Search for packages
| purl | pkg:deb/debian/wordpress@3.6.1%2Bdfsg-1~deb6u4 |
| Next non-vulnerable version | 6.8.3+dfsg1-0+deb13u1 |
| Latest non-vulnerable version | 6.8.3+dfsg1-0+deb13u1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-12nz-jt4k-afdm
Aliases: CVE-2016-4029 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-198e-9yps-nqfz
Aliases: CVE-2017-5491 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-1axp-38yu-wua1
Aliases: CVE-2017-5489 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-1by8-54pr-ubcw
Aliases: CVE-2020-4046 |
In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
Affected by 7 other vulnerabilities. |
|
VCID-1j31-f88g-kfe7
Aliases: CVE-2021-29450 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-1tw6-axgs-f3hy
Aliases: CVE-2020-11027 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-1z8j-st48-qkgn
Aliases: CVE-2017-14718 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-251h-7yfd-sbdy
Aliases: CVE-2016-5835 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-2gqt-ngbw-xyby
Aliases: CVE-2022-21664 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-2hh2-akug-byew
Aliases: CVE-2014-9039 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-2jgs-b7r7-zygv
Aliases: CVE-2020-11030 |
In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). |
Affected by 7 other vulnerabilities. |
|
VCID-2rqp-572a-ufcr
Aliases: CVE-2015-3440 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-3171-8hu9-4uev
Aliases: CVE-2019-17675 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-32qc-zmsg-gfa4
Aliases: CVE-2015-5730 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-3572-tc84-pyhv
Aliases: CVE-2023-2745 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-3f5q-3k4x-aue9
Aliases: CVE-2017-1001000 |
The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI. |
Affected by 92 other vulnerabilities. |
|
VCID-3veg-k8v2-tyhr
Aliases: CVE-2019-17671 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-46dk-a282-8bf9
Aliases: CVE-2017-5612 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-47fm-x1rg-vbct
Aliases: CVE-2024-31210 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-47he-853j-8qdn
Aliases: CVE-2021-39200 |
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can then be used to perform actions on your behalf. This has been patched in WordPress 5.8.1, along with any older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix. |
Affected by 7 other vulnerabilities. |
|
VCID-4g2n-5v12-yuff
Aliases: CVE-2024-31111 |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9. |
Affected by 2 other vulnerabilities. |
|
VCID-4p1q-h56b-1qhj
Aliases: CVE-2015-3438 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-4ty5-fp9a-8qhg
Aliases: CVE-2019-16781 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-532z-9qbb-dyfw
Aliases: CVE-2025-58246 |
Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges required in order to exploit it. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30. |
Affected by 2 other vulnerabilities. |
|
VCID-5698-c229-bqc9
Aliases: CVE-2019-17670 |
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs. |
Affected by 7 other vulnerabilities. |
|
VCID-6cda-2819-puhp
Aliases: CVE-2016-7168 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-6ejh-nyh8-gqar
Aliases: CVE-2018-10100 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-6j54-w242-hfce
Aliases: CVE-2022-43504 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-6mkb-a89m-zfgs
Aliases: CVE-2013-4339 |
several |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-722f-e2hf-xyc9
Aliases: CVE-2023-5561 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-767p-btpd-tudb
Aliases: CVE-2019-17669 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-7hgx-yyw8-23cj
Aliases: CVE-2016-5836 |
The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors. |
Affected by 92 other vulnerabilities. |
|
VCID-7twj-axjh-rudj
Aliases: CVE-2017-17094 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-8kvg-dxb5-7uhx
Aliases: CVE-2015-3439 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-8mat-2mjd-7fgm
Aliases: CVE-2019-9787 |
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php. |
Affected by 7 other vulnerabilities. |
|
VCID-8ms9-r5pz-fkc3
Aliases: CVE-2014-5265 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-8rfd-k93s-qycc
Aliases: CVE-2017-14724 |
Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. |
Affected by 63 other vulnerabilities. |
|
VCID-9166-twpv-u3a9
