Search for packages
| purl | pkg:deb/debian/wordpress@3.6.1%2Bdfsg-1~deb6u9 |
| Next non-vulnerable version | 6.8.3+dfsg1-0+deb13u1 |
| Latest non-vulnerable version | 6.8.3+dfsg1-0+deb13u1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-12nz-jt4k-afdm
Aliases: CVE-2016-4029 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-198e-9yps-nqfz
Aliases: CVE-2017-5491 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-1axp-38yu-wua1
Aliases: CVE-2017-5489 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-1by8-54pr-ubcw
Aliases: CVE-2020-4046 |
In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
Affected by 7 other vulnerabilities. |
|
VCID-1j31-f88g-kfe7
Aliases: CVE-2021-29450 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-1tw6-axgs-f3hy
Aliases: CVE-2020-11027 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-1z8j-st48-qkgn
Aliases: CVE-2017-14718 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-251h-7yfd-sbdy
Aliases: CVE-2016-5835 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-2gqt-ngbw-xyby
Aliases: CVE-2022-21664 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-2hh2-akug-byew
Aliases: CVE-2014-9039 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-2jgs-b7r7-zygv
Aliases: CVE-2020-11030 |
In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). |
Affected by 7 other vulnerabilities. |
|
VCID-2rqp-572a-ufcr
Aliases: CVE-2015-3440 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-3171-8hu9-4uev
Aliases: CVE-2019-17675 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-32qc-zmsg-gfa4
Aliases: CVE-2015-5730 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-3572-tc84-pyhv
Aliases: CVE-2023-2745 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-3f5q-3k4x-aue9
Aliases: CVE-2017-1001000 |
The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI. |
Affected by 92 other vulnerabilities. |
|
VCID-3veg-k8v2-tyhr
Aliases: CVE-2019-17671 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-46dk-a282-8bf9
Aliases: CVE-2017-5612 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-47fm-x1rg-vbct
Aliases: CVE-2024-31210 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-47he-853j-8qdn
Aliases: CVE-2021-39200 |
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can then be used to perform actions on your behalf. This has been patched in WordPress 5.8.1, along with any older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix. |
Affected by 7 other vulnerabilities. |
|
VCID-4g2n-5v12-yuff
Aliases: CVE-2024-31111 |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9. |
Affected by 2 other vulnerabilities. |
|
VCID-4p1q-h56b-1qhj
Aliases: CVE-2015-3438 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-4ty5-fp9a-8qhg
Aliases: CVE-2019-16781 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-532z-9qbb-dyfw
Aliases: CVE-2025-58246 |
Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges required in order to exploit it. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30. |
Affected by 2 other vulnerabilities. |
|
VCID-5698-c229-bqc9
Aliases: CVE-2019-17670 |
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs. |
Affected by 7 other vulnerabilities. |
|
VCID-6cda-2819-puhp
Aliases: CVE-2016-7168 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-6ejh-nyh8-gqar
Aliases: CVE-2018-10100 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-6j54-w242-hfce
Aliases: CVE-2022-43504 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-6mkb-a89m-zfgs
Aliases: CVE-2013-4339 |
several |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-722f-e2hf-xyc9
Aliases: CVE-2023-5561 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-767p-btpd-tudb
Aliases: CVE-2019-17669 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-7hgx-yyw8-23cj
Aliases: CVE-2016-5836 |
The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors. |
Affected by 92 other vulnerabilities. |
|
VCID-7twj-axjh-rudj
Aliases: CVE-2017-17094 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-8kvg-dxb5-7uhx
Aliases: CVE-2015-3439 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-8mat-2mjd-7fgm
Aliases: CVE-2019-9787 |
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php. |
Affected by 7 other vulnerabilities. |
|
VCID-8ms9-r5pz-fkc3
Aliases: CVE-2014-5265 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-8rfd-k93s-qycc
Aliases: CVE-2017-14724 |
Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. |
Affected by 63 other vulnerabilities. |
|
VCID-9166-twpv-u3a9
Aliases: CVE-2018-20150 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-92fa-nrxb-e3gj
Aliases: CVE-2020-28032 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-95zd-g97m-ekh3
Aliases: CVE-2014-2053 GHSA-5v43-55m5-qr8f |
getID3 is vulnerable to XML External Entity (XXE) getID3() before 1.9.9, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-98e3-ffna-jfbs
Aliases: CVE-2019-17674 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-aesj-sy6k-57de
Aliases: CVE-2016-5833 |
Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834. |
Affected by 92 other vulnerabilities. |
|
VCID-agpu-husf-6be4
Aliases: CVE-2019-16217 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-ajrt-bhrw-k7an
