| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2022-21663 | 74 | | Bypass | 2022-01-06 | 2022-04-12 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with the Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions, going back to 3.7.37, are also fixed via security release. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. |
| 2 | CVE-2021-39203 | 863 | | Bypass | 2021-09-09 | 2021-09-24 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial | WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions, authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release. |
| 3 | CVE-2021-39201 | 79 | | XSS Bypass | 2021-09-09 | 2021-12-14 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. Impact: the issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. Patches: this has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. References: https://wordpress.org/news/category/releases/ and https://hackerone.com/reports/1142140. For more information: if you have any questions or comments about this advisory, open an issue in [HackerOne](https://hackerone.com/wordpress). |
| 4 | CVE-2019-20043 | 269 | | Bypass | 2019-12-27 | 2020-01-10 | 5.0 | None | Remote | Low | Not required | None | Partial | None | In wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. |
| 5 | CVE-2019-20041 | 20 | | Bypass | 2019-12-27 | 2020-01-08 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring. |
| 6 | CVE-2018-20152 | 20 | | Bypass | 2018-12-14 | 2019-03-04 | 4.0 | None | Remote | Low | ??? | None | Partial | None | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. |
| 7 | CVE-2018-20149 | 79 | | XSS Bypass | 2018-12-14 | 2019-03-04 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data. |
| 8 | CVE-2018-20147 | 863 | | Bypass | 2018-12-14 | 2020-08-24 | 5.5 | None | Remote | Low | ??? | None | Partial | Partial | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files. |
| 9 | CVE-2017-17091 | 330 | | Bypass | 2017-12-02 | 2019-10-03 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string. |
| 10 | CVE-2017-5610 | 200 | | Bypass +Info | 2017-01-30 | 2019-03-19 | 5.0 | None | Remote | Low | Not required | Partial | None | None | wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms. |
| 11 | CVE-2017-5493 | 338 | | Bypass | 2017-01-15 | 2019-10-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup. |
| 12 | CVE-2017-5491 | 1188 | | Bypass | 2017-01-15 | 2019-10-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None | wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name. |
| 13 | CVE-2016-10148 | 254 | | Bypass | 2017-01-18 | 2017-03-16 | 4.0 | None | Remote | Low | ??? | Partial | None | None | The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896. |
| 14 | CVE-2016-5839 | | | Bypass | 2016-06-29 | 2016-11-28 | 5.0 | None | Remote | Low | Not required | None | Partial | None | WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors. |
| 15 | CVE-2016-5838 | 255 | | Bypass | 2016-06-29 | 2016-11-30 | 5.0 | None | Remote | Low | Not required | None | Partial | None | WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie. |
| 16 | CVE-2016-5837 | | | Bypass | 2016-06-29 | 2016-11-30 | 5.0 | None | Remote | Low | Not required | None | Partial | None | WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors. |
| 17 | CVE-2016-5832 | | | Bypass | 2016-06-29 | 2016-11-30 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors. |
| 18 | CVE-2016-4029 | 285 | | Bypass | 2016-08-07 | 2017-11-04 | 5.0 | None | Remote | Low | Not required | None | Partial | None | WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address. |
| 19 | CVE-2015-5715 | 264 | | Bypass | 2016-05-22 | 2017-11-04 | 4.0 | None | Remote | Low | ??? | None | Partial | None | The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in the XMLRPC subsystem in WordPress before 4.3.1 allows remote authenticated users to bypass intended access restrictions, and arrange for a private post to be published and sticky, via unspecified vectors. |
| 20 | CVE-2015-5623 | 284 | | Bypass | 2015-08-03 | 2017-09-21 | 4.0 | None | Remote | Low | ??? | None | Partial | None | WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php. |
| 21 | CVE-2014-5205 | 352 | | Bypass CSRF | 2014-08-18 | 2014-11-14 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. |
| 22 | CVE-2014-5204 | 352 | | Bypass CSRF | 2014-08-18 | 2015-11-25 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. |
| 23 | CVE-2013-4339 | 20 | | Bypass | 2013-09-12 | 2013-12-31 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string. |
