| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2012-4448 | 352 | 1 | CSRF | 2012-09-28 | 2012-10-01 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action. |
| 2 | CVE-2012-4271 | 79 | 1 | XSS | 2012-08-13 | 2017-08-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in bad-behavior-wordpress-admin.php in the Bad Behavior plugin before 2.0.47 and 2.2.x before 2.2.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, (2) httpbl_key, (3) httpbl_maxage, (4) httpbl_threat, (5) reverse_proxy_addresses, or (6) reverse_proxy_header parameter. |
| 3 | CVE-2012-1936 | 352 | 1 | CSRF | 2012-05-03 | 2017-12-13 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | ** DISPUTED ** The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network, as demonstrated by attacks against the wp-admin/admin-ajax.php and wp-admin/user-new.php scripts. NOTE: the vendor reportedly disputes the significance of this issue because wp_create_nonce operates as intended, even if it is arguably inconsistent with certain CSRF protection details advocated by external organizations. |
| 4 | CVE-2012-0937 | | 1 | DoS | 2012-01-30 | 2012-01-31 | 5.0 | None | Remote | Low | Not required | None | None | Partial | ** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which allows remote attackers to use WordPress as a proxy for brute-force attacks or denial of service attacks via the dbhost parameter, a different vulnerability than CVE-2011-4898. NOTE: the vendor disputes the significance of this issue because an incomplete WordPress installation might be present on the network for only a short time. |
| 5 | CVE-2012-0782 | 79 | 1 | XSS | 2012-01-30 | 2012-01-31 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | ** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dbhost, (2) dbname, or (3) uname parameter. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether this specific XSS scenario has security relevance. |
| 6 | CVE-2011-4899 | | 1 | Exec Code Sql XSS | 2012-01-30 | 2012-01-31 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | ** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via the dbhost and dbname parameters, and subsequently conduct static code injection and cross-site scripting (XSS) attacks via (1) an HTTP request or (2) a MySQL query. NOTE: the vendor disputes the significance of this issue; however, remote code execution makes the issue important in many realistic environments. |
| 7 | CVE-2011-4898 | 200 | 1 | +Info | 2012-01-30 | 2012-01-31 | 5.0 | None | Remote | Low | Not required | None | None | Partial | ** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during installation would be reasonable from a usability perspective. |
| 8 | CVE-2009-2762 | 255 | 1 | Bypass | 2009-08-13 | 2017-11-22 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array. |
| 9 | CVE-2009-2334 | 287 | 1 | DoS XSS +Info | 2009-07-10 | 2018-10-10 | 4.9 | None | Remote | Medium | Single system | Partial | Partial | None | wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify this file, as demonstrated by the (1) collapsing-archives/options.txt, (2) akismet/readme.txt, (3) related-ways-to-take-action/options.php, (4) wp-security-scan/securityscan.php, and (5) wp-ids/ids-admin.php files. NOTE: this can be leveraged for cross-site scripting (XSS) and denial of service. |
| 10 | CVE-2007-2821 | | 1 | Exec Code Sql | 2007-05-22 | 2018-10-16 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter. |
| 11 | CVE-2019-16223 | 79 | | XSS | 2019-09-11 | 2019-09-12 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | WordPress before 5.2.3 allows XSS in post previews by authenticated users. |
| 12 | CVE-2019-16222 | 79 | | XSS | 2019-09-11 | 2019-09-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks. |
| 13 | CVE-2019-16221 | 79 | | XSS | 2019-09-11 | 2019-09-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress before 5.2.3 allows reflected XSS in the dashboard. |
| 14 | CVE-2019-16220 | 601 | | | 2019-09-11 | 2019-09-12 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect. |
| 15 | CVE-2019-16219 | 79 | | XSS | 2019-09-11 | 2019-09-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress before 5.2.3 allows XSS in shortcode previews. |
| 16 | CVE-2019-16218 | 79 | | XSS | 2019-09-11 | 2019-09-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress before 5.2.3 allows XSS in stored comments. |
| 17 | CVE-2019-16217 | 79 | | XSS | 2019-09-11 | 2019-09-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. |
| 18 | CVE-2019-9787 | 352 | | Exec Code XSS CSRF | 2019-03-14 | 2019-03-31 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php. |
