Vulnerabilities (CVE)


347 total CVE
CVE | Vendors (count) | Products (count) | Updated | CVSS

CVE-2019-8943 | Wordpress (1) | Wordpress (1) | 2019-04-25 | 4.0
    WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a...

CVE-2019-8942 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-04-25 | 6.5
    WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can...

CVE-2019-9787 | Wordpress (1) | Wordpress (1) | 2019-03-21 | 6.8
    WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A...

CVE-2017-5611 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-03-19 | 7.5
    SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post...

CVE-2017-5610 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-03-19 | 5.0
    wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms.

CVE-2017-6814 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-03-19 | 3.5
    In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2)...

CVE-2017-6819 | Wordpress (1) | Wordpress (1) | 2019-03-19 | 4.3
    In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is...

CVE-2017-6815 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-03-19 | 5.8
    In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation.

CVE-2017-5612 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-03-19 | 4.3
    Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt.

CVE-2017-6817 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-03-19 | 3.5
    In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.

CVE-2017-6818 | Wordpress (1) | Wordpress (1) | 2019-03-19 | 4.3
    In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names.

CVE-2017-9061 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-03-15 | 4.3
    In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename.

CVE-2017-9063 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-03-15 | 4.3
    In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session.

CVE-2017-9064 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-03-15 | 6.8
    In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials.

CVE-2017-9065 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-03-15 | 5.0
    In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API.

CVE-2017-9066 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-03-15 | 5.0
    In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF.

CVE-2018-10101 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-03-07 | 5.8
    Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.

CVE-2018-20152 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-03-04 | 4.0
    In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input.

CVE-2018-20151 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-03-04 | 5.0
    In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely)...

CVE-2018-20153 | Wordpress, Debian (2) | Wordpress, Debian Linux (2) | 2019-03-04 | 3.5
    In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.