CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Wordpress : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-29450 200 +Info 2021-04-15 2021-04-23
4.0
None Remote Low ??? Partial None None
Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.
2 CVE-2021-29447 611 2021-04-15 2021-06-02
4.0
None Remote Low ??? Partial None None
Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.
3 CVE-2020-36326 502 2021-04-28 2021-05-21
7.5
None Remote Low Not required Partial Partial Partial
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
4 CVE-2020-28040 352 CSRF 2020-11-02 2020-11-11
4.3
None Remote Medium Not required None Partial None
WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.
5 CVE-2020-28039 2020-11-02 2020-11-11
6.4
None Remote Low Not required None Partial Partial
is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.
6 CVE-2020-28038 79 XSS 2020-11-02 2020-11-11
4.3
None Remote Medium Not required None Partial None
WordPress before 5.5.2 allows stored XSS via post slugs.
7 CVE-2020-28037 20 DoS Exec Code 2020-11-02 2020-11-11
7.5
None Remote Low Not required Partial Partial Partial
is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).
8 CVE-2020-28036 269 +Priv 2020-11-02 2020-11-11
7.5
None Remote Low Not required Partial Partial Partial
wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.
9 CVE-2020-28035 269 +Priv 2020-11-02 2020-11-11
7.5
None Remote Low Not required Partial Partial Partial
WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.
10 CVE-2020-28034 79 XSS 2020-11-02 2020-11-11
4.3
None Remote Medium Not required None Partial None
WordPress before 5.5.2 allows XSS associated with global variables.
11 CVE-2020-28033 2020-11-02 2020-11-11
5.0
None Remote Low Not required None Partial None
WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.
12 CVE-2020-28032 502 2020-11-02 2020-11-11
7.5
None Remote Low Not required Partial Partial Partial
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
13 CVE-2020-25286 2020-09-13 2020-09-17
5.0
None Remote Low Not required Partial None None
In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public.
14 CVE-2020-11030 79 XSS 2020-04-30 2020-05-07
3.5
None Remote Medium ??? None Partial None
In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
15 CVE-2020-11029 79 XSS 2020-04-30 2020-05-11
4.3
None Remote Medium Not required None Partial None
In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
16 CVE-2020-11028 200 +Info 2020-04-30 2020-05-11
4.3
None Remote Medium Not required Partial None None
In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
17 CVE-2020-11027 640 2020-04-30 2020-05-11
5.5
None Remote Low ??? Partial Partial None
In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
18 CVE-2020-11026 79 XSS 2020-04-30 2020-05-11
3.5
None Remote Medium ??? None Partial None
In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
19 CVE-2020-11025 79 Exec Code XSS 2020-04-30 2020-05-07
3.5
None Remote Medium ??? None Partial None
In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
20 CVE-2020-4050 288 2020-06-12 2020-09-11
6.0
None Remote Medium ??? Partial Partial Partial
In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
21 CVE-2020-4049 80 XSS 2020-06-12 2020-12-23
3.5
None Remote Medium ??? None Partial None
In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
22 CVE-2020-4048 601 2020-06-12 2020-09-11
4.9
None Remote Medium ??? Partial Partial None
In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
23 CVE-2020-4047 80 2020-06-12 2020-09-11
3.5
None Remote Medium ??? None Partial None
In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
24 CVE-2020-4046 80 2020-06-12 2020-07-01
3.5
None Remote Medium ??? None Partial None
In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
25 CVE-2019-20043 269 Bypass 2019-12-27 2020-01-10
5.0
None Remote Low Not required None Partial None
In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.
26 CVE-2019-20042 79 XSS 2019-12-27 2020-01-10
4.3
None Remote Medium Not required None Partial None
In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.
27 CVE-2019-20041 20 Bypass 2019-12-27 2020-01-08
7.5
None Remote Low Not required Partial Partial Partial
wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.
28 CVE-2019-17675 352 CSRF 2019-10-17 2019-11-05
6.8
None Remote Medium Not required Partial Partial Partial
WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.
29 CVE-2019-17674 79 XSS 2019-10-17 2020-01-08
3.5
None Remote Medium ??? None Partial None
WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer.
30 CVE-2019-17673 20 2019-10-17 2020-01-08
5.0
None Remote Low Not required None Partial None
WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header.
31 CVE-2019-17672 79 XSS 2019-10-17 2020-01-08
4.3
None Remote Medium Not required None Partial None
WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.
32 CVE-2019-17671 200 +Info 2019-10-17 2019-11-05
5.0
None Remote Low Not required Partial None None
In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.
33 CVE-2019-17670 918 2019-10-17 2020-09-11
7.5
None Remote Low Not required Partial Partial Partial
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.
34 CVE-2019-17669 918 2019-10-17 2019-11-05
7.5
None Remote Low Not required Partial Partial Partial
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.
35 CVE-2019-16781 79 Exec Code XSS 2019-12-26 2020-01-08
3.5
None Remote Medium ??? None Partial None
In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.
36 CVE-2019-16780 79 Exec Code XSS 2019-12-26 2020-01-08
3.5
None Remote Medium ??? None Partial None
WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.
37 CVE-2019-16223 79 XSS 2019-09-11 2021-01-04
3.5
None Remote Medium ??? None Partial None
WordPress before 5.2.3 allows XSS in post previews by authenticated users.
38 CVE-2019-16222 79 XSS 2019-09-11 2019-09-12
4.3
None Remote Medium Not required None Partial None
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.
39 CVE-2019-16221 79 XSS 2019-09-11 2019-09-12
4.3
None Remote Medium Not required None Partial None
WordPress before 5.2.3 allows reflected XSS in the dashboard.
40 CVE-2019-16220 601 2019-09-11 2019-09-12
5.8
None Remote Medium Not required Partial Partial None
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect.
41 CVE-2019-16219 79 XSS 2019-09-11 2019-09-12
4.3
None Remote Medium Not required None Partial None
WordPress before 5.2.3 allows XSS in shortcode previews.
42 CVE-2019-16218 79 XSS 2019-09-11 2019-09-15
4.3
None Remote Medium Not required None Partial None
WordPress before 5.2.3 allows XSS in stored comments.
43 CVE-2019-16217 79 XSS 2019-09-11 2019-10-17
4.3
None Remote Medium Not required None Partial None
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.
44 CVE-2019-9787 352 Exec Code XSS CSRF 2019-03-14 2019-03-31
6.8
None Remote Medium Not required Partial Partial Partial
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.
45 CVE-2019-8943 22 Dir. Trav. 2019-02-20 2021-02-23
4.0
None Remote Low ??? None Partial None
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
46 CVE-2019-8942 94 Exec Code 2019-02-20 2019-04-25
6.5
None Remote Low ??? Partial Partial Partial
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.
47 CVE-2018-1000773 20 Exec Code 2018-09-06 2018-11-14
6.5
None Remote Low ??? Partial Partial Partial
WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time.
48 CVE-2018-20153 79 XSS 2018-12-14 2019-03-04
3.5
None Remote Medium ??? None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.
49 CVE-2018-20152 20 Bypass 2018-12-14 2019-03-04
4.0
None Remote Low ??? None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input.
50 CVE-2018-20151 200 +Info 2018-12-14 2019-03-04
5.0
None Remote Low Not required Partial None None
In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default.
Total number of vulnerabilities : 369   Page : 1 (This Page)2 3 4 5 6 7 8
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.