WordPress Blog Platform

WordPress does not properly restrict which user fields are searchable via the REST API

CVE-2023-5561 5.3 - Medium - October 16, 2023

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack

Exposure of Sensitive Information to an Unauthorized Actor in WordPress 

CVE-2023-39999 4.3 - Medium - October 13, 2023

Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38.

Information Disclosure

Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulne

CVE-2023-38000 5.4 - Medium - October 13, 2023

Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions.

XSS

WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the wp_lang parameter

CVE-2023-2745 5.4 - Medium - May 17, 2023

WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the wp_lang parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.

Directory traversal

WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates

CVE-2023-22622 5.3 - Medium - January 05, 2023

WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits.

WordPress is affected by an unauthenticated blind SSRF in the pingback feature

CVE-2022-3590 5.9 - Medium - December 14, 2022

WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

XSPA

Cross-site scripting vulnerability in WordPress versions prior to 6.0.3

CVE-2022-43497 6.1 - Medium - December 05, 2022

Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.

XSS

Cross-site scripting vulnerability in WordPress versions prior to 6.0.3

CVE-2022-43500 6.1 - Medium - December 05, 2022

Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.

XSS

Improper authentication vulnerability in WordPress versions prior to 6.0.3

CVE-2022-43504 5.3 - Medium - December 05, 2022

Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7.

authentification

A flaw exists in Wordpress related to the 'wp-admin/press-this.php 'script improperly checking user permissions when publishing posts

CVE-2011-1762 6.5 - Medium - April 18, 2022

A flaw exists in Wordpress related to the 'wp-admin/press-this.php 'script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'publish_posts' permission.

Incorrect Default Permissions

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database

CVE-2022-21663 7.2 - High - January 06, 2022

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

Marshaling, Unmarshaling

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database

CVE-2022-21664 8.8 - High - January 06, 2022

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

SQL Injection

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database

CVE-2022-21661 7.5 - High - January 06, 2022

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.

SQL Injection

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database

CVE-2022-21662 5.4 - Medium - January 06, 2022

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

XSS

WordPress before 5.8 lacks support for the Update URI plugin header

CVE-2021-44223 9.8 - Critical - November 25, 2021

WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database

CVE-2021-39203 6.5 - Medium - September 09, 2021

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release.

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database

CVE-2021-39202 5.4 - Medium - September 09, 2021

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. It was only present during the testing/beta phase of WordPress 5.8.

XSS

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database

CVE-2021-39201 5.4 - Medium - September 09, 2021

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/wordpress)

XSS

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database

CVE-2021-39200 5.3 - Medium - September 09, 2021

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can then be used to perform actions on your behalf. This has been patched in WordPress 5.8.1, along with any older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.

Information Disclosure

PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname

CVE-2020-36326 9.8 - Critical - April 28, 2021

PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.

Marshaling, Unmarshaling

Wordpress is an open source CMS

CVE-2021-29450 4.3 - Medium - April 15, 2021

Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.

Information Disclosure

Wordpress is an open source CMS

CVE-2021-29447 6.5 - Medium - April 15, 2021

Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.

XXE

is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2

CVE-2020-28039 9.1 - Critical - November 02, 2020

is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.

WordPress before 5.5.2

CVE-2020-28038 6.1 - Medium - November 02, 2020

WordPress before 5.5.2 allows stored XSS via post slugs.

XSS

is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might

CVE-2020-28037 9.8 - Critical - November 02, 2020

is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).

Improper Check for Unusual or Exceptional Conditions

wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2

CVE-2020-28036 9.8 - Critical - November 02, 2020

wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.

AuthZ

WordPress before 5.5.2

CVE-2020-28035 9.8 - Critical - November 02, 2020

WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.

WordPress before 5.5.2 allows CSRF attacks

CVE-2020-28040 4.3 - Medium - November 02, 2020

WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.

Session Riding

WordPress before 5.5.2

CVE-2020-28034 6.1 - Medium - November 02, 2020

WordPress before 5.5.2 allows XSS associated with global variables.

XSS

WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by

CVE-2020-28033 7.5 - High - November 02, 2020

WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.

WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.

CVE-2020-28032 9.8 - Critical - November 02, 2020

WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.

Marshaling, Unmarshaling

In wp-includes/comment-template.php in WordPress before 5.4.2, comments

CVE-2020-25286 5.3 - Medium - September 13, 2020

In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public.

In affected versions of WordPress, users with low privileges (like contributors and authors)

CVE-2020-4046 5.4 - Medium - June 12, 2020

In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

XSS

In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved

CVE-2020-4050 3.1 - Low - June 12, 2020

In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Authentication Bypass Using an Alternate Path or Channel

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way

CVE-2020-4049 2.4 - Low - June 12, 2020

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

XSS

In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link

CVE-2020-4048 5.7 - Medium - June 12, 2020

In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Open Redirect

In affected versions of WordPress

CVE-2020-4047 6.8 - Medium - June 12, 2020

In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Basic XSS

In affected versions of WordPress, a special payload can be crafted

CVE-2020-11030 5.4 - Medium - April 30, 2020

In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

XSS

In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php

CVE-2020-11029 6.1 - Medium - April 30, 2020

In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

XSS

In affected versions of WordPress, some private posts

CVE-2020-11028 7.5 - High - April 30, 2020

In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Missing Authentication for Critical Function

In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password

CVE-2020-11027 8.1 - High - April 30, 2020

In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Operation on a Resource after Expiration or Release

In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section

CVE-2020-11026 5.4 - Medium - April 30, 2020

In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

XSS

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer

CVE-2020-11025 5.4 - Medium - April 30, 2020

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

XSS

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky

CVE-2019-20043 4.3 - Medium - December 27, 2019

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

Improper Privilege Management

In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel()

CVE-2019-20042 6.1 - Medium - December 27, 2019

In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

XSS

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity

CVE-2019-20041 9.8 - Critical - December 27, 2019

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript&colon; substring.

Improper Input Validation

WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload

CVE-2019-16780 5.4 - Medium - December 26, 2019

WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.

XSS

In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor

CVE-2019-16781 5.4 - Medium - December 26, 2019

In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.

XSS

In WordPress before 5.2.4, unauthenticated viewing of certain content is possible

CVE-2019-17671 5.3 - Medium - October 17, 2019

In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.

Information Disclosure

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability

CVE-2019-17669 9.8 - Critical - October 17, 2019

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.

XSPA

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability

CVE-2019-17670 9.8 - Critical - October 17, 2019

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.

XSPA

WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.

CVE-2019-17672 6.1 - Medium - October 17, 2019

WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.

XSS

WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests

CVE-2019-17673 7.5 - High - October 17, 2019

WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header.

WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting)

CVE-2019-17674 5.4 - Medium - October 17, 2019

WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer.

XSS

WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages

CVE-2019-17675 8.8 - High - October 17, 2019

WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.

Session Riding

WordPress before 5.2.3

CVE-2019-16219 6.1 - Medium - September 11, 2019

WordPress before 5.2.3 allows XSS in shortcode previews.

XSS

WordPress before 5.2.3

CVE-2019-16217 6.1 - Medium - September 11, 2019

WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.

XSS

WordPress before 5.2.3

CVE-2019-16218 6.1 - Medium - September 11, 2019

WordPress before 5.2.3 allows XSS in stored comments.

XSS

In WordPress before 5.2.3

CVE-2019-16220 6.1 - Medium - September 11, 2019

In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect.

Open Redirect

WordPress before 5.2.3

CVE-2019-16221 6.1 - Medium - September 11, 2019

WordPress before 5.2.3 allows reflected XSS in the dashboard.

XSS

WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php

CVE-2019-16222 6.1 - Medium - September 11, 2019

WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.

XSS

WordPress before 5.2.3

CVE-2019-16223 5.4 - Medium - September 11, 2019

WordPress before 5.2.3 allows XSS in post previews by authenticated users.

XSS

WordPress before 5.1.1 does not properly filter comment content

CVE-2019-9787 8.8 - High - March 14, 2019

WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

Session Riding

WordPress through 5.0.3 allows Path Traversal in wp_crop_image()

CVE-2019-8943 6.5 - Medium - February 20, 2019

WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

Directory traversal

WordPress before 4.9.9 and 5.x before 5.0.1

CVE-2019-8942 8.8 - High - February 20, 2019

WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.

Code Injection

In WordPress before 4.9.9 and 5.x before 5.0.1

CVE-2018-20147 6.5 - Medium - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.

AuthZ

In WordPress before 4.9.9 and 5.x before 5.0.1

CVE-2018-20153 5.4 - Medium - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.

XSS

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types

CVE-2018-20152 6.5 - Medium - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input.

Improper Input Validation

In WordPress before 4.9.9 and 5.x before 5.0.1

CVE-2018-20151 7.5 - High - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default.

Information Disclosure

In WordPress before 4.9.9 and 5.x before 5.0.1

CVE-2018-20150 6.1 - Medium - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins.

XSS

In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files

CVE-2018-20149 5.4 - Medium - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.

XSS

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks

CVE-2018-20148 9.8 - Critical - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.

Marshaling, Unmarshaling

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.

CVE-2018-19296 8.8 - High - November 16, 2018

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.

