|
|
Wordpress » Wordpress : Security Vulnerabilities Published In 2019
| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-16223 |
79 |
|
XSS |
2019-09-11 |
2019-09-12 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
WordPress before 5.2.3 allows XSS in post previews by authenticated users. |
|
2 |
CVE-2019-16222 |
79 |
|
XSS |
2019-09-11 |
2019-09-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks. |
|
3 |
CVE-2019-16221 |
79 |
|
XSS |
2019-09-11 |
2019-09-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
WordPress before 5.2.3 allows reflected XSS in the dashboard. |
|
4 |
CVE-2019-16220 |
601 |
|
|
2019-09-11 |
2019-09-12 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect. |
|
5 |
CVE-2019-16219 |
79 |
|
XSS |
2019-09-11 |
2019-09-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
WordPress before 5.2.3 allows XSS in shortcode previews. |
|
6 |
CVE-2019-16218 |
79 |
|
XSS |
2019-09-11 |
2019-09-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
WordPress before 5.2.3 allows XSS in stored comments. |
|
7 |
CVE-2019-16217 |
79 |
|
XSS |
2019-09-11 |
2019-09-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. |
|
8 |
CVE-2019-9787 |
352 |
|
Exec Code XSS CSRF |
2019-03-14 |
2019-03-31 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php. |
|
9 |
CVE-2019-8943 |
22 |
|
Dir. Trav. |
2019-02-19 |
2019-04-25 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring. |
|
10 |
CVE-2019-8942 |
94 |
|
Exec Code |
2019-02-19 |
2019-04-25 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943. |
|
11 |
CVE-2017-6514 |
200 |
|
+Info |
2019-05-22 |
2019-05-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring. |
Total number of vulnerabilities : 11
Page :
1
(This Page)
|
|
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is
MITRE's CVE web site.
CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is
MITRE's CWE web site.
OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is
MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition.
There are NO warranties, implied or otherwise, with regard to this information or its use.
Any use of this information is at the user's risk.
It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content.
EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site.
ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT,
INDIRECT or any other kind of loss.