Aliases: CVE-2018-20150 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-92fa-nrxb-e3gj
Aliases: CVE-2020-28032 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-95zd-g97m-ekh3
Aliases: CVE-2014-2053 GHSA-5v43-55m5-qr8f |
getID3 is vulnerable to XML External Entity (XXE) getID3() before 1.9.9, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-98e3-ffna-jfbs
Aliases: CVE-2019-17674 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-aesj-sy6k-57de
Aliases: CVE-2016-5833 |
Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834. |
Affected by 92 other vulnerabilities. |
|
VCID-agpu-husf-6be4
Aliases: CVE-2019-16217 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-ajrt-bhrw-k7an
Aliases: CVE-2019-16220 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-aup2-49ee-jkdf
Aliases: CVE-2019-16222 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-azsx-2ydf-zyag
Aliases: CVE-2020-4050 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-azyj-28v6-ufhg
Aliases: CVE-2021-39201 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-b8ex-3tnw-yuh8
Aliases: CVE-2018-10102 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-bb3n-jh6p-vfhm
Aliases: CVE-2022-21661 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-buuf-pyc5-ybcg
Aliases: CVE-2014-5203 |
wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to execute arbitrary code via crafted serialized data. |
Affected by 154 other vulnerabilities. |
|
VCID-c2ta-7w7f-kbed
Aliases: CVE-2019-16218 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-c62s-z1vc-nubq
Aliases: CVE-2017-14720 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-c9m4-z6x3-8ubj
Aliases: CVE-2015-8834 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-cce4-nh1p-f3gn
Aliases: CVE-2019-8942 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-cdj6-mgne-bkcs
Aliases: CVE-2016-6634 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-cg91-ww8b-jfep
Aliases: CVE-2013-5738 |
several |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-cuw7-7fmc-xbc1
Aliases: CVE-2017-5488 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-cwud-1n3k-rfcs
Aliases: CVE-2017-17092 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-d6e4-71uw-xyeb
Aliases: CVE-2016-10148 |
The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896. |
Affected by 92 other vulnerabilities. |
|
VCID-dkht-9n6n-fucn
Aliases: CVE-2017-14725 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-dw8d-4vse-jqbe
Aliases: CVE-2015-5734 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-dzgs-vwe3-fub1
Aliases: CVE-2019-20042 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-e1ss-azne-d7ha
Aliases: CVE-2017-6819 |
In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This. |
Affected by 92 other vulnerabilities. |
|
VCID-e37d-h1k6-sud6
Aliases: CVE-2017-14721 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-e8zy-mzdn-g7gz
Aliases: DSA-5279-2 wordpress |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-ejtq-a5ca-ffbu
Aliases: CVE-2019-16221 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-f8cq-auvz-7be1
Aliases: CVE-2016-5837 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-fcqu-11yk-h3af
Aliases: CVE-2018-20149 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-fd51-1hat-v3ee
Aliases: CVE-2017-17091 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-fkqw-vkvb-gydh
Aliases: CVE-2016-5832 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-fpwa-74w6-mugt
Aliases: CVE-2019-16780 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-fra3-hye6-kqh7
Aliases: CVE-2021-29476 GHSA-52qp-jpq7-6c54 |
Insecure Deserialization of untrusted data in rmccue/requests ### Impact Unserialization of untrusted data. ### Patches The issue has been patched and users of `Requests` 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0. ### References Publications about the vulnerability: * https://dannewitz.ninja/posts/php-unserialize-object-injection-yet-another-stars-rating-wordpress * https://github.com/ambionics/phpggc/issues/52 * https://blog.detectify.com/2019/07/23/improving-wordpress-plugin-security/ * https://i.blackhat.com/us-18/Thu-August-9/us-18-Thomas-Its-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf * https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf * https://2018.zeronights.ru/wp-content/uploads/materials/9%20ZN2018%20WV%20-%20PHP%20unserialize.pdf * https://medium.com/@knownsec404team/extend-the-attack-surface-of-php-deserialization-vulnerability-via-phar-d6455c6a1066#3c0f Originally fixed in WordPress 5.5.2: * https://github.com/WordPress/wordpress-develop/commit/add6bedf3a53b647d0ebda2970057912d3cd79d3 * https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/ Related Security Advisories: * https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28032 * https://nvd.nist.gov/vuln/detail/CVE-2020-28032 Notification to the Requests repo including a fix in: * https://github.com/rmccue/Requests/pull/421 and * https://github.com/rmccue/Requests/pull/422 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Request](https://github.com/WordPress/Requests/) |
