CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Wordpress » Wordpress : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2012-4448 352 1 CSRF 2012-09-28 2012-10-01
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action.
2 CVE-2012-4271 79 1 XSS 2012-08-13 2017-08-28
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in bad-behavior-wordpress-admin.php in the Bad Behavior plugin before 2.0.47 and 2.2.x before 2.2.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, (2) httpbl_key, (3) httpbl_maxage, (4) httpbl_threat, (5) reverse_proxy_addresses, or (6) reverse_proxy_header parameter.
3 CVE-2012-1936 352 1 CSRF 2012-05-03 2017-12-13
6.8
None Remote Medium Not required Partial Partial Partial
** DISPUTED ** The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network, as demonstrated by attacks against the wp-admin/admin-ajax.php and wp-admin/user-new.php scripts. NOTE: the vendor reportedly disputes the significance of this issue because wp_create_nonce operates as intended, even if it is arguably inconsistent with certain CSRF protection details advocated by external organizations.
4 CVE-2012-0937 1 DoS 2012-01-30 2012-01-31
5.0
None Remote Low Not required None None Partial
** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which allows remote attackers to use WordPress as a proxy for brute-force attacks or denial of service attacks via the dbhost parameter, a different vulnerability than CVE-2011-4898. NOTE: the vendor disputes the significance of this issue because an incomplete WordPress installation might be present on the network for only a short time.
5 CVE-2012-0782 79 1 XSS 2012-01-30 2012-01-31
4.3
None Remote Medium Not required None Partial None
** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dbhost, (2) dbname, or (3) uname parameter. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether this specific XSS scenario has security relevance.
6 CVE-2011-4899 1 Exec Code Sql XSS 2012-01-30 2012-01-31
7.5
None Remote Low Not required Partial Partial Partial
** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via the dbhost and dbname parameters, and subsequently conduct static code injection and cross-site scripting (XSS) attacks via (1) an HTTP request or (2) a MySQL query. NOTE: the vendor disputes the significance of this issue; however, remote code execution makes the issue important in many realistic environments.
7 CVE-2011-4898 200 1 +Info 2012-01-30 2012-01-31
5.0
None Remote Low Not required None None Partial
** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during installation would be reasonable from a usability perspective.
8 CVE-2009-2762 255 1 Bypass 2009-08-13 2017-11-22
7.5
None Remote Low Not required Partial Partial Partial
wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array.
9 CVE-2009-2334 287 1 DoS XSS +Info 2009-07-10 2018-10-10
4.9
None Remote Medium Single system Partial Partial None
wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify this file, as demonstrated by the (1) collapsing-archives/options.txt, (2) akismet/readme.txt, (3) related-ways-to-take-action/options.php, (4) wp-security-scan/securityscan.php, and (5) wp-ids/ids-admin.php files. NOTE: this can be leveraged for cross-site scripting (XSS) and denial of service.
10 CVE-2007-2821 1 Exec Code Sql 2007-05-22 2018-10-16
7.5
User Remote Low Not required Partial Partial Partial
SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter.
11 CVE-2019-9787 352 Exec Code XSS CSRF 2019-03-14 2019-03-31
6.8
None Remote Medium Not required Partial Partial Partial
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.
12 CVE-2019-8943 22 Dir. Trav. 2019-02-19 2019-04-25
4.0
None Remote Low Single system None Partial None
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
13 CVE-2019-8942 94 Exec Code 2019-02-19 2019-04-25
6.5
None Remote Low Single system Partial Partial Partial
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.
14 CVE-2018-1000773 20 Exec Code 2018-09-06 2018-11-14
6.5
None Remote Low Single system Partial Partial Partial
WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time.
15 CVE-2018-20153 79 XSS 2018-12-14 2019-01-04
3.5
None Remote Medium Single system None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.
16 CVE-2018-20152 20 Bypass 2018-12-14 2019-01-04
5.0
None Remote Low Not required None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input.
17 CVE-2018-20151 200 +Info 2018-12-14 2019-01-04
5.0
None Remote Low Not required Partial None None
In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default.
18 CVE-2018-20150 79 XSS 2018-12-14 2019-01-04
4.3
None Remote Medium Not required None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins.
19 CVE-2018-20149 79 XSS Bypass 2018-12-14 2019-01-04
3.5
None Remote Medium Single system None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.
20 CVE-2018-20148 502 2018-12-14 2019-01-04
7.5
None Remote Low Not required Partial Partial Partial
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.
