| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|--------|--------|---------------|-----------------------|--------------|-------------|-------|---------------------|--------|------------|----------------|-------|--------|--------|-------------|
| 1 | CVE-2018-6389 | 399 | | DoS | 2018-02-06 | 2018-03-05 | 5.0 | None | Remote | Low | Not required | None | None | Partial | In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times. |
| 2 | CVE-2017-1001000 | 264 | | | 2017-04-02 | 2017-07-24 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI. |
| 3 | CVE-2017-17091 | 284 | | Bypass | 2017-12-02 | 2018-02-03 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string. |
| 4 | CVE-2017-16510 | 89 | | Sql | 2017-11-02 | 2018-02-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723. |
| 5 | CVE-2017-14723 | 89 | | Sql | 2017-09-23 | 2017-11-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks. |
| 6 | CVE-2017-14722 | 22 | | Dir. Trav. | 2017-09-23 | 2017-11-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename. |
| 7 | CVE-2017-14719 | 22 | | Dir. Trav. | 2017-09-23 | 2017-11-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components. |
| 8 | CVE-2017-9066 | 918 | | | 2017-05-18 | 2018-01-18 | 5.0 | None | Remote | Low | Not required | None | Partial | None | In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. |
| 9 | CVE-2017-9065 | 20 | | | 2017-05-18 | 2017-11-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. |
| 10 | CVE-2017-9064 | 352 | | CSRF | 2017-05-18 | 2017-11-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials. |
| 11 | CVE-2017-9062 | 19 | | | 2017-05-18 | 2017-11-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. |
| 12 | CVE-2017-6815 | 20 | | | 2017-03-11 | 2017-11-03 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation. |
| 13 | CVE-2017-5611 | 89 | | Exec Code Sql | 2017-01-29 | 2017-11-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name. |
| 14 | CVE-2017-5610 | 200 | | Bypass +Info | 2017-01-29 | 2017-11-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None | wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms. |
| 15 | CVE-2017-5493 | 310 | | Bypass | 2017-01-14 | 2017-11-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup. |
| 16 | CVE-2017-5492 | 352 | | CSRF | 2017-01-14 | 2017-11-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php. |
| 17 | CVE-2017-5491 | 254 | | Bypass | 2017-01-14 | 2017-11-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name. |
| 18 | CVE-2017-5489 | 352 | | CSRF | 2017-01-14 | 2017-11-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload. |
| 19 | CVE-2017-5487 | 200 | | +Info | 2017-01-14 | 2017-08-31 | 5.0 | None | Remote | Low | Not required | Partial | None | None | wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request. |
| 20 | CVE-2016-7169 | 22 | | Dir. Trav. | 2017-01-04 | 2017-11-03 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter. |
| 21 | CVE-2016-6896 | 22 | | DoS Dir. Trav. | 2017-01-18 | 2017-09-02 | 5.5 | None | Remote | Low | Single system | Partial | None | Partial | Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool. |
| 22 | CVE-2016-6635 | 352 | | CSRF | 2016-08-07 | 2017-11-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers to hijack the authentication of administrators for requests that change the script compression option. |
| 23 | CVE-2016-5839 | | | Bypass | 2016-06-29 | 2016-11-28 | 5.0 | None | Remote | Low | Not required | None | Partial | None | WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors. |
| 24 | CVE-2016-5838 | 255 | | Bypass | 2016-06-29 | 2016-11-29 | 5.0 | None | Remote | Low | Not required | None | Partial | None | WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie. |
| 25 | CVE-2016-5837 | | | Bypass | 2016-06-29 | 2016-11-29 | 5.0 | None | Remote | Low | Not required | None | Partial | None | WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors. |
| 26 | CVE-2016-5836 | | | DoS | 2016-06-29 | 2016-11-29 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors. |
| 27 | CVE-2016-5835 | 200 | | +Info | 2016-06-29 | 2016-11-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None | WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php. |
| 28 | CVE-2016-5832 | | | Bypass | 2016-06-29 | 2016-11-29 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors. |
| 29 | CVE-2016-4029 | 285 | | Bypass | 2016-08-07 | 2017-11-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address. |
| 30 | CVE-2016-2222 | | | | 2016-05-21 | 2017-11-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request forgery (SSRF) attacks via a zero value in the first octet of an IPv4 address in the u parameter to wp-admin/press-this.php. |
| 31 | CVE-2016-2221 | | | | 2016-05-21 | 2017-11-03 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Open redirect vulnerability in the wp_validate_redirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as demonstrated by an https:example.com URL. |
| 32 | CVE-2015-5731 | 352 | | DoS CSRF | 2015-11-09 | 2017-11-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action. |
| 33 | CVE-2015-5730 | 200 | | +Info | 2015-11-09 | 2017-09-20 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time comparison for widgets, which allows remote attackers to conduct a timing side-channel attack by measuring the delay before inequality is calculated. |
| 34 | CVE-2015-2213 | 89 | | Exec Code Sql | 2015-11-09 | 2017-11-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in the wp_untrash_post_comments function in wp-includes/post.php in WordPress before 4.2.4 allows remote attackers to execute arbitrary SQL commands via a comment that is mishandled after retrieval from the trash. |
| 35 | CVE-2014-9038 | 20 | | | 2014-11-25 | 2015-10-05 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery (SSRF) attacks by referring to a 127.0.0.0/8 resource. |
| 36 | CVE-2014-9037 | 310 | | | 2014-11-25 | 2015-04-29 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash. |
| 37 | CVE-2014-9034 | 19 | | DoS | 2014-11-25 | 2016-04-04 | 5.0 | None | Remote | Low | Not required | None | None | Partial | wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016. |
| 38 | CVE-2014-9033 | 352 | | CSRF | 2014-11-25 | 2015-11-02 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack the authentication of arbitrary users for requests that reset passwords. |
| 39 | CVE-2014-5266 | 399 | | DoS | 2014-08-18 | 2015-11-25 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265. |
| 40 | CVE-2014-5265 | 399 | | DoS | 2014-08-18 | 2015-11-25 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. |
| 41 | CVE-2014-5205 | 352 | | Bypass CSRF | 2014-08-18 | 2014-11-13 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. |
| 42 | CVE-2014-5204 | 352 | | Bypass CSRF | 2014-08-18 | 2015-11-25 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. |
| 43 | CVE-2014-5203 | | | Exec Code | 2014-08-18 | 2014-08-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to execute arbitrary code via crafted serialized data. |
| 44 | CVE-2014-0166 | 287 | | | 2014-04-09 | 2017-12-15 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. |
| 45 | CVE-2013-7240 | 22 | | Dir. Trav. | 2014-01-03 | 2014-02-25 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dew_file parameter. |
| 46 | CVE-2013-7233 | 352 | | CSRF | 2013-12-29 | 2013-12-30 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earlier allows remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list. |
| 47 | CVE-2013-4339 | 20 | | Bypass | 2013-09-12 | 2013-12-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string. |
| 48 | CVE-2013-4338 | 94 | | Exec Code | 2013-09-12 | 2013-10-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations. |
| 49 | CVE-2013-0235 | | | | 2013-07-08 | 2013-07-08 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue. |
| 50 | CVE-2012-6707 | 326 | | | 2017-10-19 | 2017-11-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None | WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions. |