Vulnerabilities (CVE)

27 total CVE
CVE Vendors Products Updated CVSS
CVE-2019-16223 1 Wordpress 1 Wordpress 2019-09-12 3.5
WordPress before 5.2.3 allows XSS in post previews by authenticated users.
CVE-2017-17092 2 Wordpress, Debian 2 Wordpress, Debian Linux 2019-04-26 3.5
wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file.
CVE-2017-17093 2 Wordpress, Debian 2 Wordpress, Debian Linux 2019-04-26 3.5
wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.
CVE-2017-17094 2 Wordpress, Debian 2 Wordpress, Debian Linux 2019-04-26 3.5
wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.
CVE-2017-6814 2 Wordpress, Debian 2 Wordpress, Debian Linux 2019-03-19 3.5
In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2)...
CVE-2017-6817 2 Wordpress, Debian 2 Wordpress, Debian Linux 2019-03-19 3.5
In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.
CVE-2018-20153 2 Wordpress, Debian 2 Wordpress, Debian Linux 2019-03-04 3.5
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.
CVE-2018-20149 2 Wordpress, Debian 2 Wordpress, Debian Linux 2019-03-04 3.5
In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.
CVE-2006-0733 1 Wordpress 1 Wordpress 2018-10-19 2.6
** DISPUTED ** Cross-site scripting (XSS) vulnerability in WordPress 2.0.0 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes such as (1) onfocus and (2) onblur in the "author's website" field. NOTE:...
CVE-2007-5710 1 Wordpress 1 Wordpress 2018-10-15 2.6
Cross-site scripting (XSS) vulnerability in wp-admin/edit-post-rows.php in WordPress 2.3 allows remote attackers to inject arbitrary web script or HTML via the posts_columns array parameter.
CVE-2009-3891 2 Wordpress, A 2 Wordpress, Wordpress 2017-11-22 3.5
Cross-site scripting (XSS) vulnerability in wp-admin/press-this.php in WordPress before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML via the s parameter (aka the selection variable).
CVE-2011-0700 2 Wordpress, A 2 Wordpress, Wordpress 2017-11-21 3.5
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or post_title), (2)...
CVE-2016-7168 1 Wordpress 1 Wordpress 2017-11-04 3.5
Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading...
CVE-2015-7989 1 Wordpress 1 Wordpress 2017-11-04 3.5
Cross-site scripting (XSS) vulnerability in the user list table in WordPress before 4.3.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted e-mail address, a different vulnerability than CVE-2015-5714.
CVE-2015-5622 2 Wordpress, Debian 2 Debian Linux, Wordpress 2017-11-04 3.5
Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related...
CVE-2016-9263 1 Wordpress 1 Wordpress 2017-10-26 2.6
WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the...
CVE-2012-6527 2 Wordpress, Joedolson 2 My-calendar, Wordpress 2017-08-29 2.6
Cross-site scripting (XSS) vulnerability in the My Calendar plugin before 1.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
CVE-2007-4153 1 Wordpress 1 Wordpress 2017-07-29 2.1
Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.2.1 allow remote authenticated administrators to inject arbitrary web script or HTML via (1) the Options Database Table in the Admin Panel, accessed through options.php; or (2)...
CVE-2007-1732 1 Wordpress 1 Wordpress 2016-11-22 3.5
** DISPUTED ** Cross-site scripting (XSS) vulnerability in an mt import in wp-admin/admin.php in WordPress 2.1.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the demo parameter. NOTE: the provenance of...
CVE-2014-5240 2 Wordpress, Debian 2 Debian Linux, Wordpress 2015-11-25 2.1
Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via...