21 CVE-2018-20147 284 Bypass 2018-12-14 2019-01-04
5.5
None Remote Low Single system None Partial Partial
In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.
22 CVE-2018-14028 434 Exec Code 2018-08-10 2018-10-10
6.5
None Remote Low Single system Partial Partial Partial
In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
23 CVE-2018-12895 22 Exec Code Dir. Trav. 2018-06-26 2018-08-20
6.5
None Remote Low Single system Partial Partial Partial
WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.
24 CVE-2018-10102 79 XSS 2018-04-16 2018-05-18
4.3
None Remote Medium Not required None Partial None
Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.
25 CVE-2018-10101 601 2018-04-16 2018-06-02
5.8
None Remote Medium Not required Partial Partial None
Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.
26 CVE-2018-10100 601 2018-04-16 2018-05-18
5.8
None Remote Medium Not required Partial Partial None
Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.
27 CVE-2018-6389 399 DoS 2018-02-06 2018-03-05
5.0
None Remote Low Not required None None Partial
In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.
28 CVE-2018-5776 79 XSS 2018-01-18 2018-02-01
4.3
None Remote Medium Not required None Partial None
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).
29 CVE-2017-1001000 264 2017-04-02 2017-07-24
5.0
None Remote Low Not required None Partial None
The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI.
30 CVE-2017-1000600 20 Exec Code 2018-09-06 2018-10-26
6.5
None Remote Low Single system Partial Partial Partial
WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. This issue appears to have been partially, but not completely fixed in WordPress 4.9
31 CVE-2017-17091 284 Bypass 2017-12-02 2018-02-03
6.5
None Remote Low Single system Partial Partial Partial
wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string.
32 CVE-2017-16510 89 Sql 2017-11-02 2018-02-03
7.5
None Remote Low Not required Partial Partial Partial
WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723.
33 CVE-2017-14990 200 Sql +Info 2017-10-02 2019-05-10
4.0
None Remote Low Single system Partial None None
WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).
34 CVE-2017-14726 79 XSS 2017-09-23 2017-11-09
4.3
None Remote Medium Not required None Partial None
Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.
35 CVE-2017-14725 601 2017-09-23 2017-11-09
4.9
None Remote Medium Single system Partial Partial None
Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php.
36 CVE-2017-14724 79 XSS 2017-09-23 2017-11-09
4.3
None Remote Medium Not required None Partial None
Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.
37 CVE-2017-14723 89 Sql 2017-09-23 2017-11-09
7.5
None Remote Low Not required Partial Partial Partial
Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.
38 CVE-2017-14722 22 Dir. Trav. 2017-09-23 2017-11-09
5.0
None Remote Low Not required Partial None None
Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename.
39 CVE-2017-14721 79 XSS 2017-09-23 2017-11-09
4.3
None Remote Medium Not required None Partial None
Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name.
40 CVE-2017-14720 79 XSS 2017-09-23 2017-11-09
4.3
None Remote Medium Not required None Partial None
Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name.
41 CVE-2017-14719 22 Dir. Trav. 2017-09-23 2017-11-09
5.0
None Remote Low Not required Partial None None
Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components.
42 CVE-2017-14718 79 XSS 2017-09-23 2017-11-09
4.3
None Remote Medium Not required None Partial None
Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL.
43 CVE-2017-9066 918 2017-05-18 2018-01-18
5.0
None Remote Low Not required None Partial None
In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF.
44 CVE-2017-9065 20 2017-05-18 2017-11-03
5.0
None Remote Low Not required None Partial None
In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API.
45 CVE-2017-9064 352 CSRF 2017-05-18 2017-11-03
6.8
None Remote Medium Not required Partial Partial Partial
In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials.
46 CVE-2017-9063 79 XSS 2017-05-18 2017-11-03
4.3
None Remote Medium Not required None Partial None
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session.
47 CVE-2017-9062 19 2017-05-18 2017-11-03
5.0
None Remote Low Not required None Partial None
In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API.
48 CVE-2017-9061 79 XSS 2017-05-18 2017-11-03
4.3
None Remote Medium Not required None Partial None
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename.
49 CVE-2017-8295 640 2017-05-04 2017-11-03
4.3
None Remote Medium Not required None Partial None
WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.
50 CVE-2017-6819 352 CSRF 2017-03-11 2017-07-17
4.3
None Remote Medium Not required None None Partial
In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This.
Total number of vulnerabilities : 286   Page : 1 (This Page)2 3 4 5 6
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.