Aliases: CVE-2019-16220 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-aup2-49ee-jkdf
Aliases: CVE-2019-16222 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-azsx-2ydf-zyag
Aliases: CVE-2020-4050 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-azyj-28v6-ufhg
Aliases: CVE-2021-39201 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-b8ex-3tnw-yuh8
Aliases: CVE-2018-10102 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-bb3n-jh6p-vfhm
Aliases: CVE-2022-21661 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-buuf-pyc5-ybcg
Aliases: CVE-2014-5203 |
wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to execute arbitrary code via crafted serialized data. |
Affected by 154 other vulnerabilities. |
|
VCID-c2ta-7w7f-kbed
Aliases: CVE-2019-16218 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-c62s-z1vc-nubq
Aliases: CVE-2017-14720 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-c9m4-z6x3-8ubj
Aliases: CVE-2015-8834 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-cce4-nh1p-f3gn
Aliases: CVE-2019-8942 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-cdj6-mgne-bkcs
Aliases: CVE-2016-6634 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-cg91-ww8b-jfep
Aliases: CVE-2013-5738 |
several |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-cuw7-7fmc-xbc1
Aliases: CVE-2017-5488 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-cwud-1n3k-rfcs
Aliases: CVE-2017-17092 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-d6e4-71uw-xyeb
Aliases: CVE-2016-10148 |
The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896. |
Affected by 92 other vulnerabilities. |
|
VCID-dkht-9n6n-fucn
Aliases: CVE-2017-14725 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-dw8d-4vse-jqbe
Aliases: CVE-2015-5734 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-dzgs-vwe3-fub1
Aliases: CVE-2019-20042 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-e1ss-azne-d7ha
Aliases: CVE-2017-6819 |
In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This. |
Affected by 92 other vulnerabilities. |
|
VCID-e37d-h1k6-sud6
Aliases: CVE-2017-14721 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-e8zy-mzdn-g7gz
Aliases: DSA-5279-2 wordpress |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-ejtq-a5ca-ffbu
Aliases: CVE-2019-16221 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-f8cq-auvz-7be1
Aliases: CVE-2016-5837 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-fcqu-11yk-h3af
Aliases: CVE-2018-20149 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-fd51-1hat-v3ee
Aliases: CVE-2017-17091 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-fkqw-vkvb-gydh
Aliases: CVE-2016-5832 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-fpwa-74w6-mugt
Aliases: CVE-2019-16780 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-fra3-hye6-kqh7
Aliases: CVE-2021-29476 GHSA-52qp-jpq7-6c54 |
Insecure Deserialization of untrusted data in rmccue/requests ### Impact Unserialization of untrusted data. ### Patches The issue has been patched and users of `Requests` 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0. ### References Publications about the vulnerability: * https://dannewitz.ninja/posts/php-unserialize-object-injection-yet-another-stars-rating-wordpress * https://github.com/ambionics/phpggc/issues/52 * https://blog.detectify.com/2019/07/23/improving-wordpress-plugin-security/ * https://i.blackhat.com/us-18/Thu-August-9/us-18-Thomas-Its-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf * https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf * https://2018.zeronights.ru/wp-content/uploads/materials/9%20ZN2018%20WV%20-%20PHP%20unserialize.pdf * https://medium.com/@knownsec404team/extend-the-attack-surface-of-php-deserialization-vulnerability-via-phar-d6455c6a1066#3c0f Originally fixed in WordPress 5.5.2: * https://github.com/WordPress/wordpress-develop/commit/add6bedf3a53b647d0ebda2970057912d3cd79d3 * https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/ Related Security Advisories: * https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28032 * https://nvd.nist.gov/vuln/detail/CVE-2020-28032 Notification to the Requests repo including a fix in: * https://github.com/rmccue/Requests/pull/421 and * https://github.com/rmccue/Requests/pull/422 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Request](https://github.com/WordPress/Requests/) |
Affected by 7 other vulnerabilities. |
|
VCID-fuma-nkmd-zkc1
Aliases: CVE-2019-17673 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-fykj-9gba-rqgn
Aliases: CVE-2014-9036 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-gakg-ky9v-ayej
Aliases: CVE-2016-6635 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-ggs8-1k6e-ebc8
Aliases: CVE-2015-7989 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-ghn9-muv6-17d7
Aliases: CVE-2017-14723 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-gwks-aqn7-mud4
Aliases: CVE-2017-9065 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-gy54-apzn-7kef
Aliases: CVE-2020-28036 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-h1fb-65br-93fb
Aliases: CVE-2016-5838 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-h5up-s13c-2ygg
Aliases: CVE-2022-43497 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-h97y-a92u-2fay
