| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2021-39200 | 200 | | +Info | 2021-09-09 | 2021-12-14 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can then be used to perform actions on your behalf. This has been patched in WordPress 5.8.1, along with any older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix. |
| 2 | CVE-2021-29450 | 200 | | +Info | 2021-04-15 | 2021-04-23 | 4.0 | None | Remote | Low | ??? | Partial | None | None | WordPress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix. |
| 3 | CVE-2021-29447 | 611 | | | 2021-04-15 | 2022-10-27 | 4.0 | None | Remote | Low | ??? | Partial | None | None | WordPress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires the WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled. |
| 4 | CVE-2020-28040 | 352 | | CSRF | 2020-11-02 | 2022-06-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress before 5.5.2 allows CSRF attacks that change a theme's background image. |
| 5 | CVE-2020-28038 | 79 | | XSS | 2020-11-02 | 2022-06-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress before 5.5.2 allows stored XSS via post slugs. |
| 6 | CVE-2020-28034 | 79 | | XSS | 2020-11-02 | 2022-06-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress before 5.5.2 allows XSS associated with global variables. |
| 7 | CVE-2020-11029 | 79 | | XSS | 2020-04-30 | 2020-05-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). |
| 8 | CVE-2020-11028 | 306 | | | 2020-04-30 | 2021-09-14 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). |
| 9 | CVE-2020-4048 | 601 | | | 2020-06-12 | 2020-09-11 | 4.9 | None | Remote | Medium | ??? | Partial | Partial | None | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
| 10 | CVE-2019-20042 | 79 | | XSS | 2019-12-27 | 2023-01-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. |
| 11 | CVE-2019-17672 | 79 | | XSS | 2019-10-17 | 2020-01-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements. |
| 12 | CVE-2019-16222 | 79 | | XSS | 2019-09-11 | 2019-09-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks. |
| 13 | CVE-2019-16221 | 79 | | XSS | 2019-09-11 | 2019-09-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress before 5.2.3 allows reflected XSS in the dashboard. |
| 14 | CVE-2019-16219 | 79 | | XSS | 2019-09-11 | 2019-09-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress before 5.2.3 allows XSS in shortcode previews. |
| 15 | CVE-2019-16218 | 79 | | XSS | 2019-09-11 | 2019-09-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress before 5.2.3 allows XSS in stored comments. |
| 16 | CVE-2019-16217 | 79 | | XSS | 2019-09-11 | 2019-10-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. |
| 17 | CVE-2019-8943 | 22 | | Dir. Trav. | 2019-02-20 | 2021-02-23 | 4.0 | None | Remote | Low | ??? | None | Partial | None | WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring. |
| 18 | CVE-2018-20152 | 20 | | Bypass | 2018-12-14 | 2019-03-04 | 4.0 | None | Remote | Low | ??? | None | Partial | None | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. |
| 19 | CVE-2018-20150 | 79 | | XSS | 2018-12-14 | 2019-03-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. |
| 20 | CVE-2018-10102 | 79 | | XSS | 2018-04-16 | 2018-05-18 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. |
| 21 | CVE-2018-5776 | 79 | | XSS | 2018-01-18 | 2018-02-01 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). |
| 22 | CVE-2017-14990 | 312 | | Sql | 2017-10-03 | 2019-10-03 | 4.0 | None | Remote | Low | ??? | Partial | None | None | WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability). |
| 23 | CVE-2017-14726 | 79 | | XSS | 2017-09-23 | 2017-11-10 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor. |
| 24 | CVE-2017-14725 | 601 | | | 2017-09-23 | 2017-11-10 | 4.9 | None | Remote | Medium | ??? | Partial | Partial | None | Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php. |
| 25 | CVE-2017-14724 | 79 | | XSS | 2017-09-23 | 2017-11-10 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. |
| 26 | CVE-2017-14721 | 79 | | XSS | 2017-09-23 | 2017-11-10 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name. |
| 27 | CVE-2017-14720 | 79 | | XSS | 2017-09-23 | 2017-11-10 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. |
| 28 | CVE-2017-14718 | 79 | | XSS | 2017-09-23 | 2017-11-10 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL. |
| 29 | CVE-2017-9063 | 79 | | XSS | 2017-05-18 | 2019-03-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session. |
| 30 | CVE-2017-9061 | 79 | | XSS | 2017-05-18 | 2019-03-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename. |
| 31 | CVE-2017-8295 | 640 | | | 2017-05-04 | 2017-11-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message. |
| 32 | CVE-2017-6819 | 352 | | CSRF | 2017-03-12 | 2019-03-19 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This. |
| 33 | CVE-2017-6818 | 79 | | XSS | 2017-03-12 | 2019-03-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. |
| 34 | CVE-2017-5612 | 79 | | XSS | 2017-01-30 | 2019-03-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt. |
| 35 | CVE-2017-5490 | 79 | | XSS | 2017-01-15 | 2017-11-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php. |
| 36 | CVE-2017-5488 | 79 | | XSS | 2017-01-15 | 2017-11-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) version header of a plugin. |
| 37 | CVE-2016-10148 | 254 | | Bypass | 2017-01-18 | 2017-03-16 | 4.0 | None | Remote | Low | ??? | Partial | None | None | The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896. |
| 38 | CVE-2016-6897 | 352 | | CSRF | 2017-01-18 | 2017-09-03 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896. |
| 39 | CVE-2016-6634 | 79 | | XSS | 2016-08-07 | 2017-11-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 40 | CVE-2016-5834 | 79 | | XSS | 2016-06-29 | 2016-11-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833. |
| 41 | CVE-2016-5833 | 79 | | XSS | 2016-06-29 | 2016-11-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834. |
| 42 | CVE-2016-4567 | 79 | | XSS | 2016-05-22 | 2016-12-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn." |
| 43 | CVE-2016-4566 | 79 | | XSS | 2016-05-22 | 2016-12-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack. |
| 44 | CVE-2016-1564 | 79 | | XSS | 2016-05-22 | 2017-11-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php. |
| 45 | CVE-2015-8834 | 79 | | XSS | 2016-05-22 | 2016-11-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3440. |
| 46 | CVE-2015-5734 | 79 | | XSS | 2015-11-09 | 2017-11-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a crafted string. |
| 47 | CVE-2015-5733 | 79 | | XSS | 2015-11-09 | 2017-09-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the refreshAdvancedAccessibilityOfItem function in wp-admin/js/nav-menu.js in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via an accessibility-helper title. |
| 48 | CVE-2015-5732 | 79 | | XSS | 2015-11-09 | 2017-11-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the form function in the WP_Nav_Menu_Widget class in wp-includes/default-widgets.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a widget title. |
| 49 | CVE-2015-5715 | 264 | | Bypass | 2016-05-22 | 2017-11-04 | 4.0 | None | Remote | Low | ??? | None | Partial | None | The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in the XMLRPC subsystem in WordPress before 4.3.1 allows remote authenticated users to bypass intended access restrictions, and arrange for a private post to be published and sticky, via unspecified vectors. |
| 50 | CVE-2015-5714 | 79 | | XSS | 2016-05-22 | 2017-11-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the mishandling of unclosed HTML elements during processing of shortcode tags. |