Affected by 7 other vulnerabilities. |
|
VCID-fuma-nkmd-zkc1
Aliases: CVE-2019-17673 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-fykj-9gba-rqgn
Aliases: CVE-2014-9036 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-gakg-ky9v-ayej
Aliases: CVE-2016-6635 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-ggs8-1k6e-ebc8
Aliases: CVE-2015-7989 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-ghn9-muv6-17d7
Aliases: CVE-2017-14723 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-gwks-aqn7-mud4
Aliases: CVE-2017-9065 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-gy54-apzn-7kef
Aliases: CVE-2020-28036 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-h1fb-65br-93fb
Aliases: CVE-2016-5838 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-h5up-s13c-2ygg
Aliases: CVE-2022-43497 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-h97y-a92u-2fay
Aliases: CVE-2020-28040 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-hkp2-z1em-x3gu
Aliases: CVE-2017-16510 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-hndb-7b4f-7bbw
Aliases: CVE-2019-16223 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-hq5p-xuuk-33f7
Aliases: CVE-2016-9263 |
WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file. |
Affected by 154 other vulnerabilities. |
|
VCID-hrr1-ygkz-4bhd
Aliases: CVE-2013-4340 |
several |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-htec-cnsd-4ke4
Aliases: CVE-2022-21663 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-htr5-ugyh-7yaz
Aliases: CVE-2021-29447 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-j45z-kwz2-b7hn
Aliases: CVE-2014-9031 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-jf98-kean-p3b3
Aliases: CVE-2017-6818 |
In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. |
Affected by 92 other vulnerabilities. |
|
VCID-jjjw-sspg-q3c3
Aliases: CVE-2019-20041 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-jmx6-p5md-dycf
Aliases: CVE-2014-5266 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-jntp-tjnu-ekbk
Aliases: CVE-2016-2222 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-jr4w-6wqz-cbe3
Aliases: CVE-2014-0166 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-k52x-fa57-hkfk
Aliases: CVE-2019-16219 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-k6a1-ag3k-y7d1
Aliases: CVE-2017-9066 |
In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. |
Affected by 92 other vulnerabilities. |
|
VCID-kk83-bnn5-tuar
Aliases: CVE-2020-4048 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-kkqs-rbpz-wqhf
Aliases: CVE-2015-5733 |
Cross-site scripting (XSS) vulnerability in the refreshAdvancedAccessibilityOfItem function in wp-admin/js/nav-menu.js in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via an accessibility-helper title. |
Affected by 92 other vulnerabilities. |
|
VCID-kn9s-5v5u-d3fj
Aliases: CVE-2019-20043 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-kpem-j9we-vufs
Aliases: CVE-2017-5492 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-ksx9-t81e-pkb3
Aliases: CVE-2014-9038 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-kybz-d1hv-g3ae
Aliases: CVE-2013-4338 |
several |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-kyzb-5kb1-j7cf
Aliases: CVE-2016-1564 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-m8mf-t2td-67h7
Aliases: CVE-2024-6307 |
WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
Affected by 2 other vulnerabilities. |
|
VCID-mfvf-n63j-cfaf
Aliases: CVE-2014-9034 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-msku-2thw-jfat
Aliases: CVE-2013-5739 |
several |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-mu7j-73tw-xbc6
Aliases: CVE-2015-2213 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-n7ne-unru-7fhn
Aliases: CVE-2020-28035 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-ng4k-69hk-9ueu
Aliases: CVE-2017-14990 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-ngkc-cwzj-nbdk
Aliases: CVE-2020-28033 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-nj6g-ewk1-r7f1
