Vulnerabilities (CVE)


298 total CVEs
CVE | Vendors | Products | Updated | CVSS

CVE-2019-16218 | 1: Wordpress | 1: Wordpress | 2019-09-15 | 4.3
  WordPress before 5.2.3 allows XSS in stored comments.

CVE-2019-16223 | 1: Wordpress | 1: Wordpress | 2019-09-12 | 3.5
  WordPress before 5.2.3 allows XSS in post previews by authenticated users.

CVE-2019-16222 | 1: Wordpress | 1: Wordpress | 2019-09-12 | 4.3
  WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.

CVE-2019-16221 | 1: Wordpress | 1: Wordpress | 2019-09-12 | 4.3
  WordPress before 5.2.3 allows reflected XSS in the dashboard.

CVE-2019-16220 | 1: Wordpress | 1: Wordpress | 2019-09-12 | 5.8
  In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect.

CVE-2019-16219 | 1: Wordpress | 1: Wordpress | 2019-09-12 | 4.3
  WordPress before 5.2.3 allows XSS in shortcode previews.

CVE-2019-16217 | 1: Wordpress | 1: Wordpress | 2019-09-11 | 4.3
  WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.

CVE-2017-6514 | 1: Wordpress | 1: Wordpress | 2019-05-27 | 5.0
  WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring.

CVE-2017-14990 | 2: Wordpress, Debian | 2: Wordpress, Debian Linux | 2019-05-10 | 4.0
  WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database...

CVE-2017-17092 | 2: Wordpress, Debian | 2: Wordpress, Debian Linux | 2019-04-26 | 3.5
  wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file.

CVE-2017-17093 | 2: Wordpress, Debian | 2: Wordpress, Debian Linux | 2019-04-26 | 3.5
  wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.

CVE-2017-17094 | 2: Wordpress, Debian | 2: Wordpress, Debian Linux | 2019-04-26 | 3.5
  wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.

CVE-2019-8943 | 1: Wordpress | 1: Wordpress | 2019-04-25 | 4.0
  WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a...

CVE-2019-8942 | 2: Wordpress, Debian | 2: Wordpress, Debian Linux | 2019-04-25 | 6.5
  WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can...

CVE-2019-9787 | 1: Wordpress | 1: Wordpress | 2019-03-21 | 6.8
  WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A...

CVE-2017-5611 | 2: Wordpress, Debian | 2: Wordpress, Debian Linux | 2019-03-19 | 7.5
  SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post...

CVE-2017-5610 | 2: Wordpress, Debian | 2: Wordpress, Debian Linux | 2019-03-19 | 5.0
  wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms.

CVE-2017-6814 | 2: Wordpress, Debian | 2: Wordpress, Debian Linux | 2019-03-19 | 3.5
  In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2)...

CVE-2017-6819 | 1: Wordpress | 1: Wordpress | 2019-03-19 | 4.3
  In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is...

CVE-2017-6815 | 2: Wordpress, Debian | 2: Wordpress, Debian Linux | 2019-03-19 | 5.8
  In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation.