Search for packages
| purl | pkg:deb/debian/wordpress@4.7.5%2Bdfsg-2%2Bdeb9u2~bpo8%2B1 |
| Next non-vulnerable version | 6.8.3+dfsg1-0+deb13u1 |
| Latest non-vulnerable version | 6.8.3+dfsg1-0+deb13u1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1by8-54pr-ubcw
Aliases: CVE-2020-4046 |
In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
Affected by 7 other vulnerabilities. |
|
VCID-1j31-f88g-kfe7
Aliases: CVE-2021-29450 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-1tw6-axgs-f3hy
Aliases: CVE-2020-11027 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-1z8j-st48-qkgn
Aliases: CVE-2017-14718 |
security update |
Affected by 63 other vulnerabilities. |
|
VCID-2gqt-ngbw-xyby
Aliases: CVE-2022-21664 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-2jgs-b7r7-zygv
Aliases: CVE-2020-11030 |
In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). |
Affected by 7 other vulnerabilities. |
|
VCID-3171-8hu9-4uev
Aliases: CVE-2019-17675 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-3572-tc84-pyhv
Aliases: CVE-2023-2745 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-3veg-k8v2-tyhr
Aliases: CVE-2019-17671 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-47fm-x1rg-vbct
Aliases: CVE-2024-31210 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-47he-853j-8qdn
Aliases: CVE-2021-39200 |
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can then be used to perform actions on your behalf. This has been patched in WordPress 5.8.1, along with any older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix. |
Affected by 7 other vulnerabilities. |
|
VCID-4g2n-5v12-yuff
Aliases: CVE-2024-31111 |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9. |
Affected by 2 other vulnerabilities. |
|
VCID-4ty5-fp9a-8qhg
Aliases: CVE-2019-16781 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-532z-9qbb-dyfw
Aliases: CVE-2025-58246 |
Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges required in order to exploit it. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30. |
Affected by 2 other vulnerabilities. |
|
VCID-5698-c229-bqc9
Aliases: CVE-2019-17670 |
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs. |
Affected by 7 other vulnerabilities. |
|
VCID-6ejh-nyh8-gqar
Aliases: CVE-2018-10100 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-6j54-w242-hfce
Aliases: CVE-2022-43504 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-722f-e2hf-xyc9
Aliases: CVE-2023-5561 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-767p-btpd-tudb
Aliases: CVE-2019-17669 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-7twj-axjh-rudj
Aliases: CVE-2017-17094 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-8mat-2mjd-7fgm
Aliases: CVE-2019-9787 |
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php. |
Affected by 7 other vulnerabilities. |
|
VCID-8rfd-k93s-qycc
Aliases: CVE-2017-14724 |
Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. |
Affected by 63 other vulnerabilities. |
|
VCID-9166-twpv-u3a9
Aliases: CVE-2018-20150 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-92fa-nrxb-e3gj
Aliases: CVE-2020-28032 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-98e3-ffna-jfbs
Aliases: CVE-2019-17674 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-agpu-husf-6be4
Aliases: CVE-2019-16217 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-ajrt-bhrw-k7an
Aliases: CVE-2019-16220 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-aup2-49ee-jkdf
Aliases: CVE-2019-16222 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-azsx-2ydf-zyag
Aliases: CVE-2020-4050 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-azyj-28v6-ufhg
Aliases: CVE-2021-39201 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-b8ex-3tnw-yuh8
Aliases: CVE-2018-10102 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-bb3n-jh6p-vfhm
Aliases: CVE-2022-21661 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-c2ta-7w7f-kbed
Aliases: CVE-2019-16218 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-c62s-z1vc-nubq
Aliases: CVE-2017-14720 |
security update |