Aliases: CVE-2016-4566 |
Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack. |
Affected by 92 other vulnerabilities. |
|
VCID-ns2b-cr6m-t7gq
Aliases: CVE-2015-5732 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-ny68-2wje-q3df
Aliases: CVE-2018-20153 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-p1c8-hj6e-mkg4
Aliases: CVE-2014-5204 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-pb81-1zfe-hqfb
Aliases: CVE-2016-5834 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-pd4w-3ttq-9yfs
Aliases: CVE-2014-9035 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-pkjb-8649-fqd2
Aliases: CVE-2020-28034 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-psca-f78j-hbc2
Aliases: CVE-2020-28039 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-pyzc-scrd-bufa
Aliases: CVE-2020-11025 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-pz3b-294m-nqfn
Aliases: CVE-2018-10101 |
Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. |
Affected by 63 other vulnerabilities. |
|
VCID-q146-rfqv-1ych
Aliases: CVE-2017-14719 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-q84d-utmc-g3fn
Aliases: CVE-2020-25286 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-q9xz-t5cc-2uf7
Aliases: CVE-2015-5715 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-qpsj-hsmm-6qa8
Aliases: CVE-2017-6816 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-qu9h-p3s6-8bd2
Aliases: CVE-2017-17093 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-r4qy-1wa6-t7gh
Aliases: CVE-2019-17672 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-r5u7-bft7-6bd3
Aliases: CVE-2017-8295 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-rcvm-b2u5-43dc
Aliases: CVE-2016-6897 |
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896. |
Affected by 92 other vulnerabilities. |
|
VCID-re92-3yew-1bft
Aliases: CVE-2014-9037 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-ruuu-vphs-5qap
Aliases: CVE-2014-5240 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-rz89-bchd-zqge
Aliases: CVE-2014-9033 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-sany-su2d-73cn
Aliases: CVE-2017-5487 |
wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request. |
Affected by 92 other vulnerabilities. |
|
VCID-sh9a-167m-57cw
Aliases: CVE-2015-5622 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-srjh-2qnk-e7c6
Aliases: CVE-2017-6817 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-sszr-mn9y-kkhg
Aliases: CVE-2022-4973 |
WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page. |
Affected by 7 other vulnerabilities. |
|
VCID-swnk-8ave-bff2
Aliases: CVE-2018-20148 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-t4fg-hrp7-c7h9
Aliases: CVE-2018-5776 |
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). |
Affected by 63 other vulnerabilities. |
|
VCID-t864-vrfz-rbgb
Aliases: DSA-3681-2 wordpress |
regression update |
Affected by 152 other vulnerabilities. |
|
VCID-tc97-uxfe-rqdc
Aliases: CVE-2014-5205 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-tcbf-ura1-mbfv
Aliases: CVE-2014-9032 |
Cross-site scripting (XSS) vulnerability in the media-playlists feature in WordPress before 3.9.x before 3.9.3 and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
Affected by 154 other vulnerabilities. |
|
VCID-tf2e-bgq5-9ff5
Aliases: CVE-2017-5611 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-tf2u-dse2-mufb
Aliases: CVE-2017-6814 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-tffx-7mmd-gkcf
Aliases: CVE-2020-28038 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-tgfm-2c63-d7dk
Aliases: CVE-2020-4049 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-trn4-a55k-sqad
Aliases: CVE-2017-5490 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-ttaw-fpb8-27hp
Aliases: CVE-2016-2221 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-u1fw-ahar-8uc1
Aliases: CVE-2020-4047 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-u4ef-4sne-tbeg
Aliases: CVE-2018-20147 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-ujms-xfg5-77e8
Aliases: CVE-2016-6896 |
Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool. |
Affected by 92 other vulnerabilities. |
|
VCID-v2xf-n28d-kfcx
Aliases: CVE-2018-12895 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-v5s7-vwe3-5bak
Aliases: CVE-2020-11029 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-v7ph-mtd1-y3e1
Aliases: CVE-2022-43500 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-vg54-wjcw-fuh4
Aliases: CVE-2017-5610 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-vj6y-1qup-jubg