| 24 | CVE-2013-2205 | 79 | | XSS Bypass | 2013-07-08 | 2016-12-31 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site. |
| 25 | CVE-2013-2200 | 264 | | Bypass | 2013-07-08 | 2013-08-13 | 4.0 | None | Remote | Low | ??? | None | Partial | None | WordPress before 3.5.2 does not properly check the capabilities of roles, which allows remote authenticated users to bypass intended restrictions on publishing and authorship reassignment via unspecified vectors. |
| 26 | CVE-2012-6634 | 264 | | Bypass +Info | 2014-01-21 | 2014-02-25 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | wp-admin/media-upload.php in WordPress before 3.3.3 allows remote attackers to obtain sensitive information or bypass intended media-attachment restrictions via a post_id value. |
| 27 | CVE-2012-4421 | 264 | | Bypass | 2012-09-14 | 2012-09-17 | 4.0 | None | Remote | Low | ??? | None | Partial | None | The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature. |
| 28 | CVE-2012-3383 | 264 | | XSS Bypass | 2012-07-22 | 2012-09-18 | 2.6 | None | Remote | High | Not required | None | Partial | None | The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not properly assign the unfiltered_html capability, which allows remote authenticated users to bypass intended access restrictions and conduct cross-site scripting (XSS) attacks by leveraging the Administrator or Editor role and composing crafted text. |
| 29 | CVE-2012-2402 | 264 | | Bypass | 2012-04-21 | 2017-12-19 | 5.5 | None | Remote | Low | ??? | None | Partial | Partial | wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspecified vectors. |
| 30 | CVE-2012-2401 | 264 | | Bypass | 2012-04-21 | 2017-12-19 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content. |
| 31 | CVE-2010-5297 | 264 | | Bypass | 2014-01-21 | 2014-01-21 | 2.1 | None | Remote | High | ??? | None | Partial | None | WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add action after a temporary change. |
| 32 | CVE-2010-5296 | 264 | | Bypass | 2014-01-21 | 2014-01-21 | 4.9 | None | Remote | Medium | ??? | Partial | Partial | None | wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action. |
| 33 | CVE-2010-5293 | 264 | | Bypass | 2014-01-21 | 2014-01-21 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | wp-includes/comment.php in WordPress before 3.0.2 does not properly whitelist trackbacks and pingbacks in the blogroll, which allows remote attackers to bypass intended spam restrictions via a crafted URL, as demonstrated by a URL that triggers a substring match. |
| 34 | CVE-2010-5106 | 264 | | Bypass | 2012-09-14 | 2012-09-17 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role. |
| 35 | CVE-2009-2762 | 255 | 1 | Bypass | 2009-08-13 | 2017-11-22 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array. |
| 36 | CVE-2008-7216 | 264 | | Bypass | 2009-09-11 | 2018-10-11 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Peter's Math Anti-Spam Spinoff plugin for WordPress generates audio CAPTCHA clips by concatenating static audio files without any additional distortion, which allows remote attackers to bypass CAPTCHA protection by reading certain bytes from the generated clip. |
| 37 | CVE-2008-4616 | 20 | | Bypass | 2008-10-20 | 2018-10-11 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The SpamBam plugin for WordPress allows remote attackers to bypass restrictions and add blog comments by using server-supplied values to calculate a shared key. |
| 38 | CVE-2008-2146 | 264 | | Bypass | 2008-05-12 | 2017-08-08 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | wp-includes/vars.php in WordPress before 2.2.3 does not properly extract the current path from the PATH_INFO ($PHP_SELF), which allows remote attackers to bypass intended access restrictions for certain pages. |
| 39 | CVE-2007-6013 | 287 | | Bypass | 2007-11-19 | 2018-10-15 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | WordPress 1.5 through 2.3.1 uses cookie values based on the MD5 hash of a password MD5 hash, which allows attackers to bypass authentication by obtaining the MD5 hash from the user database, then generating the authentication cookie from that hash. |
| 40 | CVE-2007-1893 | 264 | | Bypass | 2007-04-09 | 2017-07-29 | 4.9 | None | Local Network | Medium | ??? | Partial | Partial | Partial | xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users with the contributor role to bypass intended access restrictions and invoke the publish_posts functionality, which can be used to "publish a previously saved post." |
| 41 | CVE-2007-0107 | | | Exec Code Sql Bypass | 2007-01-09 | 2018-10-16 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using UTF-7. |