WordPress WordPress Blog Platform

stack.watch can notify you when security vulnerabilities are reported in WordPress. You can add multiple products that you use with WordPress to create your own personal software stack watcher.

By the Year

In 2020 there have been 11 vulnerabilities in WordPress with an average score of 5.6 out of ten. Last year WordPress had 22 security vulnerabilities published. Right now, WordPress is on track to have less security vulerabilities in 2020 than it did last year. Last year, the average CVE base score was greater by 1.28

Year Vulnerabilities Average Score
2020 11 5.57
2019 22 6.85
2018 15 6.82

It may take a day or so for new WordPress vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.

Latest WordPress Security Vulnerabilities

In affected versions of WordPress, users with low privileges (like contributors and authors)

CVE-2020-4046 5.4 - Medium - June 12, 2020

In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

In affected versions of WordPress

CVE-2020-4047 6.8 - Medium - June 12, 2020

In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link

CVE-2020-4048 5.7 - Medium - June 12, 2020

In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Open Redirect

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way

CVE-2020-4049 2.4 - Low - June 12, 2020

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved

CVE-2020-4050 3.1 - Low - June 12, 2020

In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Authentication Bypass Using an Alternate Path or Channel

In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section

CVE-2020-11026 5.4 - Medium - April 30, 2020

In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

XSS

In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password

CVE-2020-11027 8.1 - High - April 30, 2020

In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Weak Password Recovery Mechanism for Forgotten Password

In affected versions of WordPress, some private posts

CVE-2020-11028 7.5 - High - April 30, 2020

In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Information Leak

In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php

CVE-2020-11029 6.1 - Medium - April 30, 2020

In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

XSS

In affected versions of WordPress, a special payload can be crafted

CVE-2020-11030 5.4 - Medium - April 30, 2020

In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

XSS

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer

CVE-2020-11025 5.4 - Medium - April 30, 2020

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

XSS

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity

CVE-2019-20041 9.8 - Critical - December 27, 2019

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.

Improper Input Validation

In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel()

CVE-2019-20042 6.1 - Medium - December 27, 2019

In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

XSS

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky

CVE-2019-20043 5.3 - Medium - December 27, 2019

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

Improper Privilege Management

WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload

CVE-2019-16780 5.4 - Medium - December 26, 2019

WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.

XSS

In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor

CVE-2019-16781 5.4 - Medium - December 26, 2019

In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.

XSS

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability

CVE-2019-17669 9.8 - Critical - October 17, 2019

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.

XSPA

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability

CVE-2019-17670 9.8 - Critical - October 17, 2019

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.

XSPA

In WordPress before 5.2.4, unauthenticated viewing of certain content is possible

CVE-2019-17671 5.3 - Medium - October 17, 2019

In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.

Information Leak

WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.

CVE-2019-17672 6.1 - Medium - October 17, 2019

WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.

XSS

WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests

CVE-2019-17673 7.5 - High - October 17, 2019

WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header.

Improper Input Validation

WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting)

CVE-2019-17674 5.4 - Medium - October 17, 2019

WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer.

XSS

WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages

CVE-2019-17675 8.8 - High - October 17, 2019

WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.

Object Type Confusion

WordPress before 5.2.3

CVE-2019-16217 6.1 - Medium - September 11, 2019

WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.

XSS

WordPress before 5.2.3

CVE-2019-16218 6.1 - Medium - September 11, 2019

WordPress before 5.2.3 allows XSS in stored comments.

XSS

WordPress before 5.2.3

CVE-2019-16219 6.1 - Medium - September 11, 2019

WordPress before 5.2.3 allows XSS in shortcode previews.

XSS

In WordPress before 5.2.3

CVE-2019-16220 6.1 - Medium - September 11, 2019

In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect.

Open Redirect

WordPress before 5.2.3

CVE-2019-16221 6.1 - Medium - September 11, 2019

WordPress before 5.2.3 allows reflected XSS in the dashboard.

XSS

WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php

CVE-2019-16222 6.1 - Medium - September 11, 2019

WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.

XSS

WordPress before 5.2.3

CVE-2019-16223 5.4 - Medium - September 11, 2019

WordPress before 5.2.3 allows XSS in post previews by authenticated users.

XSS

WordPress before 5.1.1 does not properly filter comment content

CVE-2019-9787 8.8 - High - March 14, 2019

WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

352

WordPress before 4.9.9 and 5.x before 5.0.1

CVE-2019-8942 8.8 - High - February 20, 2019

WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.

Improper Control of Generation of Code ('Code Injection')

WordPress through 5.0.3 allows Path Traversal in wp_crop_image()

CVE-2019-8943 6.5 - Medium - February 20, 2019

WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

Directory traversal

In WordPress before 4.9.9 and 5.x before 5.0.1

CVE-2018-20147 6.5 - Medium - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.

authentification

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks

CVE-2018-20148 9.8 - Critical - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.

Marshaling, Unmarshaling

In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files

CVE-2018-20149 5.4 - Medium - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.

XSS

In WordPress before 4.9.9 and 5.x before 5.0.1

CVE-2018-20150 6.1 - Medium - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins.

XSS

In WordPress before 4.9.9 and 5.x before 5.0.1

CVE-2018-20151 7.5 - High - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default.

Information Leak

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types

CVE-2018-20152 6.5 - Medium - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input.

Improper Input Validation

In WordPress before 4.9.9 and 5.x before 5.0.1

CVE-2018-20153 5.4 - Medium - December 14, 2018

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.

XSS

WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing

CVE-2018-1000773 8.8 - High - September 06, 2018

WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time.

Improper Input Validation

In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files

CVE-2018-14028 7.2 - High - August 10, 2018

In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.

Unrestricted File Upload

WordPress through 4.9.6

CVE-2018-12895 7.2 - High - June 26, 2018

WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.

Directory traversal

Before WordPress 4.9.5

CVE-2018-10100 6.1 - Medium - April 16, 2018

Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.

Open Redirect

Before WordPress 4.9.5

CVE-2018-10101 6.1 - Medium - April 16, 2018

Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.

Open Redirect

Before WordPress 4.9.5

CVE-2018-10102 6.1 - Medium - April 16, 2018

Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.

XSS

In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (

CVE-2018-6389 7.5 - High - February 06, 2018

In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.

Uncontrolled Resource Consumption ('Resource Exhaustion')

WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).

CVE-2018-5776 6.1 - Medium - January 18, 2018

WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).

XSS