Wordpress : Security Vulnerabilities, CVEs, Published In 2017 CVSS score >= 8
wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string.
Max CVSS
8.8
EPSS Score
0.37%
Published
2017-12-02
Updated
2019-10-03
WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723.
Max CVSS
9.8
EPSS Score
0.39%
Published
2017-11-02
Updated
2018-02-04
Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.
Max CVSS
9.8
EPSS Score
0.38%
Published
2017-09-23
Updated
2017-11-10
In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF.
Max CVSS
8.6
EPSS Score
1.08%
Published
2017-05-18
Updated
2019-03-15
In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials.
Max CVSS
8.8
EPSS Score
0.44%
Published
2017-05-18
Updated
2019-03-15
In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API.
Max CVSS
8.6
EPSS Score
0.62%
Published
2017-05-18
Updated
2019-10-03
SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name.
Max CVSS
9.8
EPSS Score
0.32%
Published
2017-01-30
Updated
2021-01-30
Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.
Max CVSS
8.8
EPSS Score
0.28%
Published
2017-01-15
Updated
2017-11-04
Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload.
Max CVSS
8.8
EPSS Score
0.27%
Published
2017-01-15
Updated
2017-11-04
9 vulnerabilities found