| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2022-21661 | 89 | | Sql | 2022-01-06 | 2022-04-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None | WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases that go back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability. |
| 2 | CVE-2020-28033 | | | | 2020-11-02 | 2022-06-29 | 5.0 | None | Remote | Low | Not required | None | Partial | None | WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed. |
| 3 | CVE-2020-25286 | | | | 2020-09-13 | 2020-09-17 | 5.0 | None | Remote | Low | Not required | Partial | None | None | In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public. |
| 4 | CVE-2020-11027 | 640 | | | 2020-04-30 | 2020-05-11 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). |
| 5 | CVE-2019-20043 | 269 | | Bypass | 2019-12-27 | 2023-01-20 | 5.0 | None | Remote | Low | Not required | None | Partial | None | In wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. |
| 6 | CVE-2019-17673 | | | | 2019-10-17 | 2022-03-31 | 5.0 | None | Remote | Low | Not required | None | Partial | None | WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header. |
| 7 | CVE-2019-17671 | 200 | | +Info | 2019-10-17 | 2019-11-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled. |
| 8 | CVE-2019-16220 | 601 | | | 2019-09-11 | 2019-09-12 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect. |
| 9 | CVE-2018-20151 | 200 | | +Info | 2018-12-14 | 2019-03-04 | 5.0 | None | Remote | Low | Not required | Partial | None | None | In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default. |
| 10 | CVE-2018-20147 | 863 | | Bypass | 2018-12-14 | 2020-08-24 | 5.5 | None | Remote | Low | ??? | None | Partial | Partial | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files. |
| 11 | CVE-2018-10101 | 601 | | | 2018-04-16 | 2019-03-07 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. |
| 12 | CVE-2018-10100 | 601 | | | 2018-04-16 | 2018-05-18 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. |
| 13 | CVE-2018-6389 | 400 | | DoS | 2018-02-06 | 2019-03-01 | 5.0 | None | Remote | Low | Not required | None | None | Partial | In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times. |
| 14 | CVE-2017-1001000 | | | | 2017-04-03 | 2019-10-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI. |
| 15 | CVE-2017-14722 | 22 | | Dir. Trav. | 2017-09-23 | 2017-11-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename. |
| 16 | CVE-2017-14719 | 22 | | Dir. Trav. | 2017-09-23 | 2017-11-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components. |
| 17 | CVE-2017-9066 | 918 | | | 2017-05-18 | 2019-03-15 | 5.0 | None | Remote | Low | Not required | None | Partial | None | In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. |
| 18 | CVE-2017-9065 | 20 | | | 2017-05-18 | 2019-03-15 | 5.0 | None | Remote | Low | Not required | None | Partial | None | In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. |
| 19 | CVE-2017-9062 | 352 | | | 2017-05-18 | 2019-10-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. |
| 20 | CVE-2017-6816 | 863 | | | 2017-03-12 | 2019-10-03 | 5.5 | None | Remote | Low | ??? | None | Partial | Partial | In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality. |
| 21 | CVE-2017-6815 | 20 | | | 2017-03-12 | 2019-03-19 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation. |
| 22 | CVE-2017-6514 | 200 | | +Info | 2019-05-22 | 2019-05-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None | WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring. |
| 23 | CVE-2017-5610 | 200 | | Bypass +Info | 2017-01-30 | 2019-03-19 | 5.0 | None | Remote | Low | Not required | Partial | None | None | wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms. |
| 24 | CVE-2017-5493 | 338 | | Bypass | 2017-01-15 | 2019-10-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup. |
| 25 | CVE-2017-5491 | 1188 | | Bypass | 2017-01-15 | 2019-10-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name. |
| 26 | CVE-2017-5487 | 200 | | +Info | 2017-01-15 | 2017-09-01 | 5.0 | None | Remote | Low | Not required | Partial | None | None | wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request. |
| 27 | CVE-2016-6896 | 22 | | DoS Dir. Trav. | 2017-01-18 | 2017-09-03 | 5.5 | None | Remote | Low | ??? | Partial | None | Partial | Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool. |
| 28 | CVE-2016-5839 | | | Bypass | 2016-06-29 | 2016-11-28 | 5.0 | None | Remote | Low | Not required | None | Partial | None | WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors. |
