Search for packages
| purl | pkg:deb/debian/wordpress@5.0.15%2Bdfsg1-0%2Bdeb10u1 |
| Next non-vulnerable version | 6.8.1+dfsg1-1 |
| Latest non-vulnerable version | 6.8.1+dfsg1-1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-27gf-s9nc-9qgy
Aliases: CVE-2021-39201 |
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/wordpress) |
Affected by 3 other vulnerabilities. |
|
VCID-2reu-mug8-7khp
Aliases: CVE-2022-43500 |
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7. |
Affected by 3 other vulnerabilities. |
|
VCID-32ks-kc8x-t3bc
Aliases: CVE-2022-21661 |
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability. |
Affected by 3 other vulnerabilities. |
|
VCID-3jf9-qqss-cyax
Aliases: CVE-2019-16221 |
WordPress before 5.2.3 allows reflected XSS in the dashboard. |
Affected by 3 other vulnerabilities. |
|
VCID-3p37-fuvn-yyhx
Aliases: CVE-2019-17673 |
WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header. |
Affected by 3 other vulnerabilities. |
|
VCID-3xx6-as4s-hqah
Aliases: CVE-2021-29450 |
multiple issues |
Affected by 3 other vulnerabilities. |
|
VCID-4by6-snwe-kbay
Aliases: CVE-2020-25286 |
In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public. |
Affected by 3 other vulnerabilities. |
|
VCID-527a-mxru-3bhw
Aliases: CVE-2020-4046 |
In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
Affected by 3 other vulnerabilities. |
|
VCID-5fw9-e6gr-fffj
Aliases: CVE-2023-39999 |
Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38. |
Affected by 3 other vulnerabilities. |
|
VCID-5krm-ab8u-87gj
Aliases: CVE-2019-16222 |
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks. |
Affected by 3 other vulnerabilities. |
|
VCID-6wzs-z1a3-5bgc
Aliases: CVE-2020-28039 |
multiple issues |
Affected by 3 other vulnerabilities. |
|
VCID-7q3m-juqy-dbc2
Aliases: CVE-2020-11026 |
security update |
Affected by 3 other vulnerabilities. |
|
VCID-86xs-fn2g-ekgw
Aliases: CVE-2020-11029 |
security update |
Affected by 3 other vulnerabilities. |
|
VCID-8d3z-u8kz-qfd3
Aliases: CVE-2020-4048 |
In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
Affected by 3 other vulnerabilities. |
|
VCID-a1vg-crra-zqd3
Aliases: CVE-2020-28038 |
multiple issues |
Affected by 3 other vulnerabilities. |
|
VCID-aq2b-4paf-nuc7
Aliases: CVE-2022-21662 |
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. |
Affected by 3 other vulnerabilities. |
|
VCID-c4f2-gf3z-rugf
Aliases: CVE-2019-20042 |
In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. |
Affected by 3 other vulnerabilities. |
|
VCID-cm7n-829q-4qh3
Aliases: CVE-2020-28037 |
multiple issues |
Affected by 3 other vulnerabilities. |
|
VCID-cscg-s24f-tqhs
Aliases: CVE-2020-4047 |
In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
Affected by 3 other vulnerabilities. |
|
VCID-ct56-8gxd-dbar
Aliases: CVE-2022-21664 |
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. |
Affected by 3 other vulnerabilities. |
|
VCID-d474-zmfc-9uct
Aliases: CVE-2020-28033 |
multiple issues |
Affected by 3 other vulnerabilities. |
|
VCID-e1yr-jstc-kfcf
Aliases: CVE-2019-17671 |
In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled. |
Affected by 3 other vulnerabilities. |
|
VCID-f3f8-4dyr-u7f6
Aliases: CVE-2019-17670 |
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs. |
Affected by 3 other vulnerabilities. |
|
VCID-f45x-hdvn-3ucp
Aliases: CVE-2020-11028 |
security update |
Affected by 3 other vulnerabilities. |
|
VCID-fe6b-yywu-9bgg
Aliases: DSA-5279-2 wordpress |
security update |
Affected by 3 other vulnerabilities. |
|
VCID-gf7e-n6a8-2udc
Aliases: CVE-2023-2745 |
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack. |
Affected by 3 other vulnerabilities. |
|
VCID-hafb-f7ez-a3h8
Aliases: CVE-2019-16218 |
WordPress before 5.2.3 allows XSS in stored comments. |
Affected by 3 other vulnerabilities. |
|
VCID-hk4z-ey84-sqa7
Aliases: CVE-2019-17674 |
WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer. |
Affected by 3 other vulnerabilities. |
|
VCID-j8um-3sac-fye7
Aliases: CVE-2020-11025 |
security update |
Affected by 3 other vulnerabilities. |
|
VCID-jt8m-8ttj-h3bg
Aliases: CVE-2020-11030 |
In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). |
Affected by 3 other vulnerabilities. |
|
VCID-jxqy-whe1-x7ht
Aliases: CVE-2024-31210 |
WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin screen in WordPress. If FTP credentials are requested for installation (in order to move the file into place outside of the `uploads` directory) then the uploaded file remains temporary available in the Media Library despite it not being allowed. If the `DISALLOW_FILE_EDIT` constant is set to `true` on the site _and_ FTP credentials are required when uploading a new theme or plugin, then this technically allows an RCE when the user would otherwise have no means of executing arbitrary PHP code. This issue _only_ affects Administrator level users on single site installations, and Super Admin level users on Multisite installations where it's otherwise expected that the user does not have permission to upload or execute arbitrary PHP code. Lower level users are not affected. Sites where the `DISALLOW_FILE_MODS` constant is set to `true` are not affected. Sites where an administrative user either does not need to enter FTP credentials or they have access to the valid FTP credentials, are not affected. The issue was fixed in WordPress 6.4.3 on January 30, 2024 and backported to versions 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, 5.8.9, 5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21, 4.9.25, 2.8.24, 4.7.28, 4.6.28, 4.5.31, 4.4.32, 4.3.33, 4.2.37, and 4.1.40. A workaround is available. If the `DISALLOW_FILE_MODS` constant is defined as `true` then it will not be possible for any user to upload a plugin and therefore this issue will not be exploitable. |
Affected by 3 other vulnerabilities. |
|
VCID-k7y9-719w-tqh5
Aliases: CVE-2020-4049 |
In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
Affected by 3 other vulnerabilities. |
|
VCID-ke32-qerd-c7dm
Aliases: CVE-2019-20043 |
In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. |
Affected by 3 other vulnerabilities. |
|
VCID-ks4j-38bf-8qd4
Aliases: CVE-2020-28032 |
multiple issues |
Affected by 3 other vulnerabilities. |
|
VCID-kw8w-ryc6-cqd4
Aliases: CVE-2022-43504 |
Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7. |
Affected by 3 other vulnerabilities. |
|
VCID-m81w-h68v-fbg4
Aliases: CVE-2019-9787 |
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php. |
Affected by 3 other vulnerabilities. |
|
VCID-nps9-wuur-6kc4
Aliases: CVE-2020-11027 |
security update |
Affected by 3 other vulnerabilities. |
|
VCID-nqky-8p8k-ryce
Aliases: CVE-2019-16220 |
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash. |
Affected by 3 other vulnerabilities. |
|
VCID-q6fq-uwx9-wugu
Aliases: CVE-2020-4050 |
In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
Affected by 3 other vulnerabilities. |
|
VCID-qdvm-tmx1-9ka3
Aliases: CVE-2019-16219 |
WordPress before 5.2.3 allows XSS in shortcode previews. |
Affected by 3 other vulnerabilities. |
|
VCID-qhwv-dwv5-7kbk
Aliases: CVE-2019-16223 |
WordPress before 5.2.3 allows XSS in post previews by authenticated users. |
Affected by 3 other vulnerabilities. |
|
VCID-qpx8-h6j2-5yb5
Aliases: CVE-2022-4973 |
WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page. |
Affected by 3 other vulnerabilities. |
|
VCID-rh9a-aynp-c3fa
Aliases: CVE-2023-5561 |
WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack |
Affected by 3 other vulnerabilities. |
|
VCID-s4mq-81zp-2bgq
Aliases: CVE-2019-17675 |
WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF. |
Affected by 3 other vulnerabilities. |
|
VCID-s7cb-xj6g-47fe
Aliases: CVE-2019-17669 |
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters. |
Affected by 3 other vulnerabilities. |
|
VCID-sr4f-8x4c-2yf3
Aliases: CVE-2019-16780 |
WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled. |
Affected by 3 other vulnerabilities. |
|
VCID-t1bt-j6fu-1fhw
Aliases: CVE-2019-17672 |
WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements. |
Affected by 3 other vulnerabilities. |
|
VCID-tfm7-6acr-tffz
Aliases: CVE-2021-29447 |
multiple issues |
Affected by 3 other vulnerabilities. |
|
VCID-u9ff-xwfy-p7ek
Aliases: CVE-2020-28034 |
multiple issues |
Affected by 3 other vulnerabilities. |
|
VCID-uf87-vfb2-7ybc
Aliases: CVE-2020-28035 |
multiple issues |
Affected by 3 other vulnerabilities. |
|
VCID-uq4k-4tyv-eyhj
Aliases: CVE-2020-28040 |
multiple issues |
Affected by 3 other vulnerabilities. |
|
VCID-wafy-4qhc-guee
Aliases: CVE-2022-43497 |
