-h3bg
Aliases: CVE-2020-11030 |
In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). |
Affected by 3 other vulnerabilities. |
|
VCID-jxqy-whe1-x7ht
Aliases: CVE-2024-31210 |
WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin screen in WordPress. If FTP credentials are requested for installation (in order to move the file into place outside of the `uploads` directory) then the uploaded file remains temporary available in the Media Library despite it not being allowed. If the `DISALLOW_FILE_EDIT` constant is set to `true` on the site _and_ FTP credentials are required when uploading a new theme or plugin, then this technically allows an RCE when the user would otherwise have no means of executing arbitrary PHP code. This issue _only_ affects Administrator level users on single site installations, and Super Admin level users on Multisite installations where it's otherwise expected that the user does not have permission to upload or execute arbitrary PHP code. Lower level users are not affected. Sites where the `DISALLOW_FILE_MODS` constant is set to `true` are not affected. Sites where an administrative user either does not need to enter FTP credentials or they have access to the valid FTP credentials, are not affected. The issue was fixed in WordPress 6.4.3 on January 30, 2024 and backported to versions 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, 5.8.9, 5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21, 4.9.25, 2.8.24, 4.7.28, 4.6.28, 4.5.31, 4.4.32, 4.3.33, 4.2.37, and 4.1.40. A workaround is available. If the `DISALLOW_FILE_MODS` constant is defined as `true` then it will not be possible for any user to upload a plugin and therefore this issue will not be exploitable. |
Affected by 3 other vulnerabilities. |
|
VCID-k2j7-fd88-byax
Aliases: CVE-2017-5492 |
multiple issues |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-k7jw-wvfe-bkbm
Aliases: CVE-2010-0682 |
Affected by 174 other vulnerabilities. |
|
|
VCID-k7y9-719w-tqh5
Aliases: CVE-2020-4049 |
In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-kaf8-a48c-43gj
Aliases: CVE-2015-7989 |
security update |
Affected by 174 other vulnerabilities. Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-kbd2-8ds1-4ybc
Aliases: CVE-2013-0237 |
Affected by 174 other vulnerabilities. |
|
|
VCID-ke32-qerd-c7dm
Aliases: CVE-2019-20043 |
In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-krmf-caxh-mbhg
Aliases: CVE-2009-2432 |
wordpress: multiple vulnerabilities |
Affected by 174 other vulnerabilities. |
|
VCID-krxu-u4jm-hqcb
Aliases: CVE-2016-6896 |
Affected by 88 other vulnerabilities. |
|
|
VCID-ks4j-38bf-8qd4
Aliases: CVE-2020-28032 |
multiple issues |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-kw8w-ryc6-cqd4
Aliases: CVE-2022-43504 |
Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7. |
Affected by 3 other vulnerabilities. |
|
VCID-kx4u-rxap-p3c9
Aliases: CVE-2008-4769 |
Affected by 240 other vulnerabilities. |
|
|
VCID-m81w-h68v-fbg4
Aliases: CVE-2019-9787 |
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php. |
Affected by 3 other vulnerabilities. |
|
VCID-mbda-vujt-wffq
Aliases: CVE-2008-0193 |
Affected by 240 other vulnerabilities. |
|
|
VCID-meuc-hvy2-byhw
Aliases: CVE-2007-1897 |
Affected by 240 other vulnerabilities. |
|
|
VCID-mwe7-23m2-jygp
Aliases: CVE-2016-2222 |
security update |
Affected by 174 other vulnerabilities. Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-nbxe-c2t2-nyhq
Aliases: CVE-2011-0701 |
Affected by 174 other vulnerabilities. |
|
|
VCID-nmmt-rrba-zufd
Aliases: CVE-2014-9035 |
security update |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-nps9-wuur-6kc4
Aliases: CVE-2020-11027 |
security update |
Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-nqky-8p8k-ryce
Aliases: CVE-2019-16220 |
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-nsee-fvjj-gkhz
Aliases: CVE-2016-6634 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-nsx3-c12v-zbgv
Aliases: CVE-2017-5489 |
multiple issues |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-pcvr-cca9-vugj
Aliases: CVE-2007-3543 |
Affected by 240 other vulnerabilities. |
|
|
VCID-pmqn-yjye-wfas
Aliases: CVE-2014-9034 |
security update |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-pw8r-zzsq-4qdu