Affected by 63 other vulnerabilities. |
|
VCID-cce4-nh1p-f3gn
Aliases: CVE-2019-8942 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-cwud-1n3k-rfcs
Aliases: CVE-2017-17092 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-dkht-9n6n-fucn
Aliases: CVE-2017-14725 |
security update |
Affected by 63 other vulnerabilities. |
|
VCID-dzgs-vwe3-fub1
Aliases: CVE-2019-20042 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-e37d-h1k6-sud6
Aliases: CVE-2017-14721 |
security update |
Affected by 63 other vulnerabilities. |
|
VCID-e8zy-mzdn-g7gz
Aliases: DSA-5279-2 wordpress |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-ejtq-a5ca-ffbu
Aliases: CVE-2019-16221 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-fcqu-11yk-h3af
Aliases: CVE-2018-20149 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-fd51-1hat-v3ee
Aliases: CVE-2017-17091 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-fpwa-74w6-mugt
Aliases: CVE-2019-16780 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-fra3-hye6-kqh7
Aliases: CVE-2021-29476 GHSA-52qp-jpq7-6c54 |
Insecure Deserialization of untrusted data in rmccue/requests ### Impact Unserialization of untrusted data. ### Patches The issue has been patched and users of `Requests` 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0. ### References Publications about the vulnerability: * https://dannewitz.ninja/posts/php-unserialize-object-injection-yet-another-stars-rating-wordpress * https://github.com/ambionics/phpggc/issues/52 * https://blog.detectify.com/2019/07/23/improving-wordpress-plugin-security/ * https://i.blackhat.com/us-18/Thu-August-9/us-18-Thomas-Its-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf * https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf * https://2018.zeronights.ru/wp-content/uploads/materials/9%20ZN2018%20WV%20-%20PHP%20unserialize.pdf * https://medium.com/@knownsec404team/extend-the-attack-surface-of-php-deserialization-vulnerability-via-phar-d6455c6a1066#3c0f Originally fixed in WordPress 5.5.2: * https://github.com/WordPress/wordpress-develop/commit/add6bedf3a53b647d0ebda2970057912d3cd79d3 * https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/ Related Security Advisories: * https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28032 * https://nvd.nist.gov/vuln/detail/CVE-2020-28032 Notification to the Requests repo including a fix in: * https://github.com/rmccue/Requests/pull/421 and * https://github.com/rmccue/Requests/pull/422 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Request](https://github.com/WordPress/Requests/) |
Affected by 7 other vulnerabilities. |
|
VCID-fuma-nkmd-zkc1
Aliases: CVE-2019-17673 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-ghn9-muv6-17d7
Aliases: CVE-2017-14723 |
security update |
Affected by 63 other vulnerabilities. |
|
VCID-gy54-apzn-7kef
Aliases: CVE-2020-28036 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-h5up-s13c-2ygg
Aliases: CVE-2022-43497 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-h97y-a92u-2fay
Aliases: CVE-2020-28040 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-hkp2-z1em-x3gu
Aliases: CVE-2017-16510 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-hndb-7b4f-7bbw
Aliases: CVE-2019-16223 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-htec-cnsd-4ke4
Aliases: CVE-2022-21663 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-htr5-ugyh-7yaz
Aliases: CVE-2021-29447 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-jjjw-sspg-q3c3
Aliases: CVE-2019-20041 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-k52x-fa57-hkfk
Aliases: CVE-2019-16219 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-kk83-bnn5-tuar
Aliases: CVE-2020-4048 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-kn9s-5v5u-d3fj
Aliases: CVE-2019-20043 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-m8mf-t2td-67h7
Aliases: CVE-2024-6307 |
WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
Affected by 2 other vulnerabilities. |
|
VCID-n7ne-unru-7fhn
Aliases: CVE-2020-28035 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-ng4k-69hk-9ueu