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7. |
Affected by 3 other vulnerabilities. |
|
VCID-x9we-vp2y-9qdh
Aliases: CVE-2021-29476 GHSA-52qp-jpq7-6c54 |
Insecure Deserialization of untrusted data in rmccue/requests ### Impact Unserialization of untrusted data. ### Patches The issue has been patched and users of `Requests` 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0. ### References Publications about the vulnerability: * https://dannewitz.ninja/posts/php-unserialize-object-injection-yet-another-stars-rating-wordpress * https://github.com/ambionics/phpggc/issues/52 * https://blog.detectify.com/2019/07/23/improving-wordpress-plugin-security/ * https://i.blackhat.com/us-18/Thu-August-9/us-18-Thomas-Its-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf * https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf * https://2018.zeronights.ru/wp-content/uploads/materials/9%20ZN2018%20WV%20-%20PHP%20unserialize.pdf * https://medium.com/@knownsec404team/extend-the-attack-surface-of-php-deserialization-vulnerability-via-phar-d6455c6a1066#3c0f Originally fixed in WordPress 5.5.2: * https://github.com/WordPress/wordpress-develop/commit/add6bedf3a53b647d0ebda2970057912d3cd79d3 * https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/ Related Security Advisories: * https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-28032 * https://nvd.nist.gov/vuln/detail/CVE-2020-28032 Notification to the Requests repo including a fix in: * https://github.com/rmccue/Requests/pull/421 and * https://github.com/rmccue/Requests/pull/422 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Request](https://github.com/WordPress/Requests/) |
Affected by 3 other vulnerabilities. |
|
VCID-xmct-x7bt-quhy
Aliases: CVE-2022-21663 |
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. |
Affected by 3 other vulnerabilities. |
|
VCID-xnrd-rj56-6fd4
Aliases: CVE-2019-16781 |
In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS. |
Affected by 3 other vulnerabilities. |
|
VCID-xrw6-wv27-tkde
Aliases: CVE-2021-39200 |
information disclosure |
Affected by 3 other vulnerabilities. |
|
VCID-y57w-rjb7-hye3
Aliases: CVE-2020-28036 |
multiple issues |
Affected by 3 other vulnerabilities. |
|
VCID-ypzf-m1km-1qgz
Aliases: CVE-2019-20041 |
wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring. |
Affected by 3 other vulnerabilities. |
|
VCID-z8ek-exhy-qyb7
Aliases: CVE-2019-16217 |
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-12tt-wa76-t3cx | security update |
CVE-2017-14723
|
| VCID-1w2g-tur8-87g4 | In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. |
CVE-2018-20150
|
| VCID-27gf-s9nc-9qgy | WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/wordpress) |
CVE-2021-39201
|
| VCID-2x58-5hmb-kkbm | security update |
CVE-2017-14721
|
| VCID-32ks-kc8x-t3bc | WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability. |
CVE-2022-21661
|
| VCID-34h8-w1n9-hfat | security update |
CVE-2017-14726
|
| VCID-3jf9-qqss-cyax | WordPress before 5.2.3 allows reflected XSS in the dashboard. |
CVE-2019-16221
|
| VCID-3p37-fuvn-yyhx | WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header. |
CVE-2019-17673
|
| VCID-3xx6-as4s-hqah | multiple issues |
CVE-2021-29450
|
| VCID-4by6-snwe-kbay | In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public. |
CVE-2020-25286
|
| VCID-5krm-ab8u-87gj | WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks. |
CVE-2019-16222
|
| VCID-5u2z-e2s3-87bt | In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php. |
CVE-2018-20148
|
| VCID-66d7-qggh-t3d8 | WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. This issue appears to have been partially, but not completely fixed in WordPress 4.9 |
CVE-2017-1000600
|
| VCID-6wzs-z1a3-5bgc | multiple issues |
CVE-2020-28039
|
| VCID-7q3m-juqy-dbc2 | security update |
CVE-2020-11026
|
| VCID-7yr7-wdmq-nfch | security update |
CVE-2017-17092
|
| VCID-84wk-ph1h-13bt | Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. |
CVE-2018-10100
|
| VCID-86xs-fn2g-ekgw | security update |
CVE-2020-11029
|
| VCID-8d3z-u8kz-qfd3 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
CVE-2020-4048
|
| VCID-8j6w-s38j-6fbd | In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data. |
CVE-2018-20149
|
| VCID-9ty9-8whs-k3dz | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files. |
