WordPress Blog Platform

PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname

CVE-2020-36326 9.8 - Critical - April 28, 2021

PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.

Marshaling, Unmarshaling

Wordpress is an open source CMS

CVE-2021-29450 4.3 - Medium - April 15, 2021

Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.

Information Disclosure

Wordpress is an open source CMS

CVE-2021-29447 6.5 - Medium - April 15, 2021

Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.

XXE

wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2

CVE-2020-28036 9.8 - Critical - November 02, 2020

wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.

Improper Privilege Management

WordPress before 5.5.2

CVE-2020-28035 9.8 - Critical - November 02, 2020

WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.

Improper Privilege Management

WordPress before 5.5.2

CVE-2020-28034 6.1 - Medium - November 02, 2020

WordPress before 5.5.2 allows XSS associated with global variables.

XSS

WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by

CVE-2020-28033 7.5 - High - November 02, 2020

WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.

WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.

CVE-2020-28032 9.8 - Critical - November 02, 2020

WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.

Marshaling, Unmarshaling

is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might

CVE-2020-28037 9.8 - Critical - November 02, 2020

is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).

Improper Input Validation

WordPress before 5.5.2

CVE-2020-28038 6.1 - Medium - November 02, 2020

WordPress before 5.5.2 allows stored XSS via post slugs.

XSS

is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2

CVE-2020-28039 9.1 - Critical - November 02, 2020

is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.

WordPress before 5.5.2 allows CSRF attacks

CVE-2020-28040 4.3 - Medium - November 02, 2020

WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.

Session Riding

In wp-includes/comment-template.php in WordPress before 5.4.2, comments

CVE-2020-25286 5.3 - Medium - September 13, 2020

In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public.

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way

CVE-2020-4049 2.4 - Low - June 12, 2020

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

XSS

In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved

CVE-2020-4050 3.1 - Low - June 12, 2020

In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Authentication Bypass Using an Alternate Path or Channel

In affected versions of WordPress, users with low privileges (like contributors and authors)

CVE-2020-4046 5.4 - Medium - June 12, 2020

In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Basic XSS

In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link

CVE-2020-4048 5.7 - Medium - June 12, 2020

In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Open Redirect

In affected versions of WordPress

CVE-2020-4047 6.8 - Medium - June 12, 2020

In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Basic XSS

In affected versions of WordPress, a special payload can be crafted

CVE-2020-11030 5.4 - Medium - April 30, 2020

In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

XSS

In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php

CVE-2020-11029 6.1 - Medium - April 30, 2020

In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

XSS

In affected versions of WordPress, some private posts

CVE-2020-11028 7.5 - High - April 30, 2020

In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Information Disclosure

In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password

CVE-2020-11027 8.1 - High - April 30, 2020

In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Weak Password Recovery Mechanism for Forgotten Password

In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section

CVE-2020-11026 5.4 - Medium - April 30, 2020

In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

XSS

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer

CVE-2020-11025 5.4 - Medium - April 30, 2020

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

XSS

In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel()

CVE-2019-20042 6.1 - Medium - December 27, 2019

In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

XSS

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity

CVE-2019-20041 9.8 - Critical - December 27, 2019

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.

Improper Input Validation

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky

CVE-2019-20043 5.3 - Medium - December 27, 2019

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

Improper Privilege Management

WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload

CVE-2019-16780 5.4 - Medium - December 26, 2019

WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.

XSS

In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor

CVE-2019-16781 5.4 - Medium - December 26, 2019

In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.

XSS

WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages

CVE-2019-17675 8.8 - High - October 17, 2019

WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.

Object Type Confusion

WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting)

CVE-2019-17674 5.4 - Medium - October 17, 2019

WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer.

XSS

WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests

CVE-2019-17673 7.5 - High - October 17, 2019

WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header.

Improper Input Validation

WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.

CVE-2019-17672 6.1 - Medium - October 17, 2019

WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.

XSS

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability

CVE-2019-17670 9.8 - Critical - October 17, 2019

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.