Aliases: CVE-2017-5493 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-vywc-p4tw-8yd2
Aliases: CVE-2017-6815 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-w7r4-c8yh-hkbc
Aliases: CVE-2017-9061 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-w8w1-e5zu-ffgx
Aliases: CVE-2020-11026 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-wenb-bpws-mkar
Aliases: CVE-2020-11028 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-x5g3-2yvt-xkfm
Aliases: CVE-2017-9062 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-x733-wwnx-c7fv
Aliases: CVE-2017-1000600 |
WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. This issue appears to have been partially, but not completely fixed in WordPress 4.9 |
Affected by 63 other vulnerabilities. |
|
VCID-x7aj-4qxd-rkcu
Aliases: CVE-2017-14726 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-x89y-av45-ufgh
Aliases: CVE-2014-0165 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-xd4w-ak3v-dybq
Aliases: CVE-2018-20151 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-xfxs-pjex-3bh3
Aliases: CVE-2023-39999 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-xg1e-yjwb-r3h4
Aliases: CVE-2015-5714 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-xwgs-bt6t-qfbh
Aliases: CVE-2015-5623 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-xzu6-fn31-43ej
Aliases: CVE-2022-21662 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-yees-gysw-d3cx
Aliases: CVE-2016-5839 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-z4g5-m3kv-93e3
Aliases: CVE-2017-9063 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-z8gv-sec9-xbam
Aliases: CVE-2017-14722 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-zdhg-b334-ryat
Aliases: DSA-3332-2 wordpress |
regression update |
Affected by 152 other vulnerabilities. |
|
VCID-zebg-ku4f-dbgk
Aliases: CVE-2015-3429 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-zhsu-sye9-mkaz
Aliases: CVE-2017-9064 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-zj9a-shru-e7gs
Aliases: CVE-2025-58674 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30. |
Affected by 2 other vulnerabilities. |
|
VCID-zmhc-4gku-13ga
Aliases: CVE-2020-28037 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-znb5-qcr5-pqaf
Aliases: CVE-2018-20152 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-zyqs-75ad-8kcd
Aliases: CVE-2016-7169 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-zzcw-snrs-kygh
Aliases: CVE-2015-5731 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-14w4-eqhq-zuhu | A flaw exists in Wordpress related to the 'wp-admin/press-this.php 'script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'publish_posts' permission. |
CVE-2011-1762
|
| VCID-1hu7-2yjp-m7b8 | Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Various security hardening." |
CVE-2011-3125
|
| VCID-27hh-rxke-cfan | wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspecified vectors. |
CVE-2012-2402
|
| VCID-2b99-baqh-3ker | Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
CVE-2012-3384
|
| VCID-2h1g-qy4e-rkhb | Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Media security." |
CVE-2011-3122
|
| VCID-2s1y-35gq-vyh5 | several |
CVE-2013-2200
|
| VCID-4cs6-n1vc-13cd | wordpress: multiple vulnerabilities |
CVE-2009-2336
|
| VCID-4h9a-f492-cqgx | wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin changes by leveraging the Administrator role. |
CVE-2012-4422
|
| VCID-5d4e-5ngu-mfgy | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The KSES text cleaning filter in lib/weblib.php in Moodle before 1.8.13 and 1.9.x before 1.9.9 does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input. |
CVE-2010-2230
GHSA-3gm8-32vv-q8mp |
| VCID-5q3r-v8z7-x3f8 | The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role. |
CVE-2010-5106
|
| VCID-5v95-fhhm-33an | WordPress 2.9 before 2.9.2 allows remote authenticated users to read trash posts from other authors via a direct request with a modified p parameter. |
CVE-2010-0682
|
| VCID-6d1g-aj3f-3kav | Multiple cross-site scripting (XSS) vulnerabilities in the request_filesystem_credentials function in wp-admin/includes/file.php in WordPress before 3.0.2 allow remote servers to inject arbitrary web script or HTML by providing a crafted error message for a (1) FTP or (2) SSH connection attempt. |
CVE-2010-5294
|
| VCID-6jxp-68cd-37db | Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a different vulnerability than CVE-2012-3414. |
CVE-2012-2399
|
