WordPress: security vulnerabilities (CVEs) with a denial-of-service impact and CVSS score >= 6
Each entry gives the NVD description, the highest CVSS base score recorded for it (Max CVSS), its EPSS score (the estimated probability of exploitation activity in the wild within the next 30 days), and the dates it was published and last updated.
is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).
Max CVSS: 9.8 | EPSS score: 2.42% | Published: 2020-11-02 | Updated: 2022-04-28
In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.
Max CVSS: 7.5 | EPSS score: 37.06% | Published: 2018-02-06 | Updated: 2019-03-01
Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool.
Max CVSS: 7.1 | EPSS score: 32.65% | Published: 2017-01-18 | Updated: 2017-09-03
The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors.
Max CVSS: 7.5 | EPSS score: 1.19% | Published: 2016-06-29 | Updated: 2018-07-31
Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action.
Max CVSS: 6.8 | EPSS score: 0.87% | Published: 2015-11-09 | Updated: 2017-11-04
wp-admin/upgrade.php in WordPress, probably 2.6.x, allows remote attackers to upgrade the application, and possibly cause a denial of service (application outage), via a direct request.
Max CVSS: 10.0 | EPSS score: 0.65% | Published: 2009-04-28 | Updated: 2017-08-17
Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a .. (dot dot) in the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. NOTE: this might be the same as CVE-2006-5705.1.
Max CVSS: 7.5 | EPSS score: 1.01% | Published: 2008-01-10 | Updated: 2018-10-15
The wp_remote_fopen function in WordPress before 2.1 allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a large file, which triggers a long download session without a timeout constraint.
Max CVSS: 7.8 | EPSS score: 1.14% | Published: 2007-01-29 | Updated: 2018-10-16
8 vulnerabilities found