Filtered by vendor Wordpress
Subscribe
Total
621 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-9062 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-10-02 | 5.0 MEDIUM | 8.6 HIGH |
In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. | |||||
CVE-2017-5493 | 1 Wordpress | 1 Wordpress | 2019-10-02 | 5.0 MEDIUM | 7.5 HIGH |
wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup. | |||||
CVE-2017-14990 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-10-02 | 4.0 MEDIUM | 6.5 MEDIUM |
WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability). | |||||
CVE-2017-6514 | 1 Wordpress | 1 Wordpress | 2019-05-27 | 5.0 MEDIUM | 5.3 MEDIUM |
WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring. | |||||
CVE-2017-17092 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-04-26 | 3.5 LOW | 5.4 MEDIUM |
wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file. | |||||
CVE-2017-17093 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-04-26 | 3.5 LOW | 5.4 MEDIUM |
wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site. | |||||
CVE-2017-17094 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-04-26 | 3.5 LOW | 5.4 MEDIUM |
wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL. | |||||
CVE-2019-9787 | 1 Wordpress | 1 Wordpress | 2019-03-31 | 6.8 MEDIUM | 8.8 HIGH |
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php. | |||||
CVE-2017-5610 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-19 | 5.0 MEDIUM | 5.3 MEDIUM |
wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms. | |||||
CVE-2017-6814 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-19 | 3.5 LOW | 5.4 MEDIUM |
In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function in wp-includes/js/mediaelement/wp-playlist.js. | |||||
CVE-2017-6819 | 1 Wordpress | 1 Wordpress | 2019-03-19 | 4.3 MEDIUM | 6.5 MEDIUM |
In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This. | |||||
CVE-2017-6815 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-19 | 5.8 MEDIUM | 6.1 MEDIUM |
In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation. | |||||
CVE-2017-5612 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-19 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt. | |||||
CVE-2017-6817 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-19 | 3.5 LOW | 5.4 MEDIUM |
In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds. | |||||
CVE-2017-6818 | 1 Wordpress | 1 Wordpress | 2019-03-19 | 4.3 MEDIUM | 6.1 MEDIUM |
In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. | |||||
CVE-2017-9061 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-15 | 4.3 MEDIUM | 6.1 MEDIUM |
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename. | |||||
CVE-2017-9063 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-15 | 4.3 MEDIUM | 6.1 MEDIUM |
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session. | |||||
CVE-2017-9064 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-15 | 6.8 MEDIUM | 8.8 HIGH |
In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials. | |||||
CVE-2017-9065 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-15 | 5.0 MEDIUM | 7.5 HIGH |
In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. | |||||
CVE-2017-9066 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-15 | 5.0 MEDIUM | 8.6 HIGH |
In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. |