Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Wordpress Subscribe
Filtered by product Wordpress
Total 581 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-11029 2 Debian, Wordpress 2 Debian Linux, Wordpress 2023-03-01 4.3 MEDIUM 6.1 MEDIUM
In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
CVE-2020-11027 2 Debian, Wordpress 2 Debian Linux, Wordpress 2023-03-01 5.5 MEDIUM 8.1 HIGH
In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
CVE-2020-11026 2 Debian, Wordpress 2 Debian Linux, Wordpress 2023-03-01 3.5 LOW 5.4 MEDIUM
In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
CVE-2020-4050 3 Debian, Fedoraproject, Wordpress 3 Debian Linux, Fedora, Wordpress 2023-02-27 6.0 MEDIUM 3.1 LOW
In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
CVE-2020-4047 3 Debian, Fedoraproject, Wordpress 3 Debian Linux, Fedora, Wordpress 2023-02-27 3.5 LOW 6.8 MEDIUM
In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
CVE-2020-4048 3 Debian, Fedoraproject, Wordpress 3 Debian Linux, Fedora, Wordpress 2023-02-27 4.9 MEDIUM 5.7 MEDIUM
In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
CVE-2022-21663 3 Debian, Fedoraproject, Wordpress 3 Debian Linux, Fedora, Wordpress 2023-02-09 6.5 MEDIUM 7.2 HIGH
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.
CVE-2019-17675 2 Debian, Wordpress 2 Debian Linux, Wordpress 2023-02-03 6.8 MEDIUM 8.8 HIGH
WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.
CVE-2019-17671 2 Debian, Wordpress 2 Debian Linux, Wordpress 2023-02-03 5.0 MEDIUM 5.3 MEDIUM
In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.
CVE-2019-17672 2 Debian, Wordpress 2 Debian Linux, Wordpress 2023-02-03 4.3 MEDIUM 6.1 MEDIUM
WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.
CVE-2019-17674 2 Debian, Wordpress 2 Debian Linux, Wordpress 2023-02-03 3.5 LOW 5.4 MEDIUM
WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer.
CVE-2019-17669 2 Debian, Wordpress 2 Debian Linux, Wordpress 2023-02-03 7.5 HIGH 9.8 CRITICAL
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.
CVE-2022-43500 1 Wordpress 1 Wordpress 2023-02-03 N/A 6.1 MEDIUM
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
CVE-2022-43497 1 Wordpress 1 Wordpress 2023-02-03 N/A 6.1 MEDIUM
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
CVE-2022-43504 1 Wordpress 1 Wordpress 2023-02-03 N/A 5.3 MEDIUM
Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7.
CVE-2023-22622 1 Wordpress 1 Wordpress 2023-02-02 N/A 5.3 MEDIUM
WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits.
CVE-2019-16219 2 Debian, Wordpress 2 Debian Linux, Wordpress 2023-01-31 4.3 MEDIUM 6.1 MEDIUM
WordPress before 5.2.3 allows XSS in shortcode previews.
CVE-2019-16217 2 Debian, Wordpress 2 Debian Linux, Wordpress 2023-01-31 4.3 MEDIUM 6.1 MEDIUM
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.
CVE-2019-16222 2 Debian, Wordpress 2 Debian Linux, Wordpress 2023-01-31 4.3 MEDIUM 6.1 MEDIUM
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.
CVE-2019-16218 2 Debian, Wordpress 2 Debian Linux, Wordpress 2023-01-31 4.3 MEDIUM 6.1 MEDIUM
WordPress before 5.2.3 allows XSS in stored comments.