Vulnerabilities (CVE)

229 total CVE
Columns: CVE | Vendors (count) | Products (count) | Updated | CVSS, followed by the description.

CVE-2017-9062 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-10-03 | 5.0
  In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API.

CVE-2017-5491 | Wordpress (1) | Wordpress (1) | 2019-10-03 | 5.0
  wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name.

CVE-2017-14990 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-10-03 | 4.0
  WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database...

CVE-2017-1001000 | Wordpress (1) | Wordpress (1) | 2019-10-03 | 5.0
  The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via...

CVE-2017-6816 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-10-03 | 5.5
  In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality.

CVE-2017-17091 | Wordpress (1) | Wordpress (1) | 2019-10-03 | 6.5
  wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string.

CVE-2018-20147 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-10-03 | 5.5
  In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.

CVE-2017-5493 | Wordpress (1) | Wordpress (1) | 2019-10-03 | 5.0
  wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site...

CVE-2019-16218 | Wordpress (1) | Wordpress (1) | 2019-09-15 | 4.3
  WordPress before 5.2.3 allows XSS in stored comments.

CVE-2019-16222 | Wordpress (1) | Wordpress (1) | 2019-09-12 | 4.3
  WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.

CVE-2019-16221 | Wordpress (1) | Wordpress (1) | 2019-09-12 | 4.3
  WordPress before 5.2.3 allows reflected XSS in the dashboard.

CVE-2019-16220 | Wordpress (1) | Wordpress (1) | 2019-09-12 | 5.8
  In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect.

CVE-2019-16219 | Wordpress (1) | Wordpress (1) | 2019-09-12 | 4.3
  WordPress before 5.2.3 allows XSS in shortcode previews.

CVE-2019-16217 | Wordpress (1) | Wordpress (1) | 2019-09-11 | 4.3
  WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.

CVE-2017-6514 | Wordpress (1) | Wordpress (1) | 2019-05-27 | 5.0
  WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring.

CVE-2019-8943 | Wordpress (1) | Wordpress (1) | 2019-04-25 | 4.0
  WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a...

CVE-2019-8942 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-04-25 | 6.5
  WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can...

CVE-2019-9787 | Wordpress (1) | Wordpress (1) | 2019-03-21 | 6.8
  WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A...

CVE-2017-5610 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-03-19 | 5.0
  wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms.

CVE-2017-6819 | Wordpress (1) | Wordpress (1) | 2019-03-19 | 4.3
  In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is...