Vulnerabilities (CVE)

298 total CVE
CVE | Vendors (count: names) | Products (count: names) | Updated | CVSS

CVE-2017-5493 | 1: Wordpress | 1: Wordpress | 2019-10-03 | 5.0
  wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site...

CVE-2017-5491 | 1: Wordpress | 1: Wordpress | 2019-10-03 | 5.0
  wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name.

CVE-2017-6816 | 2: Wordpress, Debian | 2: Wordpress, Debian Linux | 2019-10-03 | 5.5
  In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality.

CVE-2017-17091 | 1: Wordpress | 1: Wordpress | 2019-10-03 | 6.5
  wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string.

CVE-2017-14990 | 2: Wordpress, Debian | 2: Wordpress, Debian Linux | 2019-10-03 | 4.0
  WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database...

CVE-2018-20147 | 2: Wordpress, Debian | 2: Wordpress, Debian Linux | 2019-10-03 | 5.5
  In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.

CVE-2017-9062 | 2: Wordpress, Debian | 2: Wordpress, Debian Linux | 2019-10-03 | 5.0
  In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API.

CVE-2017-1001000 | 1: Wordpress | 1: Wordpress | 2019-10-03 | 5.0
  The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via...

CVE-2019-16218 | 1: Wordpress | 1: Wordpress | 2019-09-15 | 4.3
  WordPress before 5.2.3 allows XSS in stored comments.

CVE-2019-16223 | 1: Wordpress | 1: Wordpress | 2019-09-12 | 3.5
  WordPress before 5.2.3 allows XSS in post previews by authenticated users.

CVE-2019-16222 | 1: Wordpress | 1: Wordpress | 2019-09-12 | 4.3
  WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.

CVE-2019-16221 | 1: Wordpress | 1: Wordpress | 2019-09-12 | 4.3
  WordPress before 5.2.3 allows reflected XSS in the dashboard.

CVE-2019-16220 | 1: Wordpress | 1: Wordpress | 2019-09-12 | 5.8
  In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect.

CVE-2019-16219 | 1: Wordpress | 1: Wordpress | 2019-09-12 | 4.3
  WordPress before 5.2.3 allows XSS in shortcode previews.

CVE-2019-16217 | 1: Wordpress | 1: Wordpress | 2019-09-11 | 4.3
  WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.

CVE-2017-6514 | 1: Wordpress | 1: Wordpress | 2019-05-27 | 5.0
  WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring.

CVE-2017-17092 | 2: Wordpress, Debian | 2: Wordpress, Debian Linux | 2019-04-26 | 3.5
  wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file.

CVE-2017-17093 | 2: Wordpress, Debian | 2: Wordpress, Debian Linux | 2019-04-26 | 3.5
  wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.

CVE-2017-17094 | 2: Wordpress, Debian | 2: Wordpress, Debian Linux | 2019-04-26 | 3.5
  wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.

CVE-2019-8943 | 1: Wordpress | 1: Wordpress | 2019-04-25 | 4.0
  WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a...