| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2018-20150 |
79 |
|
XSS |
2018-12-14 |
2019-01-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. |
|
2 |
CVE-2018-10102 |
79 |
|
XSS |
2018-04-16 |
2018-05-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. |
|
3 |
CVE-2018-5776 |
79 |
|
XSS |
2018-01-18 |
2018-02-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). |
|
4 |
CVE-2017-14990 |
200 |
|
Sql +Info |
2017-10-02 |
2017-11-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability). |
|
5 |
CVE-2017-14726 |
79 |
|
XSS |
2017-09-23 |
2017-11-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor. |
|
6 |
CVE-2017-14725 |
601 |
|
|
2017-09-23 |
2017-11-09 |
4.9 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
None |
|
Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php. |
|
7 |
CVE-2017-14724 |
79 |
|
XSS |
2017-09-23 |
2017-11-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. |
|
8 |
CVE-2017-14721 |
79 |
|
XSS |
2017-09-23 |
2017-11-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name. |
|
9 |
CVE-2017-14720 |
79 |
|
XSS |
2017-09-23 |
2017-11-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. |
|
10 |
CVE-2017-14718 |
79 |
|
XSS |
2017-09-23 |
2017-11-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL. |
|
11 |
CVE-2017-9063 |
79 |
|
XSS |
2017-05-18 |
2017-11-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session. |
|
12 |
CVE-2017-9061 |
79 |
|
XSS |
2017-05-18 |
2017-11-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename. |
|
13 |
CVE-2017-8295 |
640 |
|
|
2017-05-04 |
2017-11-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message. |
|
14 |
CVE-2017-6819 |
352 |
|
CSRF |
2017-03-11 |
2017-07-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This. |
|
15 |
CVE-2017-6818 |
79 |
|
XSS |
2017-03-11 |
2017-07-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. |
|
16 |
CVE-2017-6816 |
284 |
|
|
2017-03-11 |
2017-11-03 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality. |
|
17 |
CVE-2017-5612 |
79 |
|
XSS |
2017-01-29 |
2017-11-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt. |
|
18 |
CVE-2017-5490 |
79 |
|
XSS |
2017-01-14 |
2017-11-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php. |
|
19 |
CVE-2017-5488 |
79 |
|
XSS |
2017-01-14 |
2017-11-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) version header of a plugin. |
|
20 |
CVE-2016-10148 |
284 |
|
Bypass |
2017-01-18 |
2017-03-15 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896. |
|
21 |
CVE-2016-6897 |
352 |
|
CSRF |
2017-01-18 |
2017-09-02 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896. |
|
22 |
CVE-2016-6634 |
79 |
|
XSS |
2016-08-07 |
2017-11-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
23 |
CVE-2016-5834 |
79 |
|
XSS |
2016-06-29 |
2016-11-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833. |
|
24 |
CVE-2016-5833 |
79 |
|
XSS |
2016-06-29 |
2016-11-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834. |
|
25 |
CVE-2016-4567 |
79 |
|
XSS |
2016-05-21 |
2016-12-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn." |
|
26 |
CVE-2016-4566 |
79 |
|
XSS |
2016-05-21 |
2016-12-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack. |
|
27 |
CVE-2016-1564 |
79 |
|
XSS |
2016-05-21 |
2017-11-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php. |
|
28 |
CVE-2015-8834 |
79 |
|
XSS |
2016-05-21 |
2016-11-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3440. |
|
29 |
CVE-2015-5734 |
79 |
|
XSS |
2015-11-09 |
2017-11-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a crafted string. |
|
30 |
CVE-2015-5733 |
79 |
|
XSS |
2015-11-09 |
2017-09-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the refreshAdvancedAccessibilityOfItem function in wp-admin/js/nav-menu.js in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via an accessibility-helper title. |
|
31 |
CVE-2015-5732 |
79 |
|
XSS |
2015-11-09 |
2017-11-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the form function in the WP_Nav_Menu_Widget class in wp-includes/default-widgets.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a widget title. |
|
32 |
CVE-2015-5715 |
264 |
|
Bypass |
2016-05-21 |
