Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Wordpress Subscribe
Filtered by product Wordpress
Total 581 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-14723 1 Wordpress 1 Wordpress 2017-11-09 7.5 HIGH 9.8 CRITICAL
Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.
CVE-2017-14718 1 Wordpress 1 Wordpress 2017-11-09 4.3 MEDIUM 6.1 MEDIUM
Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL.
CVE-2017-14720 1 Wordpress 1 Wordpress 2017-11-09 4.3 MEDIUM 6.1 MEDIUM
Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name.
CVE-2017-14721 1 Wordpress 1 Wordpress 2017-11-09 4.3 MEDIUM 6.1 MEDIUM
Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name.
CVE-2017-14724 1 Wordpress 1 Wordpress 2017-11-09 4.3 MEDIUM 6.1 MEDIUM
Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.
CVE-2017-8295 1 Wordpress 1 Wordpress 2017-11-03 4.3 MEDIUM 5.9 MEDIUM
WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.
CVE-2017-5489 1 Wordpress 1 Wordpress 2017-11-03 6.8 MEDIUM 8.8 HIGH
Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload.
CVE-2017-5490 1 Wordpress 1 Wordpress 2017-11-03 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php.
CVE-2017-5488 1 Wordpress 1 Wordpress 2017-11-03 4.3 MEDIUM 6.1 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) version header of a plugin.
CVE-2015-5732 1 Wordpress 1 Wordpress 2017-11-03 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the form function in the WP_Nav_Menu_Widget class in wp-includes/default-widgets.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a widget title.
CVE-2015-5731 1 Wordpress 1 Wordpress 2017-11-03 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action.
CVE-2015-5734 1 Wordpress 1 Wordpress 2017-11-03 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a crafted string.
CVE-2015-5714 1 Wordpress 1 Wordpress 2017-11-03 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the mishandling of unclosed HTML elements during processing of shortcode tags.
CVE-2015-5715 1 Wordpress 1 Wordpress 2017-11-03 4.0 MEDIUM 4.3 MEDIUM
The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in the XMLRPC subsystem in WordPress before 4.3.1 allows remote authenticated users to bypass intended access restrictions, and arrange for a private post to be published and sticky, via unspecified vectors.
CVE-2016-6634 1 Wordpress 1 Wordpress 2017-11-03 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2016-6635 1 Wordpress 1 Wordpress 2017-11-03 6.8 MEDIUM 8.8 HIGH
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers to hijack the authentication of administrators for requests that change the script compression option.
CVE-2016-2222 1 Wordpress 1 Wordpress 2017-11-03 5.0 MEDIUM 8.6 HIGH
The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request forgery (SSRF) attacks via a zero value in the first octet of an IPv4 address in the u parameter to wp-admin/press-this.php.
CVE-2016-7168 1 Wordpress 1 Wordpress 2017-11-03 3.5 LOW 4.8 MEDIUM
Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename.
CVE-2016-1564 1 Wordpress 1 Wordpress 2017-11-03 4.3 MEDIUM 6.1 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php.
CVE-2016-2221 1 Wordpress 1 Wordpress 2017-11-03 5.8 MEDIUM 7.4 HIGH
Open redirect vulnerability in the wp_validate_redirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as demonstrated by an https:example.com URL.