Aliases: CVE-2017-14990 |
security update |
Affected by 63 other vulnerabilities. |
|
VCID-ngkc-cwzj-nbdk
Aliases: CVE-2020-28033 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-ny68-2wje-q3df
Aliases: CVE-2018-20153 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-pkjb-8649-fqd2
Aliases: CVE-2020-28034 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-psca-f78j-hbc2
Aliases: CVE-2020-28039 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-pyzc-scrd-bufa
Aliases: CVE-2020-11025 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-pz3b-294m-nqfn
Aliases: CVE-2018-10101 |
Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. |
Affected by 63 other vulnerabilities. |
|
VCID-q146-rfqv-1ych
Aliases: CVE-2017-14719 |
security update |
Affected by 63 other vulnerabilities. |
|
VCID-q84d-utmc-g3fn
Aliases: CVE-2020-25286 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-qu9h-p3s6-8bd2
Aliases: CVE-2017-17093 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-r4qy-1wa6-t7gh
Aliases: CVE-2019-17672 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-sszr-mn9y-kkhg
Aliases: CVE-2022-4973 |
WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page. |
Affected by 7 other vulnerabilities. |
|
VCID-swnk-8ave-bff2
Aliases: CVE-2018-20148 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-t4fg-hrp7-c7h9
Aliases: CVE-2018-5776 |
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). |
Affected by 63 other vulnerabilities. |
|
VCID-tffx-7mmd-gkcf
Aliases: CVE-2020-28038 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-tgfm-2c63-d7dk
Aliases: CVE-2020-4049 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-u1fw-ahar-8uc1
Aliases: CVE-2020-4047 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-u4ef-4sne-tbeg
Aliases: CVE-2018-20147 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-v2xf-n28d-kfcx
Aliases: CVE-2018-12895 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-v5s7-vwe3-5bak
Aliases: CVE-2020-11029 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-v7ph-mtd1-y3e1
Aliases: CVE-2022-43500 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-w8w1-e5zu-ffgx
Aliases: CVE-2020-11026 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-wenb-bpws-mkar
Aliases: CVE-2020-11028 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-x733-wwnx-c7fv
Aliases: CVE-2017-1000600 |
WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. This issue appears to have been partially, but not completely fixed in WordPress 4.9 |
Affected by 63 other vulnerabilities. |
|
VCID-x7aj-4qxd-rkcu
Aliases: CVE-2017-14726 |
security update |
Affected by 63 other vulnerabilities. |
|
VCID-xd4w-ak3v-dybq
Aliases: CVE-2018-20151 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-xfxs-pjex-3bh3
Aliases: CVE-2023-39999 |
security update |
Affected by 7 other vulnerabilities. |
|
VCID-xzu6-fn31-43ej
Aliases: CVE-2022-21662 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-z8gv-sec9-xbam
Aliases: CVE-2017-14722 |
security update |
Affected by 63 other vulnerabilities. |
|
VCID-zj9a-shru-e7gs
Aliases: CVE-2025-58674 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30. |
Affected by 2 other vulnerabilities. |
|
VCID-zmhc-4gku-13ga
Aliases: CVE-2020-28037 |
security update |
Affected by 63 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-znb5-qcr5-pqaf
Aliases: CVE-2018-20152 |
security update |
Affected by 92 other vulnerabilities. Affected by 63 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-12nz-jt4k-afdm | security update |
CVE-2016-4029
|
| VCID-198e-9yps-nqfz | security update |
CVE-2017-5491
|
| VCID-1axp-38yu-wua1 | security update |
CVE-2017-5489
|
| VCID-1z8j-st48-qkgn | security update |
CVE-2017-14718
|
| VCID-251h-7yfd-sbdy | security update |
CVE-2016-5835
|
| VCID-2rqp-572a-ufcr | security update |
CVE-2015-3440
|
| VCID-32qc-zmsg-gfa4 | security update |
CVE-2015-5730
|
| VCID-3f5q-3k4x-aue9 | The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI. |
CVE-2017-1001000
|
| VCID-46dk-a282-8bf9 | security update |
CVE-2017-5612
|
| VCID-4p1q-h56b-1qhj | security update |