XSPA

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability

CVE-2019-17669 9.8 - Critical - October 17, 2019

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.

XSPA

In WordPress before 5.2.4, unauthenticated viewing of certain content is possible

CVE-2019-17671 5.3 - Medium - October 17, 2019

In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.

Information Disclosure

WordPress before 5.2.3

CVE-2019-16223 5.4 - Medium - September 11, 2019

WordPress before 5.2.3 allows XSS in post previews by authenticated users.

XSS

WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php

CVE-2019-16222 6.1 - Medium - September 11, 2019

WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.

XSS

WordPress before 5.2.3

CVE-2019-16221 6.1 - Medium - September 11, 2019

WordPress before 5.2.3 allows reflected XSS in the dashboard.

XSS

In WordPress before 5.2.3

CVE-2019-16220 6.1 - Medium - September 11, 2019

In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect.

Open Redirect

WordPress before 5.2.3

CVE-2019-16219 6.1 - Medium - September 11, 2019

WordPress before 5.2.3 allows XSS in shortcode previews.

XSS

WordPress before 5.2.3

CVE-2019-16218 6.1 - Medium - September 11, 2019

WordPress before 5.2.3 allows XSS in stored comments.

XSS

WordPress before 5.2.3

CVE-2019-16217 6.1 - Medium - September 11, 2019

WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.

XSS

WordPress before 5.1.1 does not properly filter comment content

CVE-2019-9787 8.8 - High - March 14, 2019

WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

Session Riding

WordPress before 4.9.9 and 5.x before 5.0.1

CVE-2019-8942 8.8 - High - February 20, 2019

WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.

Code Injection

WordPress through 5.0.3 allows Path Traversal in wp_crop_image()

CVE-2019-8943 6.5 - Medium - February 20, 2019

WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

Directory traversal

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types

CVE-2018-20152 6.5 - Medium - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input.

Improper Input Validation

In WordPress before 4.9.9 and 5.x before 5.0.1

CVE-2018-20147 6.5 - Medium - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.

AuthZ

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks

CVE-2018-20148 9.8 - Critical - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.

Marshaling, Unmarshaling

In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files

CVE-2018-20149 5.4 - Medium - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.

XSS

In WordPress before 4.9.9 and 5.x before 5.0.1

CVE-2018-20150 6.1 - Medium - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins.

XSS

In WordPress before 4.9.9 and 5.x before 5.0.1

CVE-2018-20151 7.5 - High - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default.

Information Disclosure

In WordPress before 4.9.9 and 5.x before 5.0.1

CVE-2018-20153 5.4 - Medium - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.

XSS

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.

CVE-2018-19296 8.8 - High - November 16, 2018

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.

Marshaling, Unmarshaling

WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing

CVE-2018-1000773 8.8 - High - September 06, 2018

WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time.

Improper Input Validation

In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files

CVE-2018-14028 7.2 - High - August 10, 2018

In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.

Unrestricted File Upload

WordPress through 4.9.6

CVE-2018-12895 7.2 - High - June 26, 2018

WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.

Directory traversal

Before WordPress 4.9.5

CVE-2018-10102 6.1 - Medium - April 16, 2018

Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.

XSS

Before WordPress 4.9.5

CVE-2018-10101 6.1 - Medium - April 16, 2018

Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.

Open Redirect

Before WordPress 4.9.5

CVE-2018-10100 6.1 - Medium - April 16, 2018

Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.

Open Redirect

In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (

CVE-2018-6389 7.5 - High - February 06, 2018

In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.

Resource Exhaustion

WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).

CVE-2018-5776 6.1 - Medium - January 18, 2018

WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).

XSS

SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme

CVE-2017-5611 9.8 - Critical - January 30, 2017

SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name.

SQL Injection

wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option, which

CVE-2008-5695 - December 19, 2008

wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option, which allows remote authenticated users with manage_options and upload_files capabilities to execute arbitrary code by uploading a PHP script and adding this script's pathname to active_plugins.

Improper Input Validation