CVE-2018-20147
|
| VCID-a1vg-crra-zqd3 | multiple issues |
CVE-2020-28038
|
| VCID-aab3-6dsk-yqhv | Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. |
CVE-2018-10102
|
| VCID-aq2b-4paf-nuc7 | WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. |
CVE-2022-21662
|
| VCID-bqma-z617-cbcz | WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges. |
CVE-2018-12895
|
| VCID-br8b-mesh-skgj | In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default. |
CVE-2018-20151
|
| VCID-byas-q6gv-mke2 |
CVE-2017-14724
|
|
| VCID-c4f2-gf3z-rugf | In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. |
CVE-2019-20042
|
| VCID-cm7n-829q-4qh3 | multiple issues |
CVE-2020-28037
|
| VCID-cscg-s24f-tqhs | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
CVE-2020-4047
|
| VCID-ct56-8gxd-dbar | WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. |
CVE-2022-21664
|
| VCID-czbk-u4g1-17bu | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. |
CVE-2018-20152
|
| VCID-d474-zmfc-9uct | multiple issues |
CVE-2020-28033
|
| VCID-dmv9-knba-2fb7 | Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. |
CVE-2018-10101
|
| VCID-e1yr-jstc-kfcf | In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled. |
CVE-2019-17671
|
| VCID-f45x-hdvn-3ucp | security update |
CVE-2020-11028
|
| VCID-gn93-j7ua-dyah | security update |
CVE-2017-17094
|
| VCID-h4z2-rmh8-m3ef | security update |
CVE-2017-14720
|
| VCID-hafb-f7ez-a3h8 | WordPress before 5.2.3 allows XSS in stored comments. |
CVE-2019-16218
|
| VCID-hk4z-ey84-sqa7 | WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer. |
CVE-2019-17674
|
| VCID-j8um-3sac-fye7 | security update |
CVE-2020-11025
|
| VCID-k7y9-719w-tqh5 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
CVE-2020-4049
|
| VCID-ke32-qerd-c7dm | In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. |
CVE-2019-20043
|
| VCID-ks4j-38bf-8qd4 | multiple issues |
CVE-2020-28032
|
| VCID-nps9-wuur-6kc4 | security update |
CVE-2020-11027
|
| VCID-nqky-8p8k-ryce | In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash. |
CVE-2019-16220
|
| VCID-q4m4-cz3y-nqc3 | security update |
CVE-2017-14722
|
| VCID-q6fq-uwx9-wugu | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
CVE-2020-4050
|
| VCID-qdvm-tmx1-9ka3 | WordPress before 5.2.3 allows XSS in shortcode previews. |
CVE-2019-16219
|
| VCID-qhwv-dwv5-7kbk | WordPress before 5.2.3 allows XSS in post previews by authenticated users. |
CVE-2019-16223
|
| VCID-ra5u-n2jx-dugx | security update |
CVE-2017-14725
|
| VCID-rtrx-nq73-wffv | In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. |
CVE-2018-20153
|
| VCID-ru8c-3cs3-5uez | security update |
CVE-2017-17091
|
| VCID-rvaq-jxwx-8udr | security update |
CVE-2017-14990
|
| VCID-s4mq-81zp-2bgq | WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF. |
CVE-2019-17675
|
| VCID-s713-yc5t-u3a8 | security update |
CVE-2017-14718
|
| VCID-s7cb-xj6g-47fe | WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters. |
CVE-2019-17669
|
| VCID-sqgj-kj2m-5qb8 | security update |
CVE-2017-17093
|
| VCID-sr4f-8x4c-2yf3 | WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled. |
CVE-2019-16780
|
| VCID-t1bt-j6fu-1fhw | WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements. |
CVE-2019-17672
|
| VCID-tfm7-6acr-tffz | multiple issues |
CVE-2021-29447
|
| VCID-u9ff-xwfy-p7ek | multiple issues |
CVE-2020-28034
|
| VCID-uf87-vfb2-7ybc | multiple issues |
CVE-2020-28035
|
| VCID-uq4k-4tyv-eyhj | multiple issues |
CVE-2020-28040
|
| VCID-vwgy-c4sv-e7aq | security update |
CVE-2017-14719
|
| VCID-wh7d-sncc-n3c4 | WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943. |
CVE-2019-8942
|
| VCID-wx2g-5edr-jubd | WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). |
CVE-2018-5776
|
| VCID-xmct-x7bt-quhy | WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. |
CVE-2022-21663
|
| VCID-xnrd-rj56-6fd4 | In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS. |
CVE-2019-16781
|
| VCID-y57w-rjb7-hye3 | multiple issues |
CVE-2020-28036
|
| VCID-ypzf-m1km-1qgz | wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring. |
CVE-2019-20041
|
| VCID-z8ek-exhy-qyb7 | WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. |
CVE-2019-16217
|
| VCID-zgnv-gzjb-hqde | security update |
CVE-2017-16510
|