| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-16220 |
601 |
|
|
2019-09-11 |
2019-09-12 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect. |
|
2 |
CVE-2018-20152 |
20 |
|
Bypass |
2018-12-14 |
2019-01-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. |
|
3 |
CVE-2018-20151 |
200 |
|
+Info |
2018-12-14 |
2019-01-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default. |
|
4 |
CVE-2018-20147 |
287 |
|
Bypass |
2018-12-14 |
2019-10-02 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
|
In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files. |
|
5 |
CVE-2018-10101 |
601 |
|
|
2018-04-16 |
2018-06-02 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. |
|
6 |
CVE-2018-10100 |
601 |
|
|
2018-04-16 |
2018-05-18 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. |
|
7 |
CVE-2018-6389 |
399 |
|
DoS |
2018-02-06 |
2018-03-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times. |
|
8 |
CVE-2017-1001000 |
|
|
|
2017-04-02 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI. |
|
9 |
CVE-2017-14722 |
22 |
|
Dir. Trav. |
2017-09-23 |
2017-11-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename. |
|
10 |
CVE-2017-14719 |
22 |
|
Dir. Trav. |
2017-09-23 |
2017-11-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components. |
|
11 |
CVE-2017-9066 |
918 |
|
|
2017-05-18 |
2018-01-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. |
|
12 |
CVE-2017-9065 |
20 |
|
|
2017-05-18 |
2017-11-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. |
|
13 |
CVE-2017-9062 |
352 |
|
|
2017-05-18 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. |
|
14 |
CVE-2017-6816 |
863 |
|
|
2017-03-11 |
2019-10-02 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
|
In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality. |
|
15 |
CVE-2017-6815 |
20 |
|
|
2017-03-11 |
2017-11-03 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation. |
|
16 |
CVE-2017-6514 |
200 |
|
+Info |
2019-05-22 |
2019-05-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring. |
|
17 |
CVE-2017-5610 |
200 |
|
Bypass +Info |
2017-01-29 |
2017-11-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms. |
|
18 |
CVE-2017-5493 |
338 |
|
Bypass |
2017-01-14 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup. |
|
19 |
CVE-2017-5491 |
1188 |
|
Bypass |
2017-01-14 |
2019-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name. |
|
20 |
CVE-2017-5487 |
200 |
|
+Info |
2017-01-14 |
2017-08-31 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request. |
|
21 |
CVE-2016-6896 |
22 |
|
DoS Dir. Trav. |
2017-01-18 |
2017-09-02 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
None |
Partial |
|
Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool. |
|
22 |
CVE-2016-5839 |
|
|
Bypass |
2016-06-29 |
2016-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors. |
|
23 |
CVE-2016-5838 |
255 |
|
Bypass |
2016-06-29 |
2016-11-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie. |
|
24 |
CVE-2016-5837 |
|
|
Bypass |
2016-06-29 |
2016-11-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors. |
|
25 |
CVE-2016-5836 |
|
|
DoS |
2016-06-29 |
2018-07-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors. |
|
26 |
CVE-2016-5835 |
200 |
|
+Info |
2016-06-29 |
2016-11-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php. |
|
27 |
CVE-2016-5832 |
|
|
Bypass |
2016-06-29 |
2016-11-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors. |
|
28 |
CVE-2016-4029 |
285 |
|
Bypass |
2016-08-07 |
2017-11-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address. |
|
29 |
CVE-2016-2222 |
|
|
|
2016-05-21 |
2017-11-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request forgery (SSRF) attacks via a zero value in the first octet of an IPv4 address in the u parameter to wp-admin/press-this.php. |
|
30 |
CVE-2016-2221 |
|
|
|
2016-05-21 |
2017-11-03 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the wp_validate_redirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as demonstrated by an https:example.com URL. |
|
31 |
CVE-2015-5730 |
200 |
|
+Info |
2015-11-09 |
2017-09-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time comparison for widgets, which allows remote attackers to conduct a timing side-channel attack by measuring the delay before inequality is calculated. |
|
32 |
CVE-2014-9034 |
19 |
|
DoS |
2014-11-25 |
2016-04-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016. |
|
33 |
CVE-2014-6412 |
640 |
|
|
2018-04-12 |
2018-05-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. |
|
34 |
CVE-2014-5266 |
399 |
|
DoS |
2014-08-18 |
2015-11-25 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265. |
|
35 |
CVE-2014-5265 |
399 |
|
DoS |
2014-08-18 |
2015-11-25 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. |
|
36 |
CVE-2013-7240 |
22 |
|
Dir. Trav. |
2014-01-03 |
2014-02-25 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dew_file parameter. |
|
37 |
CVE-2012-6707 |
326 |
|
|
2017-10-19 |
2017-11-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions. |
|
38 |
CVE-2012-3588 |
22 |
1
|
Dir. Trav. |
2012-06-19 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in preview.php in the Plugin Newsletter plugin 1.5 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the data parameter. |
|
39 |
CVE-2012-3385 |
264 |
|
+Info |
2012-07-22 |
2012-07-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or contributors to obtain sensitive information via unknown vectors. |
|
40 |
CVE-2012-2402 |
264 |
|
Bypass |
2012-04-21 |
2017-12-18 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
|
wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspecified vectors. |
|
41 |
CVE-2012-2401 |
264 |
|
Bypass |
2012-04-21 |
2017-12-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content. |
|
42 |
CVE-2012-0937 |
|
1
|
DoS |
2012-01-30 |
2012-01-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which allows remote attackers to use WordPress as a proxy for brute-force attacks or denial of service attacks via the dbhost parameter, a different vulnerability than CVE-2011-4898. NOTE: the vendor disputes the significance of this issue because an incomplete WordPress installation might be present on the network for only a short time. |
|
43 |
CVE-2011-4957 |
20 |
|
DoS |
2012-06-27 |
2012-06-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls. |
|
44 |
CVE-2011-4898 |
200 |
1
|
+Info |
2012-01-30 |
2012-01-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during installation would be reasonable from a usability perspective. |
|
45 |
CVE-2011-3818 |
200 |
|
+Info |
2011-09-23 |
2012-05-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WordPress 2.9.2 and 3.0.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by wp-admin/includes/user.php and certain other files. |
|
46 |
CVE-2011-3128 |
200 |
|
+Info |
2011-08-10 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 treats unattached attachments as published, which might allow remote attackers to obtain sensitive data via vectors related to wp-includes/post.php. |
|
47 |
CVE-2011-3127 |
20 |
|
|
2011-08-10 |
2017-08-28 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 does not prevent rendering for (1) admin or (2) login pages inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. |
|
48 |
CVE-2011-3126 |
200 |
|
+Info |
2011-08-10 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 allows remote attackers to determine usernames of non-authors via canonical redirects. |
|
49 |
CVE-2010-5293 |
264 |
|
Bypass |
2014-01-20 |
2014-01-21 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
wp-includes/comment.php in WordPress before 3.0.2 does not properly whitelist trackbacks and pingbacks in the blogroll, which allows remote attackers to bypass intended spam restrictions via a crafted URL, as demonstrated by a URL that triggers a substring match. |
|
50 |
CVE-2009-2432 |
264 |
|
+Info |
2009-07-10 |
2018-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WordPress and WordPress MU before 2.8.1 allow remote attackers to obtain sensitive information via a direct request to wp-settings.php, which reveals the installation path in an error message. |