Aliases: CVE-2011-3122 |
Affected by 174 other vulnerabilities. |
|
|
VCID-q4m4-cz3y-nqc3
Aliases: CVE-2017-14722 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-q4xy-rtns-2yde
Aliases: CVE-2014-5266 |
security update |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-q6fq-uwx9-wugu
Aliases: CVE-2020-4050 |
In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-q8ka-j2x8-x3gv
Aliases: CVE-2008-6762 |
Affected by 174 other vulnerabilities. |
|
|
VCID-qd2n-zyfw-47b7
Aliases: CVE-2016-10148 |
Affected by 88 other vulnerabilities. |
|
|
VCID-qd4a-p7gu-8ygt
Aliases: CVE-2009-2431 |
wordpress: multiple vulnerabilities |
Affected by 174 other vulnerabilities. |
|
VCID-qdvm-tmx1-9ka3
Aliases: CVE-2019-16219 |
WordPress before 5.2.3 allows XSS in shortcode previews. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-qhwv-dwv5-7kbk
Aliases: CVE-2019-16223 |
WordPress before 5.2.3 allows XSS in post previews by authenticated users. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-qm4e-vcxs-9yeb
Aliases: CVE-2011-3127 |
Affected by 174 other vulnerabilities. |
|
|
VCID-qpn2-mgup-pubp
Aliases: CVE-2015-3440 |
security update |
Affected by 174 other vulnerabilities. Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-qpvs-xwhs-7uhb
Aliases: CVE-2016-5835 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-qpx8-h6j2-5yb5
Aliases: CVE-2022-4973 |
WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page. |
Affected by 3 other vulnerabilities. |
|
VCID-qqa7-tjfu-q3hd
Aliases: CVE-2011-3126 |
Affected by 174 other vulnerabilities. |
|
|
VCID-ra5u-n2jx-dugx
Aliases: CVE-2017-14725 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-rh9a-aynp-c3fa
Aliases: CVE-2023-5561 |
WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack |
Affected by 3 other vulnerabilities. |
|
VCID-rj1v-nqrf-wfct
Aliases: CVE-2016-9263 |
Affected by 150 other vulnerabilities. |
|
|
VCID-rsgs-7ta5-m7dn
Aliases: CVE-2008-7220 |
FrameWork: XSS Ajax requests (AST-2009-009) |
Affected by 240 other vulnerabilities. |
|
VCID-rtrx-nq73-wffv
Aliases: CVE-2018-20153 |
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. |
Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-ru8c-3cs3-5uez
Aliases: CVE-2017-17091 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-rvaq-jxwx-8udr
Aliases: CVE-2017-14990 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-rxhc-a9e4-sbe4
Aliases: CVE-2017-5493 |
multiple issues |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-s2dq-k6ay-fqfm
Aliases: CVE-2007-2714 |
Affected by 240 other vulnerabilities. |
|
|
VCID-s47e-39mg-9fey
Aliases: CVE-2008-4106 |
wordpress: sql column truncation flaw |
Affected by 240 other vulnerabilities. |
|
VCID-s4kn-hbk3-33an
Aliases: CVE-2008-6767 |
Affected by 174 other vulnerabilities. |
|
|
VCID-s4mq-81zp-2bgq
Aliases: CVE-2019-17675 |
WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-s6t8-saak-3bbg
Aliases: CVE-2016-1564 |
security update |
Affected by 174 other vulnerabilities. Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-s713-yc5t-u3a8
Aliases: CVE-2017-14718 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-s7cb-xj6g-47fe
Aliases: CVE-2019-17669 |
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-sbe1-m4h7-zkeh
Aliases: CVE-2014-5265 |
security update |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-se7b-jqm1-b7fj
Aliases: CVE-2017-9066 |
Affected by 88 other vulnerabilities. |
|
|
VCID-sm6y-xrpu-2ugq
Aliases: CVE-2017-5611 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-sqgj-kj2m-5qb8
Aliases: CVE-2017-17093 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-sr4f-8x4c-2yf3
Aliases: CVE-2019-16780 |
WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-styu-n3vp-ebdx
Aliases: CVE-2012-2403 |
Affected by 174 other vulnerabilities. |
|
|
VCID-t1bt-j6fu-1fhw
Aliases: CVE-2019-17672 |
WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-t358-y4s3-83ea
Aliases: CVE-2009-2762 |
Affected by 174 other vulnerabilities. |
|
|
VCID-t6x1-e89r-tygw
Aliases: CVE-2011-5270 |
Affected by 174 other vulnerabilities. |
|
|
VCID-t8rt-5ez5-zfar
Aliases: CVE-2015-5715 |
security update |
Affected by 174 other vulnerabilities. Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-ta88-5875-17e8
Aliases: CVE-2011-3125 |
