In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials.
| Max Base Score | 8.8 |
| Published | 2017-05-18 |
| Updated | 2019-03-15 |
| EPSS | 0.44% |
In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API.
| Max Base Score | 8.6 |
| Published | 2017-05-18 |
| Updated | 2019-10-03 |
| EPSS | 0.62% |
In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This.
| Max Base Score | 6.5 |
| Published | 2017-03-12 |
| Updated | 2019-03-19 |
| EPSS | 0.16% |
Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.
| Max Base Score | 8.8 |
| Published | 2017-01-15 |
| Updated | 2017-11-04 |
| EPSS | 0.28% |
Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload.
| Max Base Score | 8.8 |
| Published | 2017-01-15 |
| Updated | 2017-11-04 |
| EPSS | 0.27% |
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.
| Max Base Score | 6.5 |
| Published | 2017-01-18 |
| Updated | 2017-09-03 |
| EPSS | 0.33% |
6 vulnerabilities found