# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
1 |
CVE-2022-21664 |
89 |
|
Sql |
2022-01-06 |
2022-04-12 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. |
2 |
CVE-2022-21663 |
74 |
|
Bypass |
2022-01-06 |
2022-07-28 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. |
3 |
CVE-2021-39203 |
|
|
Bypass |
2021-09-09 |
2022-08-05 |
6.0 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
Partial |
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release. |
4 |
CVE-2020-28039 |
|
|
|
2020-11-02 |
2022-06-29 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected. |
5 |
CVE-2020-4050 |
288 |
|
|
2020-06-12 |
2020-09-11 |
6.0 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
Partial |
In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). |
6 |
CVE-2019-17675 |
352 |
|
CSRF |
2019-10-17 |
2023-02-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF. |
7 |
CVE-2019-9787 |
352 |
|
Exec Code XSS CSRF |
2019-03-14 |
2019-03-31 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php. |
8 |
CVE-2019-8942 |
94 |
|
Exec Code |
2019-02-20 |
2021-07-21 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943. |
9 |
CVE-2018-1000773 |
20 |
|
Exec Code |
2018-09-06 |
2018-11-14 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. |
10 |
CVE-2018-19296 |
502 |
|
|
2018-11-16 |
2022-12-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. |
11 |
CVE-2018-14028 |
434 |
|
Exec Code |
2018-08-10 |
2018-10-10 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins. |
12 |
CVE-2018-12895 |
22 |
|
Exec Code Dir. Trav. |
2018-06-26 |
2021-11-05 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges. |
13 |
CVE-2017-1000600 |
20 |
|
Exec Code |
2018-09-06 |
2018-10-26 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. This issue appears to have been partially, but not completely fixed in WordPress 4.9 |
14 |
CVE-2017-17091 |
330 |
|
Bypass |
2017-12-02 |
2019-10-03 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string. |
15 |
CVE-2017-9064 |
352 |
|
CSRF |
2017-05-18 |
2019-03-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials. |
16 |
CVE-2017-5492 |
352 |
|
CSRF |
2017-01-15 |
2017-11-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php. |
17 |
CVE-2017-5489 |
352 |
|
CSRF |
2017-01-15 |
2017-11-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload. |
18 |
CVE-2016-7169 |
22 |
|
Dir. Trav. |
2017-01-05 |
2017-11-04 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter. |
19 |
CVE-2016-6635 |
352 |
|
CSRF |
2016-08-07 |
2017-11-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers to hijack the authentication of administrators for requests that change the script compression option. |
20 |
CVE-2015-5731 |
352 |
|
DoS CSRF |
2015-11-09 |
2017-11-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action. |
21 |
CVE-2014-9038 |
20 |
|
|
2014-11-25 |
2015-10-05 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery (SSRF) attacks by referring to a 127.0.0.0/8 resource. |
22 |
CVE-2014-9037 |
310 |
|
|
2014-11-25 |
2016-06-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash. |
23 |
CVE-2014-9033 |
352 |
|
CSRF |
2014-11-25 |
2015-11-02 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack the authentication of arbitrary users for requests that reset passwords. |
24 |
CVE-2014-5205 |
352 |
|
Bypass CSRF |
2014-08-18 |
2014-11-14 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. |
25 |
CVE-2014-5204 |
352 |
|
Bypass CSRF |
2014-08-18 |
2015-11-25 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. |
26 |
CVE-2014-0166 |
287 |
|
|
2014-04-10 |
2017-12-16 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. |
27 |
CVE-2013-7233 |
352 |
|
CSRF |
2013-12-30 |
2013-12-31 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earlier allows remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list. |
28 |
CVE-2013-3250 |
352 |
|
CSRF |
2013-06-21 |
2013-06-24 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in the WP Maintenance Mode plugin before 1.8.8 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that modify this plugin's settings. |
29 |
CVE-2013-0235 |
|
|
|
2013-07-08 |
2013-07-08 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue. |
30 |
CVE-2012-6634 |
264 |
|
Bypass +Info |
2014-01-21 |
2014-02-25 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
wp-admin/media-upload.php in WordPress before 3.3.3 allows remote attackers to obtain sensitive information or bypass intended media-attachment restrictions via a post_id value. |
31 |
CVE-2012-4448 |
352 |
1
|
CSRF |
2012-09-28 |
2012-10-01 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action. |
32 |
CVE-2012-3384 |
352 |
|
CSRF |
2012-07-22 |
2012-08-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
33 |
CVE-2012-1936 |
352 |
1
|
CSRF |
2012-05-03 |
2017-12-14 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
** DISPUTED ** The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network, as demonstrated by attacks against the wp-admin/admin-ajax.php and wp-admin/user-new.php scripts. NOTE: the vendor reportedly disputes the significance of this issue because wp_create_nonce operates as intended, even if it is arguably inconsistent with certain CSRF protection details advocated by external organizations. |
34 |
CVE-2010-5106 |
264 |
|
Bypass |
2012-09-14 |
2012-09-17 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role. |
35 |
CVE-2010-4257 |
89 |
|
Exec Code Sql |
2010-12-07 |
2017-11-21 |
6.0 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
Partial |
SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field. |
36 |
CVE-2009-3890 |
94 |
|
Exec Code |
2009-11-17 |
2017-11-21 |
6.0 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
Partial |