CVE-2015-3438
|
| VCID-6cda-2819-puhp | security update |
CVE-2016-7168
|
| VCID-7hgx-yyw8-23cj | The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors. |
CVE-2016-5836
|
| VCID-8kvg-dxb5-7uhx | security update |
CVE-2015-3439
|
| VCID-aesj-sy6k-57de | Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834. |
CVE-2016-5833
|
| VCID-c62s-z1vc-nubq | security update |
CVE-2017-14720
|
| VCID-c9m4-z6x3-8ubj | security update |
CVE-2015-8834
|
| VCID-cdj6-mgne-bkcs | security update |
CVE-2016-6634
|
| VCID-cuw7-7fmc-xbc1 | security update |
CVE-2017-5488
|
| VCID-d6e4-71uw-xyeb | The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896. |
CVE-2016-10148
|
| VCID-dkht-9n6n-fucn | security update |
CVE-2017-14725
|
| VCID-dw8d-4vse-jqbe | security update |
CVE-2015-5734
|
| VCID-e1ss-azne-d7ha | In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This. |
CVE-2017-6819
|
| VCID-e37d-h1k6-sud6 | security update |
CVE-2017-14721
|
| VCID-f8cq-auvz-7be1 | security update |
CVE-2016-5837
|
| VCID-fkqw-vkvb-gydh | security update |
CVE-2016-5832
|
| VCID-gakg-ky9v-ayej | security update |
CVE-2016-6635
|
| VCID-ggs8-1k6e-ebc8 | security update |
CVE-2015-7989
|
| VCID-ghn9-muv6-17d7 | security update |
CVE-2017-14723
|
| VCID-gwks-aqn7-mud4 | security update |
CVE-2017-9065
|
| VCID-h1fb-65br-93fb | security update |
CVE-2016-5838
|
| VCID-jf98-kean-p3b3 | In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. |
CVE-2017-6818
|
| VCID-jntp-tjnu-ekbk | security update |
CVE-2016-2222
|
| VCID-k6a1-ag3k-y7d1 | In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. |
CVE-2017-9066
|
| VCID-kkqs-rbpz-wqhf | Cross-site scripting (XSS) vulnerability in the refreshAdvancedAccessibilityOfItem function in wp-admin/js/nav-menu.js in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via an accessibility-helper title. |
CVE-2015-5733
|
| VCID-kpem-j9we-vufs | security update |
CVE-2017-5492
|
| VCID-kyzb-5kb1-j7cf | security update |
CVE-2016-1564
|
| VCID-mu7j-73tw-xbc6 | security update |
CVE-2015-2213
|
| VCID-ng4k-69hk-9ueu | security update |
CVE-2017-14990
|
| VCID-nj6g-ewk1-r7f1 | Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack. |
CVE-2016-4566
|
| VCID-ns2b-cr6m-t7gq | security update |
CVE-2015-5732
|
| VCID-pb81-1zfe-hqfb | security update |
CVE-2016-5834
|
| VCID-q146-rfqv-1ych | security update |
CVE-2017-14719
|
| VCID-q9xz-t5cc-2uf7 | security update |
CVE-2015-5715
|
| VCID-qpsj-hsmm-6qa8 | security update |
CVE-2017-6816
|
| VCID-r5u7-bft7-6bd3 | security update |
CVE-2017-8295
|
| VCID-rcvm-b2u5-43dc | Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896. |
CVE-2016-6897
|
| VCID-sany-su2d-73cn | wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request. |
CVE-2017-5487
|
| VCID-sh9a-167m-57cw | security update |
CVE-2015-5622
|
| VCID-srjh-2qnk-e7c6 | security update |
CVE-2017-6817
|
| VCID-tf2e-bgq5-9ff5 | security update |
CVE-2017-5611
|
| VCID-tf2u-dse2-mufb | security update |
CVE-2017-6814
|
| VCID-trn4-a55k-sqad | security update |
CVE-2017-5490
|
| VCID-ttaw-fpb8-27hp | security update |
CVE-2016-2221
|
| VCID-ujms-xfg5-77e8 | Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool. |
CVE-2016-6896
|
| VCID-vg54-wjcw-fuh4 | security update |
CVE-2017-5610
|
| VCID-vj6y-1qup-jubg | security update |
CVE-2017-5493
|
| VCID-vywc-p4tw-8yd2 | security update |
CVE-2017-6815
|
| VCID-w7r4-c8yh-hkbc | security update |
CVE-2017-9061
|
| VCID-x5g3-2yvt-xkfm | security update |
CVE-2017-9062
|
| VCID-x7aj-4qxd-rkcu | security update |
CVE-2017-14726
|
| VCID-xg1e-yjwb-r3h4 | security update |
CVE-2015-5714
|
| VCID-xwgs-bt6t-qfbh | security update |
CVE-2015-5623
|
| VCID-yees-gysw-d3cx | security update |
CVE-2016-5839
|
| VCID-z4g5-m3kv-93e3 | security update |
CVE-2017-9063
|
| VCID-z8gv-sec9-xbam | security update |
CVE-2017-14722
|
| VCID-zebg-ku4f-dbgk | security update |
CVE-2015-3429
|
| VCID-zhsu-sye9-mkaz | security update |
CVE-2017-9064
|
| VCID-zyqs-75ad-8kcd | security update |
CVE-2016-7169
|
| VCID-zzcw-snrs-kygh | security update |
CVE-2015-5731
|