Aliases: CVE-2020-28040 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-hkp2-z1em-x3gu
Aliases: CVE-2017-16510 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-hndb-7b4f-7bbw
Aliases: CVE-2019-16223 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-hq5p-xuuk-33f7
Aliases: CVE-2016-9263 |
WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file. |
Affected by 154 other vulnerabilities. |
|
VCID-hrr1-ygkz-4bhd
Aliases: CVE-2013-4340 |
several |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-htec-cnsd-4ke4
Aliases: CVE-2022-21663 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-htr5-ugyh-7yaz
Aliases: CVE-2021-29447 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-j45z-kwz2-b7hn
Aliases: CVE-2014-9031 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-jf98-kean-p3b3
Aliases: CVE-2017-6818 |
In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. |
Affected by 92 other vulnerabilities. |
|
VCID-jjjw-sspg-q3c3
Aliases: CVE-2019-20041 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-jmx6-p5md-dycf
Aliases: CVE-2014-5266 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-jntp-tjnu-ekbk
Aliases: CVE-2016-2222 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-jr4w-6wqz-cbe3
Aliases: CVE-2014-0166 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-k52x-fa57-hkfk
Aliases: CVE-2019-16219 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-k6a1-ag3k-y7d1
Aliases: CVE-2017-9066 |
In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. |
Affected by 92 other vulnerabilities. |
|
VCID-kk83-bnn5-tuar
Aliases: CVE-2020-4048 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-kkqs-rbpz-wqhf
Aliases: CVE-2015-5733 |
Cross-site scripting (XSS) vulnerability in the refreshAdvancedAccessibilityOfItem function in wp-admin/js/nav-menu.js in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via an accessibility-helper title. |
Affected by 92 other vulnerabilities. |
|
VCID-kn9s-5v5u-d3fj
Aliases: CVE-2019-20043 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-kpem-j9we-vufs
Aliases: CVE-2017-5492 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-ksx9-t81e-pkb3
Aliases: CVE-2014-9038 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-kybz-d1hv-g3ae
Aliases: CVE-2013-4338 |
several |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-kyzb-5kb1-j7cf
Aliases: CVE-2016-1564 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-m8mf-t2td-67h7
Aliases: CVE-2024-6307 |
WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
Affected by 2 other vulnerabilities. |
|
VCID-mfvf-n63j-cfaf
Aliases: CVE-2014-9034 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-msku-2thw-jfat
Aliases: CVE-2013-5739 |
several |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-mu7j-73tw-xbc6
Aliases: CVE-2015-2213 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-n7ne-unru-7fhn
Aliases: CVE-2020-28035 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-ng4k-69hk-9ueu
Aliases: CVE-2017-14990 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-ngkc-cwzj-nbdk
Aliases: CVE-2020-28033 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-nj6g-ewk1-r7f1
Aliases: CVE-2016-4566 |
Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack. |
Affected by 92 other vulnerabilities. |
|
VCID-ns2b-cr6m-t7gq
Aliases: CVE-2015-5732 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-ny68-2wje-q3df
Aliases: CVE-2018-20153 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-p1c8-hj6e-mkg4
Aliases: CVE-2014-5204 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-pb81-1zfe-hqfb
Aliases: CVE-2016-5834 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-pd4w-3ttq-9yfs
Aliases: CVE-2014-9035 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-pkjb-8649-fqd2
Aliases: CVE-2020-28034 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-psca-f78j-hbc2
Aliases: CVE-2020-28039 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-pyzc-scrd-bufa
Aliases: CVE-2020-11025 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-pz3b-294m-nqfn
Aliases: CVE-2018-10101 |
Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. |
Affected by 63 other vulnerabilities. |
|
VCID-q146-rfqv-1ych
Aliases: CVE-2017-14719 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-q84d-utmc-g3fn
Aliases: CVE-2020-25286 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-q9xz-t5cc-2uf7
Aliases: CVE-2015-5715 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-qpsj-hsmm-6qa8
Aliases: CVE-2017-6816 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-qu9h-p3s6-8bd2
Aliases: CVE-2017-17093 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-r4qy-1wa6-t7gh
Aliases: CVE-2019-17672 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-r5u7-bft7-6bd3
Aliases: CVE-2017-8295 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-rcvm-b2u5-43dc
Aliases: CVE-2016-6897 |
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896. |
Affected by 92 other vulnerabilities. |
|
VCID-re92-3yew-1bft
Aliases: CVE-2014-9037 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-ruuu-vphs-5qap
Aliases: CVE-2014-5240 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-rz89-bchd-zqge