Affected by 174 other vulnerabilities. |
|
|
VCID-tbuc-p3nr-wycn
Aliases: CVE-2012-6634 |
Affected by 174 other vulnerabilities. |
|
|
VCID-tdgn-bngb-1uhg
Aliases: CVE-2007-0233 |
Affected by 240 other vulnerabilities. |
|
|
VCID-tfm7-6acr-tffz
Aliases: CVE-2021-29447 |
multiple issues |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-th9w-6ryc-k3ds
Aliases: CVE-2007-5710 |
Affected by 240 other vulnerabilities. |
|
|
VCID-tms4-umv6-xuan
Aliases: CVE-2017-5490 |
multiple issues |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-ts2a-sq4s-6bec
Aliases: CVE-2008-3747 |
wordpress: insufficient SSL communication enforcement |
Affected by 240 other vulnerabilities. |
|
VCID-tsgh-sxvx-9uc2
Aliases: CVE-2013-4338 |
several |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-tsut-3bu1-zqeb
Aliases: CVE-2009-2336 |
wordpress: multiple vulnerabilities |
Affected by 174 other vulnerabilities. |
|
VCID-tym4-nuhv-xqhg
Aliases: CVE-2012-3414 |
Affected by 174 other vulnerabilities. |
|
|
VCID-tzzw-ct22-tbas
Aliases: CVE-2008-2068 |
wordpress: security fixes in upstream version 2.5.1 (CVE-2008-1930, CVE-2008-2068) |
Affected by 240 other vulnerabilities. |
|
VCID-u9ff-xwfy-p7ek
Aliases: CVE-2020-28034 |
multiple issues |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-ub26-c191-ffd7
Aliases: CVE-2007-4154 |
Affected by 240 other vulnerabilities. |
|
|
VCID-ucq6-rnak-qudw
Aliases: CVE-2008-1930 |
Affected by 240 other vulnerabilities. |
|
|
VCID-ueq9-kuqp-kbgv
Aliases: CVE-2012-2404 |
Affected by 174 other vulnerabilities. |
|
|
VCID-uf87-vfb2-7ybc
Aliases: CVE-2020-28035 |
multiple issues |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-ukd2-4fhh-47hq
Aliases: CVE-2011-1762 |
A flaw exists in Wordpress related to the 'wp-admin/press-this.php 'script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'publish_posts' permission. |
Affected by 174 other vulnerabilities. |
|
VCID-uq4k-4tyv-eyhj
Aliases: CVE-2020-28040 |
multiple issues |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-v7wt-k3sh-9ufa
Aliases: CVE-2014-5205 |
security update |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-vaef-vw1h-muev
Aliases: CVE-2015-2213 |
security update |
Affected by 174 other vulnerabilities. Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-vd4h-pkqz-7kb6
Aliases: CVE-2009-3622 |
WordPress: Resource exhaustion (DoS) |
Affected by 174 other vulnerabilities. |
|
VCID-veyq-tsgs-ufb1
Aliases: CVE-2017-6815 |
multiple issues |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-vnfn-3es8-eyhv
Aliases: DSA-3681-2 wordpress |
regression update |
Affected by 148 other vulnerabilities. |
|
VCID-vngq-cf5e-yyct
Aliases: CVE-2017-6817 |
multiple issues |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-vnuu-7v11-7yh5
Aliases: CVE-2017-9063 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-vpqu-x39r-dbdk
Aliases: CVE-2009-3890 |
Affected by 174 other vulnerabilities. |
|
|
VCID-vwgy-c4sv-e7aq
Aliases: CVE-2017-14719 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-w3yr-vg18-5khk
Aliases: CVE-2014-9039 |
security update |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-w4xp-2htc-mqck
Aliases: CVE-2013-5739 |
several |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-w4xr-b52f-73ea
Aliases: CVE-2012-6635 |
Affected by 174 other vulnerabilities. |
|
|
VCID-w71d-ama7-qubw
Aliases: CVE-2007-3238 |
Affected by 240 other vulnerabilities. |
|
|
VCID-w762-7spr-77cb
Aliases: CVE-2013-2201 |
several |
Affected by 174 other vulnerabilities. |
|
VCID-wa8k-ewab-6qag
Aliases: CVE-2013-5738 |
several |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-wafy-4qhc-guee
Aliases: CVE-2022-43497 |
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7. |
Affected by 3 other vulnerabilities. |
|
VCID-wfss-p57c-3fa8
Aliases: CVE-2007-1599 |
Affected by 240 other vulnerabilities. |
|
|
VCID-wh7d-sncc-n3c4
Aliases: CVE-2019-8942 |
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943. |
Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-wr7z-w4ur-byev
Aliases: CVE-2007-1894 |
Affected by 240 other vulnerabilities. |
|
|
VCID-wx2g-5edr-jubd
Aliases: CVE-2018-5776 |
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). |
Affected by 59 other vulnerabilities. |
|
VCID-x9ev-1f87-bue7
Aliases: CVE-2016-6897 |