| VCID-7hh4-ex15-9uh9 | WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 does not prevent rendering for (1) admin or (2) login pages inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. |
CVE-2011-3127
|
| VCID-7wx9-apzc-qqar | wordpress: multiple vulnerabilities |
CVE-2009-2334
|
| VCID-8hdt-8gc7-4kgg | wp-admin/media-upload.php in WordPress before 3.3.3 allows remote attackers to obtain sensitive information or bypass intended media-attachment restrictions via a post_id value. |
CVE-2012-6634
|
| VCID-8n5j-65xk-wqbp | Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additions via a direct request to (1) edit-comments.php, (2) edit-pages.php, (3) edit.php, (4) edit-category-form.php, (5) edit-link-category-form.php, (6) edit-tag-form.php, (7) export.php, (8) import.php, or (9) link-add.php in wp-admin/. |
CVE-2009-2854
|
| VCID-9dcr-4f3a-myfs | wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action. |
CVE-2010-5296
|
| VCID-9t3e-tq9t-7qay | WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 allows remote attackers to determine usernames of non-authors via canonical redirects. |
CVE-2011-3126
|
| VCID-9zbn-b1sp-buan | WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 treats unattached attachments as published, which might allow remote attackers to obtain sensitive data via vectors related to wp-includes/post.php. |
CVE-2011-3128
|
| VCID-ajbz-j6qz-vua9 | Wordpress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6) edit-link-form.php, (7) edit-page-form.php, and (8) edit-tag-form.php in wp-admin/. |
CVE-2009-2853
|
| VCID-b4h4-1gys-uqcc | wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to upgrade the application, and possibly cause a denial of service (application outage), via a direct request. |
CVE-2008-6767
|
| VCID-bj42-unmz-w3ht | Cross-site scripting (XSS) vulnerability in wp-includes/default-filters.php in WordPress before 3.3.3 allows remote attackers to inject arbitrary web script or HTML via an editable slug field. |
CVE-2012-6633
|
| VCID-dg97-fkvm-rqh2 | SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field. |
CVE-2010-4257
|
| VCID-e1ud-yfqb-4kca | The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature. |
CVE-2012-4421
|
| VCID-e8s1-sduw-a7aa | several |
CVE-2013-2173
|
| VCID-fdtx-uggj-ybby | The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls. |
CVE-2011-4957
|
| VCID-fmzm-hb5j-dyfe | several |
CVE-2013-2203
|
| VCID-fqna-8mh3-rkd8 | Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action. |
CVE-2012-4448
|
| VCID-fzyt-wpgd-byh1 | Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or post_title), (2) post_status, (3) comment_status, (4) ping_status, and (5) escaping of tags within the tags meta box. |
CVE-2011-0700
|
| VCID-gz89-rnrc-2ubc | wp-includes/formatting.php in WordPress before 3.3.2 attempts to enable clickable links inside attributes, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. |
CVE-2012-2403
|
| VCID-h2mz-4fad-9qdj | Cross-site scripting (XSS) vulnerability in wp-admin/plugins.php in WordPress before 3.0.2 might allow remote attackers to inject arbitrary web script or HTML via a plugin's author field, which is not properly handled during a Delete Plugin action. |
CVE-2010-5295
|
| VCID-hjhs-79fd-xff1 | wp-comments-post.php in WordPress before 3.3.2 supports offsite redirects, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. |
CVE-2012-2404
|
| VCID-hx1m-3ehs-pudy | Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content. |
CVE-2012-2401
|
| VCID-hxky-9sa6-4udb | Cross-site scripting (XSS) vulnerability in wp-comments-post.php in WordPress 3.3.x before 3.3.1, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via the query string in a POST operation that is not properly handled by the "Duplicate comment detected" feature. |
CVE-2012-0287
|
| VCID-hyae-gf44-4qaa | several |
CVE-2013-2199
|
| VCID-janm-1e9e-abb5 | WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or contributors to obtain sensitive information via unknown vectors. |
CVE-2012-3385
|
| VCID-juwh-zmez-dfhy | Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode plupload before 1.5.5, as used in WordPress before 3.5.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the id parameter. |
CVE-2013-0237
|
| VCID-kdb9-npxe-tyc4 | WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add action after a temporary change. |
CVE-2010-5297
|
