| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-16223 |
79 |
|
XSS |
2019-09-11 |
2019-09-12 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
WordPress before 5.2.3 allows XSS in post previews by authenticated users. |
|
2 |
CVE-2019-16222 |
79 |
|
XSS |
2019-09-11 |
2019-09-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks. |
|
3 |
CVE-2019-16221 |
79 |
|
XSS |
2019-09-11 |
2019-09-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
WordPress before 5.2.3 allows reflected XSS in the dashboard. |
|
4 |
CVE-2019-16220 |
601 |
|
|
2019-09-11 |
2019-09-12 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect. |
|
5 |
CVE-2019-16219 |
79 |
|
XSS |
2019-09-11 |
2019-09-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
WordPress before 5.2.3 allows XSS in shortcode previews. |
|
6 |
CVE-2019-16218 |
79 |
|
XSS |
2019-09-11 |
2019-09-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
WordPress before 5.2.3 allows XSS in stored comments. |
|
7 |
CVE-2019-16217 |
79 |
|
XSS |
2019-09-11 |
2019-09-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. |
|
8 |
CVE-2019-9787 |
352 |
|
Exec Code XSS CSRF |
2019-03-14 |
2019-03-31 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php. |
|
9 |
CVE-2019-8942 |
94 |
|
Exec Code |
2019-02-19 |
2019-04-25 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943. |
|
10 |
CVE-2018-20153 |
79 |
|
XSS |
2018-12-14 |
2019-01-04 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. |
|
11 |
CVE-2018-20152 |
20 |
|
Bypass |
2018-12-14 |
2019-01-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. |
|
12 |
CVE-2018-20151 |
200 |
|
+Info |
2018-12-14 |
2019-01-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default. |
|
13 |
CVE-2018-20150 |
79 |
|
XSS |
2018-12-14 |
2019-01-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. |
|
14 |
CVE-2018-20149 |
79 |
|
XSS Bypass |
2018-12-14 |
2019-01-04 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data. |
|
15 |
CVE-2018-20148 |
502 |
|
|
2018-12-14 |
2019-01-04 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php. |
|
16 |
CVE-2018-20147 |
287 |
|
Bypass |
2018-12-14 |
2019-10-02 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
|
In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files. |
|
17 |
CVE-2018-12895 |
22 |
|
Exec Code Dir. Trav. |
2018-06-26 |
2018-08-20 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges. |
|
18 |
CVE-2018-10102 |
79 |
|
XSS |
2018-04-16 |
2018-05-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. |
|
19 |
CVE-2018-10101 |
601 |
|
|
2018-04-16 |
2018-06-02 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. |
|
20 |
CVE-2018-10100 |
601 |
|
|
2018-04-16 |
2018-05-18 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. |
|
21 |
CVE-2018-5776 |
79 |
|
XSS |
2018-01-18 |
2018-02-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). |
|
22 |
CVE-2017-1000600 |
20 |
|
Exec Code |
2018-09-06 |
2018-10-26 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. This issue appears to have been partially, but not completely fixed in WordPress 4.9 |
|
23 |
CVE-2014-6412 |
640 |
|
|
2018-04-12 |
2018-05-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. |
|
24 |
CVE-2014-0166 |
287 |
|
|
2014-04-09 |
2017-12-15 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. |
|
25 |
CVE-2014-0165 |
264 |
|
|
2014-04-09 |
2017-12-15 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php. |
|
26 |
CVE-2013-2205 |
79 |
|
XSS Bypass |
2013-07-08 |
2016-12-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site. |
|
27 |
CVE-2013-2204 |
20 |
|
|
2013-07-08 |
2013-08-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) character during extraction of the QUERY_STRING, which allows remote attackers to pass arbitrary parameters to a Flash application, and conduct content-spoofing attacks, via a crafted string after a ? (question mark) character. |
|
28 |
CVE-2013-2203 |
264 |
|
+Info |
2013-07-08 |
2013-09-10 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
WordPress before 3.5.2, when the uploads directory forbids write access, allows remote attackers to obtain sensitive information via an invalid upload request, which reveals the absolute path in an XMLHttpRequest error message. |
|
29 |
CVE-2013-2202 |
200 |
|
+Info |
2013-07-08 |
2013-10-07 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
WordPress before 3.5.2 allows remote attackers to read arbitrary files via an oEmbed XML provider response containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
|
30 |
CVE-2013-2201 |
79 |
|
XSS |
2013-07-08 |