Affected by 88 other vulnerabilities. |
|
|
VCID-x9pm-36c2-7kd9
Aliases: CVE-2010-5293 |
Affected by 174 other vulnerabilities. |
|
|
VCID-x9we-vp2y-9qdh
Aliases: CVE-2021-29476 GHSA-52qp-jpq7-6c54 |
Insecure Deserialization of untrusted data in rmccue/requests ### Impact Unserialization of untrusted data. ### Patches The issue has been patched and users of `Requests` 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0. ### References Publications about the vulnerability: * https://dannewitz.ninja/posts/php-unserialize-object-injection-yet-another-stars-rating-wordpress * https://github.com/ambionics/phpggc/issues/52 * https://blog.detectify.com/2019/07/23/improving-wordpress-plugin-security/ * https://i.blackhat.com/us-18/Thu-August-9/us-18-Thomas-Its-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf * https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf * https://2018.zeronights.ru/wp-content/uploads/materials/9%20ZN2018%20WV%20-%20PHP%20unserialize.pdf * https://medium.com/@knownsec404team/extend-the-attack-surface-of-php-deserialization-vulnerability-via-phar-d6455c6a1066#3c0f Originally fixed in WordPress 5.5.2: * https://github.com/WordPress/wordpress-develop/commit/add6bedf3a53b647d0ebda2970057912d3cd79d3 * https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/ Related Security Advisories: * https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28032 * https://nvd.nist.gov/vuln/detail/CVE-2020-28032 Notification to the Requests repo including a fix in: * https://github.com/rmccue/Requests/pull/421 and * https://github.com/rmccue/Requests/pull/422 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Request](https://github.com/WordPress/Requests/) |
Affected by 3 other vulnerabilities. |
|
VCID-xajj-1ppd-sqcz
Aliases: CVE-2007-1244 |
Affected by 240 other vulnerabilities. |
|
|
VCID-xf3n-mgfy-bycc
Aliases: CVE-2014-9037 |
security update |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-xmct-x7bt-quhy
Aliases: CVE-2022-21663 |
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-xnrd-rj56-6fd4
Aliases: CVE-2019-16781 |
In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-xrw6-wv27-tkde
Aliases: CVE-2021-39200 |
information disclosure |
Affected by 3 other vulnerabilities. |
|
VCID-xu9k-t2wj-q7hu
Aliases: CVE-2012-4421 |
Affected by 174 other vulnerabilities. |
|
|
VCID-y419-n42m-rfc3
Aliases: CVE-2007-3140 |
Affected by 240 other vulnerabilities. |
|
|
VCID-y57w-rjb7-hye3
Aliases: CVE-2020-28036 |
multiple issues |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-yeqr-2tdg-ykee
Aliases: CVE-2008-5278 |
wordpress-mu: XSS vulnerability in RSS Feed Generator |
Affected by 240 other vulnerabilities. |
|
VCID-ygc6-vcwe-4yfn
Aliases: CVE-2007-6013 |
wordpress cookie authentication vulnerability |
Affected by 240 other vulnerabilities. |
|
VCID-ypzf-m1km-1qgz
Aliases: CVE-2019-20041 |
wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-yqj5-6vfz-hkhf
Aliases: CVE-2016-2221 |
security update |
Affected by 174 other vulnerabilities. Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-yu7h-demq-6ug6
Aliases: CVE-2010-5294 |
Affected by 174 other vulnerabilities. |
|
|
VCID-yz1u-yb2e-cffp
Aliases: CVE-2014-9038 |
security update |
Affected by 174 other vulnerabilities. Affected by 150 other vulnerabilities. |
|
VCID-z8ek-exhy-qyb7
Aliases: CVE-2019-16217 |
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. |
Affected by 59 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-zanm-zu7v-c3c8
Aliases: CVE-2009-2335 |
wordpress: multiple vulnerabilities |
Affected by 174 other vulnerabilities. |
|
VCID-zb39-vsg2-37he
Aliases: CVE-2015-8834 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-zg4y-zsgw-3kew
Aliases: CVE-2008-0194 |
Affected by 240 other vulnerabilities. |
|
|
VCID-zgnv-gzjb-hqde
Aliases: CVE-2017-16510 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-zwdy-wx43-g7ed
Aliases: CVE-2013-2205 |
several |
Affected by 174 other vulnerabilities. |
|
VCID-zxf1-m5w3-2uhx
Aliases: CVE-2015-5730 |
security update |
Affected by 148 other vulnerabilities. Affected by 88 other vulnerabilities. |
|
VCID-zxyw-enyb-gyfq
Aliases: CVE-2010-5297 |
Affected by 174 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-nqt5-4w5a-v7a1 |
CVE-2008-0192
|