2017-11-03 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in the XMLRPC subsystem in WordPress before 4.3.1 allows remote authenticated users to bypass intended access restrictions, and arrange for a private post to be published and sticky, via unspecified vectors. |
|
33 |
CVE-2015-5714 |
79 |
|
XSS |
2016-05-21 |
2017-11-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the mishandling of unclosed HTML elements during processing of shortcode tags. |
|
34 |
CVE-2015-5623 |
284 |
|
Bypass |
2015-08-03 |
2017-09-20 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php. |
|
35 |
CVE-2015-3440 |
79 |
|
XSS |
2015-08-03 |
2016-12-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. |
|
36 |
CVE-2015-3439 |
79 |
|
Exec Code XSS |
2015-08-05 |
2016-12-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as. |
|
37 |
CVE-2015-3438 |
79 |
|
XSS |
2015-08-04 |
2016-12-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 4.1.2, when MySQL is used without strict mode, allow remote attackers to inject arbitrary web script or HTML via a (1) four-byte UTF-8 character or (2) invalid character that reaches the database layer, as demonstrated by a crafted character in a comment. |
|
38 |
CVE-2014-9039 |
254 |
|
|
2014-11-25 |
2015-04-29 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message. |
|
39 |
CVE-2014-9036 |
79 |
|
XSS |
2014-11-25 |
2016-04-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted Cascading Style Sheets (CSS) token sequence in a post. |
|
40 |
CVE-2014-9035 |
79 |
|
XSS |
2014-11-25 |
2016-04-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
41 |
CVE-2014-9032 |
79 |
|
XSS |
2014-11-25 |
2015-10-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the media-playlists feature in WordPress before 3.9.x before 3.9.3 and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
42 |
CVE-2014-9031 |
79 |
|
XSS |
2014-11-25 |
2015-10-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the wptexturize function in WordPress before 3.7.5, 3.8.x before 3.8.5, and 3.9.x before 3.9.3 allows remote attackers to inject arbitrary web script or HTML via crafted use of shortcode brackets in a text field, as demonstrated by a comment or a post. |
|
43 |
CVE-2014-0165 |
264 |
|
|
2014-04-09 |
2017-12-15 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php. |
|
44 |
CVE-2013-5738 |
20 |
|
XSS |
2013-09-12 |
2013-09-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file. |
|
45 |
CVE-2013-2205 |
79 |
|
XSS Bypass |
2013-07-08 |
2016-12-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site. |
|
46 |
CVE-2013-2204 |
20 |
|
|
2013-07-08 |
2013-08-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) character during extraction of the QUERY_STRING, which allows remote attackers to pass arbitrary parameters to a Flash application, and conduct content-spoofing attacks, via a crafted string after a ? (question mark) character. |
|
47 |
CVE-2013-2203 |
264 |
|
+Info |
2013-07-08 |
2013-09-10 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
WordPress before 3.5.2, when the uploads directory forbids write access, allows remote attackers to obtain sensitive information via an invalid upload request, which reveals the absolute path in an XMLHttpRequest error message. |
|
48 |
CVE-2013-2202 |
200 |
|
+Info |
2013-07-08 |
2013-10-07 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
WordPress before 3.5.2 allows remote attackers to read arbitrary files via an oEmbed XML provider response containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
|
49 |
CVE-2013-2201 |
79 |
|
XSS |
2013-07-08 |
2013-09-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) uploads of media files, (2) editing of media files, (3) installation of plugins, (4) updates to plugins, (5) installation of themes, or (6) updates to themes. |
|
50 |
CVE-2013-2200 |
264 |
|
Bypass |
2013-07-08 |
2013-08-13 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
WordPress before 3.5.2 does not properly check the capabilities of roles, which allows remote authenticated users to bypass intended restrictions on publishing and authorship reassignment via unspecified vectors. |
