CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Wordpress » Wordpress : Security Vulnerabilities (Cross Site Scripting (XSS))

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2020-28038 79 XSS 2020-11-02 2020-11-11
4.3
None Remote Medium Not required None Partial None
WordPress before 5.5.2 allows stored XSS via post slugs.
2 CVE-2020-28034 79 XSS 2020-11-02 2020-11-11
4.3
None Remote Medium Not required None Partial None
WordPress before 5.5.2 allows XSS associated with global variables.
3 CVE-2020-11030 79 XSS 2020-04-30 2020-05-07
3.5
None Remote Medium ??? None Partial None
In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
4 CVE-2020-11029 79 XSS 2020-04-30 2020-05-11
4.3
None Remote Medium Not required None Partial None
In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
5 CVE-2020-11026 79 XSS 2020-04-30 2020-05-11
3.5
None Remote Medium ??? None Partial None
In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
6 CVE-2020-11025 79 Exec Code XSS 2020-04-30 2020-05-07
3.5
None Remote Medium ??? None Partial None
In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
7 CVE-2020-4049 80 XSS 2020-06-12 2020-12-23
3.5
None Remote Medium ??? None Partial None
In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
8 CVE-2019-20042 79 XSS 2019-12-27 2020-01-10
4.3
None Remote Medium Not required None Partial None
In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.
9 CVE-2019-17674 79 XSS 2019-10-17 2020-01-08
3.5
None Remote Medium ??? None Partial None
WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer.
10 CVE-2019-17672 79 XSS 2019-10-17 2020-01-08
4.3
None Remote Medium Not required None Partial None
WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.
11 CVE-2019-16781 79 Exec Code XSS 2019-12-26 2020-01-08
3.5
None Remote Medium ??? None Partial None
In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.
12 CVE-2019-16780 79 Exec Code XSS 2019-12-26 2020-01-08
3.5
None Remote Medium ??? None Partial None
WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.
13 CVE-2019-16223 79 XSS 2019-09-11 2021-01-04
3.5
None Remote Medium ??? None Partial None
WordPress before 5.2.3 allows XSS in post previews by authenticated users.
14 CVE-2019-16222 79 XSS 2019-09-11 2019-09-12
4.3
None Remote Medium Not required None Partial None
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.
15 CVE-2019-16221 79 XSS 2019-09-11 2019-09-12
4.3
None Remote Medium Not required None Partial None
WordPress before 5.2.3 allows reflected XSS in the dashboard.
16 CVE-2019-16219 79 XSS 2019-09-11 2019-09-12
4.3
None Remote Medium Not required None Partial None
WordPress before 5.2.3 allows XSS in shortcode previews.
17 CVE-2019-16218 79 XSS 2019-09-11 2019-09-15
4.3
None Remote Medium Not required None Partial None
WordPress before 5.2.3 allows XSS in stored comments.
18 CVE-2019-16217 79 XSS 2019-09-11 2019-10-17
4.3
None Remote Medium Not required None Partial None
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.
19 CVE-2019-9787 352 Exec Code XSS CSRF 2019-03-14 2019-03-31
6.8
None Remote Medium Not required Partial Partial Partial
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.
20 CVE-2018-20153 79 XSS 2018-12-14 2019-03-04
3.5
None Remote Medium ??? None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.
21 CVE-2018-20150 79 XSS 2018-12-14 2019-03-04
4.3
None Remote Medium Not required None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins.
22 CVE-2018-20149 79 XSS Bypass 2018-12-14 2019-03-04
3.5
None Remote Medium ??? None Partial None
In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.
23 CVE-2018-10102 79 XSS 2018-04-16 2018-05-18
4.3
None Remote Medium Not required None Partial None
Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.
24 CVE-2018-5776 79 XSS 2018-01-18 2018-02-01
4.3
None Remote Medium Not required None Partial None
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).
25 CVE-2017-17094 79 XSS 2017-12-02 2019-04-26
3.5
None Remote Medium ??? None Partial None
wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.
26 CVE-2017-17093 79 XSS 2017-12-02 2019-04-26
3.5
None Remote Medium ??? None Partial None
wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.
27 CVE-2017-17092 79 XSS 2017-12-02 2019-04-26
3.5
None Remote Medium ??? None Partial None
wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file.
28 CVE-2017-14726 79 XSS 2017-09-23 2017-11-10
4.3
None Remote Medium Not required None Partial None
Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.
29 CVE-2017-14724 79 XSS 2017-09-23 2017-11-10
4.3
None Remote Medium Not required None Partial None
Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.
30 CVE-2017-14721 79 XSS 2017-09-23 2017-11-10
4.3
None Remote Medium Not required None Partial None
Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name.
31 CVE-2017-14720 79 XSS 2017-09-23 2017-11-10
4.3
None Remote Medium Not required None Partial None
Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name.
32 CVE-2017-14718 79 XSS 2017-09-23 2017-11-10
4.3
None Remote Medium Not required None Partial None
Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL.
33 CVE-2017-9063 79 XSS 2017-05-18 2019-03-15
4.3
None Remote Medium Not required None Partial None
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session.
34 CVE-2017-9061 79 XSS 2017-05-18 2019-03-15
4.3
None Remote Medium Not required None Partial None
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename.
35 CVE-2017-6818 79 XSS 2017-03-12 2019-03-19
4.3
None Remote Medium Not required None Partial None
In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names.
36 CVE-2017-6817 79 XSS 2017-03-12 2019-03-19
3.5
None Remote Medium ??? None Partial None
In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.
37 CVE-2017-6814 79 XSS 2017-03-12 2019-03-19
3.5
None Remote Medium ??? None Partial None
In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function in wp-includes/js/mediaelement/wp-playlist.js.
38 CVE-2017-5612 79 XSS 2017-01-30 2019-03-19
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt.
39 CVE-2017-5490 79 XSS 2017-01-15 2017-11-04
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php.
40 CVE-2017-5488 79 XSS 2017-01-15 2017-11-04
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) version header of a plugin.
41 CVE-2016-7168 79 XSS 2017-01-05 2017-11-04
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename.
42 CVE-2016-6634 79 XSS 2016-08-07 2017-11-04
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
43 CVE-2016-5834 79 XSS 2016-06-29 2016-11-30
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833.
44 CVE-2016-5833 79 XSS 2016-06-29 2016-11-30
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834.
45 CVE-2016-4567 79 XSS 2016-05-22 2016-12-02
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn."
46 CVE-2016-4566 79 XSS 2016-05-22 2016-12-02
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack.
47 CVE-2016-1564 79 XSS 2016-05-22 2017-11-04
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php.
48 CVE-2015-8834 79 XSS 2016-05-22 2016-11-28
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3440.
49 CVE-2015-7989 79 XSS 2016-05-22 2017-11-04
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the user list table in WordPress before 4.3.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted e-mail address, a different vulnerability than CVE-2015-5714.
50 CVE-2015-5734 79 XSS 2015-11-09 2017-11-04
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a crafted string.
Total number of vulnerabilities : 120   Page : 1 (This Page)2 3
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.