| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-16223 |
79 |
|
XSS |
2019-09-11 |
2019-09-12 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
WordPress before 5.2.3 allows XSS in post previews by authenticated users. |
|
2 |
CVE-2018-20153 |
79 |
|
XSS |
2018-12-14 |
2019-01-04 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. |
|
3 |
CVE-2018-20149 |
79 |
|
XSS Bypass |
2018-12-14 |
2019-01-04 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data. |
|
4 |
CVE-2017-6817 |
79 |
|
XSS |
2017-03-11 |
2017-11-03 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds. |
|
5 |
CVE-2017-6814 |
79 |
|
XSS |
2017-03-11 |
2017-11-03 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function in wp-includes/js/mediaelement/wp-playlist.js. |
|
6 |
CVE-2016-7168 |
79 |
|
XSS |
2017-01-04 |
2017-11-03 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename. |
|
7 |
CVE-2015-7989 |
79 |
|
XSS |
2016-05-21 |
2017-11-03 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the user list table in WordPress before 4.3.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted e-mail address, a different vulnerability than CVE-2015-5714. |
|
8 |
CVE-2015-5622 |
79 |
|
XSS |
2015-08-03 |
2017-11-03 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.php. |
|
9 |
CVE-2013-5739 |
79 |
|
XSS |
2013-09-12 |
2013-09-26 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php. |
|
10 |
CVE-2013-4340 |
264 |
|
|
2013-09-12 |
2013-10-02 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter. |
|
11 |
CVE-2012-4422 |
264 |
|
|
2012-09-14 |
2012-09-17 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin changes by leveraging the Administrator role. |
|
12 |
CVE-2011-0700 |
79 |
|
XSS |
2011-03-14 |
2017-11-21 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or post_title), (2) post_status, (3) comment_status, (4) ping_status, and (5) escaping of tags within the tags meta box. |
|
13 |
CVE-2009-3891 |
79 |
|
XSS |
2009-11-17 |
2017-11-22 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in wp-admin/press-this.php in WordPress before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML via the s parameter (aka the selection variable). |
|
14 |
CVE-2007-1732 |
79 |
|
XSS |
2007-03-28 |
2016-11-21 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
** DISPUTED ** Cross-site scripting (XSS) vulnerability in an mt import in wp-admin/admin.php in WordPress 2.1.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the demo parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: another researcher disputes this issue, stating that this is legitimate functionality for administrators. However, it has been patched by at least one vendor. |
