Wordpress : Security Vulnerabilities, CVEs, Published In 2017 (CSRF)
CVE-2016-6897
Public exploit
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.
Max CVSS
6.5
EPSS Score
0.33%
Published
2017-01-18
Updated
2017-09-03
Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload.
Max CVSS
8.8
EPSS Score
0.27%
Published
2017-01-15
Updated
2017-11-04
Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.
Max CVSS
8.8
EPSS Score
0.28%
Published
2017-01-15
Updated
2017-11-04
In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This.
Max CVSS
6.5
EPSS Score
0.16%
Published
2017-03-12
Updated
2019-03-19
In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API.
Max CVSS
8.6
EPSS Score
0.62%
Published
2017-05-18
Updated
2019-10-03
In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials.
Max CVSS
8.8
EPSS Score
0.44%
Published
2017-05-18
Updated
2019-03-15
6 vulnerabilities found