| 19 | CVE-2019-8943 | 22 | | Dir. Trav. | 2019-02-19 | 2019-04-25 | 4.0 | None | Remote | Low | Single system | None | Partial | None | WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring. |
| 20 | CVE-2019-8942 | 94 | | Exec Code | 2019-02-19 | 2019-04-25 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943. |
| 21 | CVE-2018-1000773 | 20 | | Exec Code | 2018-09-06 | 2018-11-14 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited; however, this has not been confirmed at this time. |
| 22 | CVE-2018-20153 | 79 | | XSS | 2018-12-14 | 2019-01-04 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. |
| 23 | CVE-2018-20152 | 20 | | Bypass | 2018-12-14 | 2019-01-04 | 5.0 | None | Remote | Low | Not required | None | Partial | None | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. |
| 24 | CVE-2018-20151 | 200 | | +Info | 2018-12-14 | 2019-01-04 | 5.0 | None | Remote | Low | Not required | Partial | None | None | In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default. |
| 25 | CVE-2018-20150 | 79 | | XSS | 2018-12-14 | 2019-01-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. |
| 26 | CVE-2018-20149 | 79 | | XSS Bypass | 2018-12-14 | 2019-01-04 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data. |
| 27 | CVE-2018-20148 | 502 | | | 2018-12-14 | 2019-01-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php. |
| 28 | CVE-2018-20147 | 287 | | Bypass | 2018-12-14 | 2019-10-02 | 5.5 | None | Remote | Low | Single system | None | Partial | Partial | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files. |
| 29 | CVE-2018-14028 | 434 | | Exec Code | 2018-08-10 | 2018-10-10 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins. |
| 30 | CVE-2018-12895 | 22 | | Exec Code Dir. Trav. | 2018-06-26 | 2018-08-20 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges. |
| 31 | CVE-2018-10102 | 79 | | XSS | 2018-04-16 | 2018-05-18 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. |
| 32 | CVE-2018-10101 | 601 | | | 2018-04-16 | 2018-06-02 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. |
| 33 | CVE-2018-10100 | 601 | | | 2018-04-16 | 2018-05-18 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. |
| 34 | CVE-2018-6389 | 399 | | DoS | 2018-02-06 | 2018-03-05 | 5.0 | None | Remote | Low | Not required | None | None | Partial | In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times. |
| 35 | CVE-2018-5776 | 79 | | XSS | 2018-01-18 | 2018-02-01 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). |
| 36 | CVE-2017-1001000 | | | | 2017-04-02 | 2019-10-02 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI. |
| 37 | CVE-2017-1000600 | 20 | | Exec Code | 2018-09-06 | 2018-10-26 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited; however, this has not been confirmed at this time. This issue appears to have been partially, but not completely, fixed in WordPress 4.9. |
| 38 | CVE-2017-17091 | 330 | | Bypass | 2017-12-02 | 2019-10-02 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string. |
| 39 | CVE-2017-16510 | 89 | | Sql | 2017-11-02 | 2018-02-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723. |
| 40 | CVE-2017-14990 | 312 | | Sql | 2017-10-02 | 2019-10-02 | 4.0 | None | Remote | Low | Single system | Partial | None | None | WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability). |
| 41 | CVE-2017-14726 | 79 | | XSS | 2017-09-23 | 2017-11-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor. |
| 42 | CVE-2017-14725 | 601 | | | 2017-09-23 | 2017-11-09 | 4.9 | None | Remote | Medium | Single system | Partial | Partial | None | Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php. |
| 43 | CVE-2017-14724 | 79 | | XSS | 2017-09-23 | 2017-11-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. |
| 44 | CVE-2017-14723 | 89 | | Sql | 2017-09-23 | 2017-11-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks. |
| 45 | CVE-2017-14722 | 22 | | Dir. Trav. | 2017-09-23 | 2017-11-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename. |
| 46 | CVE-2017-14721 | 79 | | XSS | 2017-09-23 | 2017-11-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name. |
| 47 | CVE-2017-14720 | 79 | | XSS | 2017-09-23 | 2017-11-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. |
| 48 | CVE-2017-14719 | 22 | | Dir. Trav. | 2017-09-23 | 2017-11-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components. |
| 49 | CVE-2017-14718 | 79 | | XSS | 2017-09-23 | 2017-11-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL. |
| 50 | CVE-2017-9066 | 918 | | | 2017-05-18 | 2018-01-18 | 5.0 | None | Remote | Low | Not required | None | Partial | None | In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. |