2013-09-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) uploads of media files, (2) editing of media files, (3) installation of plugins, (4) updates to plugins, (5) installation of themes, or (6) updates to themes. |
|
31 |
CVE-2013-2200 |
264 |
|
Bypass |
2013-07-08 |
2013-08-13 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
WordPress before 3.5.2 does not properly check the capabilities of roles, which allows remote authenticated users to bypass intended restrictions on publishing and authorship reassignment via unspecified vectors. |
|
32 |
CVE-2013-2199 |
264 |
|
|
2013-07-08 |
2013-08-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The HTTP API in WordPress before 3.5.2 allows remote attackers to send HTTP requests to intranet servers via unspecified vectors, related to a Server-Side Request Forgery (SSRF) issue, a similar vulnerability to CVE-2013-0235. |
|
33 |
CVE-2013-0237 |
79 |
|
XSS |
2013-07-08 |
2013-07-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode plupload before 1.5.5, as used in WordPress before 3.5.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the id parameter. |
|
34 |
CVE-2013-0236 |
79 |
|
XSS |
2013-07-08 |
2013-07-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) gallery shortcodes or (2) the content of a post. |
|
35 |
CVE-2013-0235 |
|
|
|
2013-07-08 |
2013-07-08 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue. |
|
36 |
CVE-2012-4422 |
264 |
|
|
2012-09-14 |
2012-09-17 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin changes by leveraging the Administrator role. |
|
37 |
CVE-2012-4421 |
264 |
|
Bypass |
2012-09-14 |
2012-09-17 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature. |
|
38 |
CVE-2012-3385 |
264 |
|
+Info |
2012-07-22 |
2012-07-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or contributors to obtain sensitive information via unknown vectors. |
|
39 |
CVE-2012-3384 |
352 |
|
CSRF |
2012-07-22 |
2012-08-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
|
40 |
CVE-2012-2404 |
79 |
|
XSS |
2012-04-21 |
2017-12-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
wp-comments-post.php in WordPress before 3.3.2 supports offsite redirects, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. |
|
41 |
CVE-2012-2403 |
79 |
|
XSS |
2012-04-21 |
2017-12-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
wp-includes/formatting.php in WordPress before 3.3.2 attempts to enable clickable links inside attributes, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. |
|
42 |
CVE-2012-2402 |
264 |
|
Bypass |
2012-04-21 |
2017-12-18 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
|
wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspecified vectors. |
|
43 |
CVE-2012-2401 |
264 |
|
Bypass |
2012-04-21 |
2017-12-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content. |
|
44 |
CVE-2012-2400 |
|
|
|
2012-04-21 |
2017-12-18 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown impact and attack vectors. |
|
45 |
CVE-2012-2399 |
|
|
XSS |
2012-04-21 |
2017-12-18 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a different vulnerability than CVE-2012-3414. |
|
46 |
CVE-2012-1936 |
352 |
1
|
CSRF |
2012-05-03 |
2017-12-13 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
** DISPUTED ** The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network, as demonstrated by attacks against the wp-admin/admin-ajax.php and wp-admin/user-new.php scripts. NOTE: the vendor reportedly disputes the significance of this issue because wp_create_nonce operates as intended, even if it is arguably inconsistent with certain CSRF protection details advocated by external organizations. |
|
47 |
CVE-2012-0937 |
|
1
|
DoS |
2012-01-30 |
2012-01-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which allows remote attackers to use WordPress as a proxy for brute-force attacks or denial of service attacks via the dbhost parameter, a different vulnerability than CVE-2011-4898. NOTE: the vendor disputes the significance of this issue because an incomplete WordPress installation might be present on the network for only a short time. |
|
48 |
CVE-2012-0782 |
79 |
1
|
XSS |
2012-01-30 |
2012-01-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dbhost, (2) dbname, or (3) uname parameter. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether this specific XSS scenario has security relevance. |
|
49 |
CVE-2011-4957 |
20 |
|
DoS |
2012-06-27 |
2012-06-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls. |
|
50 |
CVE-2011-4956 |
79 |
|
XSS |
2012-06-27 |
2012-06-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