| VCID-meg6-wfw8-63cn | Unrestricted file upload vulnerability in the wp_check_filetype function in wp-includes/functions.php in WordPress before 2.8.6, when a certain configuration of the mod_mime module in the Apache HTTP Server is enabled, allows remote authenticated users to execute arbitrary code by posting an attachment with a multiple-extension filename, and then accessing this attachment via a direct request to a wp-content/uploads/ pathname, as demonstrated by a .php.jpg filename. |
CVE-2009-3890
|
| VCID-nrq5-a7qq-mucd | Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) gallery shortcodes or (2) the content of a post. |
CVE-2013-0236
|
| VCID-p4r5-fz39-hkej | The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue. |
CVE-2013-0235
|
| VCID-pwgx-qq3w-5baf | WordPress: Resource exhaustion (DoS) |
CVE-2009-3622
|
| VCID-q527-42sm-x7fz | Unspecified vulnerability in wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown impact and attack vectors. |
CVE-2012-2400
|
| VCID-qj5d-cu2t-efah | Open redirect vulnerability in wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backto parameter. |
CVE-2008-6762
|
| VCID-qjdf-s39r-5bdb | PHP Spellchecker addon for TinyMCE allows attackers to trigger arbitrary outbound HTTP requests classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 and other products, does not properly handle control characters, which allows remote attackers to trigger arbitrary outbound HTTP requests via a crafted string. |
CVE-2012-6112
GHSA-fx5h-3786-h2w6 |
| VCID-qwk7-gv3y-97ck | several |
CVE-2013-2202
|
| VCID-t4mw-4vck-d7ek | The file upload functionality in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2, when running "on hosts with dangerous security settings," has unknown impact and attack vectors, possibly related to dangerous filenames. |
CVE-2011-3129
|
| VCID-tr8v-5ee5-aqfp | The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not properly assign the unfiltered_html capability, which allows remote authenticated users to bypass intended access restrictions and conduct cross-site scripting (XSS) attacks by leveraging the Administrator or Editor role and composing crafted text. |
CVE-2012-3383
|
| VCID-ufsd-zp75-u3h7 | wp-admin/press-this.php in WordPress before 3.0.6 does not enforce the publish_posts capability requirement, which allows remote authenticated users to perform publish actions by leveraging the Contributor role. |
CVE-2011-5270
|
| VCID-uja6-g5w2-1qd2 | several |
CVE-2013-2204
|
| VCID-uymd-e4m2-muem | wordpress: multiple vulnerabilities |
CVE-2009-2431
|
| VCID-v8by-vn2q-r7gx | wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2) private posts via a modified attachment_id parameter. |
CVE-2011-0701
|
| VCID-vhnc-k9yw-cuar | wp-includes/comment.php in WordPress before 3.0.2 does not properly whitelist trackbacks and pingbacks in the blogroll, which allows remote attackers to bypass intended spam restrictions via a crafted URL, as demonstrated by a URL that triggers a substring match. |
CVE-2010-5293
|
| VCID-vr2c-p6jy-3bb9 | several |
CVE-2013-2205
|
| VCID-vs2q-hgzx-jkgk | Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
CVE-2011-4956
|
| VCID-vvb8-5w2s-euc2 | several |
CVE-2013-2201
|
| VCID-xsz3-bme6-ubfn | WordPress: XSS via unescaped HTML URLs as author comments in the admin page |
CVE-2009-2851
|
| VCID-y1em-tppz-7qew | Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used in WordPress before 3.0.4, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the & (ampersand) character, (2) the case of an attribute name, (3) a padded entity, and (4) an entity that is not in normalized form. |
CVE-2010-4536
|
| VCID-y2jb-7zbk-27cg | Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function. |
CVE-2012-3414
|
| VCID-y72f-vtf2-2fat | wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array. |
CVE-2009-2762
|
| VCID-ymp4-217x-6ub4 | wordpress: multiple vulnerabilities |
CVE-2009-2432
|
| VCID-ys9t-dsgg-zbff | Cross-site scripting (XSS) vulnerability in wp-admin/press-this.php in WordPress before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML via the s parameter (aka the selection variable). |
CVE-2009-3891
|
| VCID-znav-bux7-7qd2 | wp-admin/includes/class-wp-posts-list-table.php in WordPress before 3.3.3 does not properly restrict excerpt-view access, which allows remote authenticated users to obtain sensitive information by visiting a draft. |
CVE-2012-6635
|
| VCID-ztfv-xfxe-kket | wordpress: multiple vulnerabilities |
CVE-2009-2335
|
| VCID-zvnm-b6n7-1kbx | wp-includes/taxonomy.php in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Taxonomy query hardening," possibly involving SQL injection. |
CVE-2011-3130
|