Aliases: CVE-2014-9033 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-sany-su2d-73cn
Aliases: CVE-2017-5487 |
wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request. |
Affected by 92 other vulnerabilities. |
|
VCID-sh9a-167m-57cw
Aliases: CVE-2015-5622 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-srjh-2qnk-e7c6
Aliases: CVE-2017-6817 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-sszr-mn9y-kkhg
Aliases: CVE-2022-4973 |
WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page. |
Affected by 7 other vulnerabilities. |
|
VCID-swnk-8ave-bff2
Aliases: CVE-2018-20148 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-t4fg-hrp7-c7h9
Aliases: CVE-2018-5776 |
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). |
Affected by 63 other vulnerabilities. |
|
VCID-t864-vrfz-rbgb
Aliases: DSA-3681-2 wordpress |
regression update |
Affected by 152 other vulnerabilities. |
|
VCID-tc97-uxfe-rqdc
Aliases: CVE-2014-5205 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-tcbf-ura1-mbfv
Aliases: CVE-2014-9032 |
Cross-site scripting (XSS) vulnerability in the media-playlists feature in WordPress before 3.9.x before 3.9.3 and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
Affected by 154 other vulnerabilities. |
|
VCID-tf2e-bgq5-9ff5
Aliases: CVE-2017-5611 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-tf2u-dse2-mufb
Aliases: CVE-2017-6814 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-tffx-7mmd-gkcf
Aliases: CVE-2020-28038 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-tgfm-2c63-d7dk
Aliases: CVE-2020-4049 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-trn4-a55k-sqad
Aliases: CVE-2017-5490 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-ttaw-fpb8-27hp
Aliases: CVE-2016-2221 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-u1fw-ahar-8uc1
Aliases: CVE-2020-4047 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-u4ef-4sne-tbeg
Aliases: CVE-2018-20147 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-ujms-xfg5-77e8
Aliases: CVE-2016-6896 |
Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool. |
Affected by 92 other vulnerabilities. |
|
VCID-v2xf-n28d-kfcx
Aliases: CVE-2018-12895 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-v5s7-vwe3-5bak
Aliases: CVE-2020-11029 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-v7ph-mtd1-y3e1
Aliases: CVE-2022-43500 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-vg54-wjcw-fuh4
Aliases: CVE-2017-5610 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-vj6y-1qup-jubg
Aliases: CVE-2017-5493 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-vywc-p4tw-8yd2
Aliases: CVE-2017-6815 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-w7r4-c8yh-hkbc
Aliases: CVE-2017-9061 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-w8w1-e5zu-ffgx
Aliases: CVE-2020-11026 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-wenb-bpws-mkar
Aliases: CVE-2020-11028 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-x5g3-2yvt-xkfm
Aliases: CVE-2017-9062 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-x733-wwnx-c7fv
Aliases: CVE-2017-1000600 |
WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. This issue appears to have been partially, but not completely fixed in WordPress 4.9 |
Affected by 63 other vulnerabilities. |
|
VCID-x7aj-4qxd-rkcu
Aliases: CVE-2017-14726 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-x89y-av45-ufgh
Aliases: CVE-2014-0165 |
security update |
Affected by 178 other vulnerabilities. Affected by 154 other vulnerabilities. |
|
VCID-xd4w-ak3v-dybq
Aliases: CVE-2018-20151 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-xfxs-pjex-3bh3
Aliases: CVE-2023-39999 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-xg1e-yjwb-r3h4
Aliases: CVE-2015-5714 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-xwgs-bt6t-qfbh
Aliases: CVE-2015-5623 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-xzu6-fn31-43ej
Aliases: CVE-2022-21662 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-yees-gysw-d3cx
Aliases: CVE-2016-5839 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-z4g5-m3kv-93e3
Aliases: CVE-2017-9063 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-z8gv-sec9-xbam
Aliases: CVE-2017-14722 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-zdhg-b334-ryat
Aliases: DSA-3332-2 wordpress |
regression update |
Affected by 152 other vulnerabilities. |
|
VCID-zebg-ku4f-dbgk
Aliases: CVE-2015-3429 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-zhsu-sye9-mkaz
Aliases: CVE-2017-9064 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-zj9a-shru-e7gs
Aliases: CVE-2025-58674 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30. |
Affected by 2 other vulnerabilities. |
|
VCID-zmhc-4gku-13ga
Aliases: CVE-2020-28037 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-znb5-qcr5-pqaf
Aliases: CVE-2018-20152 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-zyqs-75ad-8kcd
Aliases: CVE-2016-7169 |
security update |
Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
|
VCID-zzcw-snrs-kygh
Aliases: CVE-2015-5731 |
security update |
Affected by 178 other vulnerabilities. Affected by 152 other vulnerabilities. Affected by 92 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||