| 29 | CVE-2016-5838 | 255 | | Bypass | 2016-06-29 | 2016-11-30 | 5.0 | None | Remote | Low | Not required | None | Partial | None | WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie. |
| 30 | CVE-2016-5837 | | | Bypass | 2016-06-29 | 2016-11-30 | 5.0 | None | Remote | Low | Not required | None | Partial | None | WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors. |
| 31 | CVE-2016-5836 | | | DoS | 2016-06-29 | 2018-07-31 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors. |
| 32 | CVE-2016-5835 | 200 | | +Info | 2016-06-29 | 2016-11-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php. |
| 33 | CVE-2016-5832 | | | Bypass | 2016-06-29 | 2016-11-30 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors. |
| 34 | CVE-2016-4029 | 285 | | Bypass | 2016-08-07 | 2017-11-04 | 5.0 | None | Remote | Low | Not required | None | Partial | None | WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address. |
| 35 | CVE-2016-2222 | | | | 2016-05-22 | 2017-11-04 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request forgery (SSRF) attacks via a zero value in the first octet of an IPv4 address in the u parameter to wp-admin/press-this.php. |
| 36 | CVE-2016-2221 | | | | 2016-05-22 | 2017-11-04 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Open redirect vulnerability in the wp_validate_redirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as demonstrated by an https:example.com URL. |
| 37 | CVE-2015-5730 | 200 | | +Info | 2015-11-09 | 2017-09-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time comparison for widgets, which allows remote attackers to conduct a timing side-channel attack by measuring the delay before inequality is calculated. |
| 38 | CVE-2014-9034 | 19 | | DoS | 2014-11-25 | 2016-04-04 | 5.0 | None | Remote | Low | Not required | None | None | Partial | wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016. |
| 39 | CVE-2014-6412 | 640 | | | 2018-04-12 | 2018-05-17 | 5.0 | None | Remote | Low | Not required | Partial | None | None | WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. |
| 40 | CVE-2014-5266 | 399 | | DoS | 2014-08-18 | 2015-11-25 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265. |
| 41 | CVE-2014-5265 | 399 | | DoS | 2014-08-18 | 2015-11-25 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. |
| 42 | CVE-2012-6707 | 326 | | | 2017-10-19 | 2017-11-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None | WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions. |
| 43 | CVE-2012-3385 | 264 | | +Info | 2012-07-22 | 2012-07-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None | WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or contributors to obtain sensitive information via unknown vectors. |
| 44 | CVE-2012-2402 | 264 | | Bypass | 2012-04-21 | 2017-12-19 | 5.5 | None | Remote | Low | ??? | None | Partial | Partial | wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspecified vectors. |
| 45 | CVE-2012-2401 | 264 | | Bypass | 2012-04-21 | 2017-12-19 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content. |
| 46 | CVE-2012-0937 | | 1 | DoS | 2012-01-30 | 2012-01-31 | 5.0 | None | Remote | Low | Not required | None | None | Partial | ** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which allows remote attackers to use WordPress as a proxy for brute-force attacks or denial of service attacks via the dbhost parameter, a different vulnerability than CVE-2011-4898. NOTE: the vendor disputes the significance of this issue because an incomplete WordPress installation might be present on the network for only a short time. |
| 47 | CVE-2011-4957 | 20 | | DoS | 2012-06-27 | 2012-06-28 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls. |
| 48 | CVE-2011-4898 | 200 | 1 | +Info | 2012-01-30 | 2012-01-31 | 5.0 | None | Remote | Low | Not required | None | None | Partial | ** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during installation would be reasonable from a usability perspective. |
| 49 | CVE-2011-3818 | 200 | | +Info | 2011-09-24 | 2012-05-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | WordPress 2.9.2 and 3.0.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by wp-admin/includes/user.php and certain other files. |
| 50 | CVE-2011-3128 | 200 | | +Info | 2011-08-10 | 2017-08-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None | WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 treats unattached attachments as published, which might allow remote attackers to obtain sensitive data via vectors related to wp-includes/post.php. |