Marshaling, Unmarshaling

WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing

CVE-2018-1000773 8.8 - High - September 06, 2018

WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time.

Improper Input Validation

In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files

CVE-2018-14028 7.2 - High - August 10, 2018

In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.

Unrestricted File Upload

WordPress through 4.9.6

CVE-2018-12895 8.8 - High - June 26, 2018

WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.

Directory traversal

Before WordPress 4.9.5

CVE-2018-10102 6.1 - Medium - April 16, 2018

Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.

XSS

Before WordPress 4.9.5

CVE-2018-10101 6.1 - Medium - April 16, 2018

Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.

Open Redirect

Before WordPress 4.9.5

CVE-2018-10100 6.1 - Medium - April 16, 2018

Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.

Open Redirect

In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (

CVE-2018-6389 7.5 - High - February 06, 2018

In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.

Resource Exhaustion

WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).

CVE-2018-5776 6.1 - Medium - January 18, 2018

WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).

XSS

SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme

CVE-2017-5611 9.8 - Critical - January 30, 2017

SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name.

SQL Injection

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might

CVE-2016-10033 9.8 - Critical - December 30, 2016

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

Argument Injection

The isMail transport in PHPMailer before 5.2.20 might

CVE-2016-10045 9.8 - Critical - December 30, 2016

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.

Command Injection

WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which

CVE-2016-4029 8.6 - High - August 07, 2016

WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address.

XSPA

The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session

CVE-2012-1936 - May 03, 2012

The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network, as demonstrated by attacks against the wp-admin/admin-ajax.php and wp-admin/user-new.php scripts. NOTE: the vendor reportedly disputes the significance of this issue because wp_create_nonce operates as intended, even if it is arguably inconsistent with certain CSRF protection details advocated by external organizations

Session Riding

wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which

CVE-2012-0937 - January 30, 2012

wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which allows remote attackers to use WordPress as a proxy for brute-force attacks or denial of service attacks via the dbhost parameter, a different vulnerability than CVE-2011-4898. NOTE: the vendor disputes the significance of this issue because an incomplete WordPress installation might be present on the network for only a short time

Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier

CVE-2012-0782 - January 30, 2012

Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dbhost, (2) dbname, or (3) uname parameter. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether this specific XSS scenario has security relevance

XSS

wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure

CVE-2011-4899 - January 30, 2012

wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via the dbhost and dbname parameters, and subsequently conduct static code injection and cross-site scripting (XSS) attacks via (1) an HTTP request or (2) a MySQL query. NOTE: the vendor disputes the significance of this issue; however, remote code execution makes the issue important in many realistic environments

wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks

CVE-2011-4898 - January 30, 2012

wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during installation would be reasonable from a usability perspective

Information Disclosure

wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option, which

CVE-2008-5695 - December 19, 2008

wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option, which allows remote authenticated users with manage_options and upload_files capabilities to execute arbitrary code by uploading a PHP script and adding this script's pathname to active_plugins.

Improper Input Validation

The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products

CVE-2008-4796 - October 30, 2008

The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs.

Shell injection

Wordpress 1.5 through 2.3.1 uses cookie values based on the MD5 hash of a password MD5 hash, which allows attackers to bypass authentication by obtaining the MD5 hash from the user database, then generating the authentication cookie from

CVE-2007-6013 9.8 - Critical - November 19, 2007

Wordpress 1.5 through 2.3.1 uses cookie values based on the MD5 hash of a password MD5 hash, which allows attackers to bypass authentication by obtaining the MD5 hash from the user database, then generating the authentication cookie from that hash.

Use of a Broken or Risky Cryptographic Algorithm

Cross-site scripting (XSS) vulnerability in an mt import in wp-admin/admin.php in WordPress 2.1.2

CVE-2007-1732 - March 28, 2007

Cross-site scripting (XSS) vulnerability in an mt import in wp-admin/admin.php in WordPress 2.1.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the demo parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: another researcher disputes this issue, stating that this is legitimate functionality for administrators. However, it has been patched by at least one vendor

XSS

Cross-site scripting (XSS) vulnerability in WordPress 2.0.0

CVE-2006-0733 - February 16, 2006

Cross-site scripting (XSS) vulnerability in WordPress 2.0.0 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes such as (1) onfocus and (2) onblur in the "author's website" field. NOTE: followup comments to the researcher's web log suggest that this issue is only exploitable by the same user who injects the XSS, so this might not be a vulnerability

Wordpress 1.5 and earlier

CVE-2005-1688 - May 20, 2005

Wordpress 1.5 and earlier allows remote attackers to obtain sensitive information via a direct request to files in (1) wp-content/themes/, (2) wp-includes/, or (3) wp-admin/, which reveal the path in an error message.

forced browsing