WordPress: Security Vulnerabilities, CVEs, Published in 2019, CVSS score >= 9
wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.
Max CVSS: 9.8 | EPSS Score: 0.62% | Published: 2019-12-27 | Updated: 2022-11-23
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.
Max CVSS: 9.8 | EPSS Score: 0.71% | Published: 2019-10-17 | Updated: 2022-11-07
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.
Max CVSS: 9.8 | EPSS Score: 1.53% | Published: 2019-10-17 | Updated: 2023-02-03
3 vulnerabilities found