Wordpress : Security Vulnerabilities, CVEs, Published In 2017 (XSS) CVSS score >= 2
wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.
Max CVSS
5.4
EPSS Score
0.10%
Published
2017-12-02
Updated
2019-04-26
wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.
Max CVSS
5.4
EPSS Score
0.09%
Published
2017-12-02
Updated
2019-04-26
wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file.
Max CVSS
5.4
EPSS Score
0.09%
Published
2017-12-02
Updated
2019-04-26
Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.
Max CVSS
6.1
EPSS Score
0.38%
Published
2017-09-23
Updated
2017-11-10
Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.
Max CVSS
6.1
EPSS Score
0.37%
Published
2017-09-23
Updated
2017-11-10
Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name.
Max CVSS
6.1
EPSS Score
0.25%
Published
2017-09-23
Updated
2017-11-10
Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name.
Max CVSS
6.1
EPSS Score
0.25%
Published
2017-09-23
Updated
2017-11-10
Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL.
Max CVSS
6.1
EPSS Score
0.25%
Published
2017-09-23
Updated
2017-11-10
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session.
Max CVSS
6.1
EPSS Score
0.29%
Published
2017-05-18
Updated
2019-03-15
In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API.
Max CVSS
8.6
EPSS Score
0.62%
Published
2017-05-18
Updated
2019-10-03
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename.
Max CVSS
6.1
EPSS Score
0.29%
Published
2017-05-18
Updated
2019-03-15
In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names.
Max CVSS
6.1
EPSS Score
0.32%
Published
2017-03-12
Updated
2019-03-19
In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.
Max CVSS
5.4
EPSS Score
0.09%
Published
2017-03-12
Updated
2019-03-19
In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function in wp-includes/js/mediaelement/wp-playlist.js.
Max CVSS
5.4
EPSS Score
0.10%
Published
2017-03-12
Updated
2019-03-19
Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt.
Max CVSS
6.1
EPSS Score
0.23%
Published
2017-01-30
Updated
2019-03-19
Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php.
Max CVSS
6.1
EPSS Score
0.47%
Published
2017-01-15
Updated
2017-11-04
Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) version header of a plugin.
Max CVSS
6.1
EPSS Score
0.48%
Published
2017-01-15
Updated
2017-11-04
Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename.
Max CVSS
4.8
EPSS Score
0.36%
Published
2017-01-05
Updated
2017-11-04
18 vulnerabilities found