Unrestricted file upload vulnerability in the wp_check_filetype function in wp-includes/functions.php in WordPress before 2.8.6, when a certain configuration of the mod_mime module in the Apache HTTP Server is enabled, allows remote authenticated users to execute arbitrary code by posting an attachment with a multiple-extension filename, and then accessing this attachment via a direct request to a wp-content/uploads/ pathname, as demonstrated by a .php.jpg filename. |
37 |
CVE-2009-2854 |
264 |
|
|
2009-08-18 |
2017-11-22 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
Wordpress before 2.8.3 does not check capabilities for certain actions, which allows remote attackers to make unauthorized edits or additions via a direct request to (1) edit-comments.php, (2) edit-pages.php, (3) edit.php, (4) edit-category-form.php, (5) edit-link-category-form.php, (6) edit-tag-form.php, (7) export.php, (8) import.php, or (9) link-add.php in wp-admin/. |
38 |
CVE-2008-0664 |
264 |
|
|
2008-02-08 |
2011-03-08 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors. |
39 |
CVE-2008-0616 |
89 |
|
Exec Code Sql |
2008-02-06 |
2018-10-15 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
SQL injection vulnerability in the administration panel in the DMSGuestbook 1.7.0 plugin for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via unspecified vectors. NOTE: it is not clear whether this issue crosses privilege boundaries. |
40 |
CVE-2008-0508 |
352 |
|
XSS CSRF |
2008-01-31 |
2018-10-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in deans_permalinks_migration.php in the Dean's Permalinks Migration 1.0 plugin for WordPress allows remote attackers to modify the oldstructure (aka dean_pm_config[oldstructure]) configuration setting as administrators via the old_struct parameter in a deans_permalinks_migration.php action to wp-admin/options-general.php, as demonstrated by placing an XSS sequence in this setting. |
41 |
CVE-2008-0388 |
89 |
|
Exec Code Sql |
2008-01-23 |
2017-09-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
SQL injection vulnerability in the WP-Forum 1.7.4 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the user parameter in a showprofile action to the default URI. |
42 |
CVE-2007-6318 |
89 |
|
Exec Code Sql |
2007-12-12 |
2018-10-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
SQL injection vulnerability in wp-includes/query.php in WordPress 2.3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the s parameter, when DB_CHARSET is set to (1) Big5, (2) GBK, or possibly other character set encodings that support a "\" in a multibyte character. |
43 |
CVE-2007-6013 |
287 |
|
Bypass |
2007-11-19 |
2018-10-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Wordpress 1.5 through 2.3.1 uses cookie values based on the MD5 hash of a password MD5 hash, which allows attackers to bypass authentication by obtaining the MD5 hash from the user database, then generating the authentication cookie from that hash. |
44 |
CVE-2007-4154 |
|
|
Exec Code Sql |
2007-08-03 |
2017-07-29 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
SQL injection vulnerability in options.php in WordPress 2.2.1 allows remote authenticated administrators to execute arbitrary SQL commands via the page_options parameter to (1) options-general.php, (2) options-writing.php, (3) options-reading.php, (4) options-discussion.php, (5) options-privacy.php, (6) options-permalink.php, (7) options-misc.php, and possibly other unspecified components. |
45 |
CVE-2007-3544 |
|
|
Exec Code |
2007-07-03 |
2013-09-08 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
Unrestricted file upload vulnerability in (1) wp-app.php and (2) app.php in WordPress 2.2.1 and WordPress MU 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code via unspecified vectors, possibly related to the wp_postmeta table and the use of custom fields in normal (non-attachment) posts. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2007-3543. |
46 |
CVE-2007-3543 |
|
|
Exec Code |
2007-07-03 |
2008-11-15 |
6.0 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
Partial |
Unrestricted file upload vulnerability in WordPress before 2.2.1 and WordPress MU before 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code by making a post that specifies a .php filename in the _wp_attached_file metadata field; and then sending this file's content, along with its post_ID value, to (1) wp-app.php or (2) app.php. |
47 |
CVE-2007-3238 |
|
|
XSS |
2007-06-15 |
2018-10-16 |
6.0 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
Partial |
Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress 2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php, a different vulnerability than CVE-2007-1622. NOTE: this might not cross privilege boundaries in some configurations, since the Administrator role has the unfiltered_html capability. |
48 |
CVE-2007-3140 |
|
|
Exec Code Sql |
2007-06-08 |
2017-10-19 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
SQL injection vulnerability in xmlrpc.php in WordPress 2.2 allows remote authenticated users to execute arbitrary SQL commands via a parameter value in an XML RPC wp.suggestCategories methodCall, a different vector than CVE-2007-1897. |
49 |
CVE-2007-2627 |
|
|
XSS |
2007-05-11 |
2018-10-16 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site scripting (XSS) vulnerability in sidebar.php in WordPress, when custom 404 pages that call get_sidebar are used, allows remote attackers to inject arbitrary web script or HTML via the query string (PHP_SELF), a different vulnerability than CVE-2007-1622. |
50 |
CVE-2007-1897 |
89 |
|
Exec Code Sql |
2007-04-09 |
2017-10-11 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute arbitrary SQL commands via a string parameter value in an XML RPC mt.setPostCategories method call, related to the post_id variable. |