WordPress Blog Platform


WordPress EOL Dates

Ensure that you are using a supported version of WordPress. Here are some end of life, and end of support dates for WordPress.

Release   EOL Date             Status
6.8       -                    Active
6.7       April 15, 2025       EOL
6.6       November 12, 2024    EOL
6.5       July 16, 2024        EOL
6.4       April 2, 2024        EOL
6.3       November 7, 2023     EOL
6.2       August 8, 2023       EOL
6.1       March 29, 2023       EOL
6.0       November 1, 2022     EOL
5.9       May 24, 2022         EOL
5.8       January 25, 2022     EOL
5.7       July 20, 2021        EOL
5.6       March 9, 2021        EOL
5.5       December 8, 2020     EOL
5.4       August 11, 2020      EOL
5.3       March 31, 2020       EOL
5.2       November 12, 2019    EOL
5.1       May 7, 2019          EOL
5.0       February 21, 2019    EOL
4.9       December 6, 2018     EOL

By the Year

In 2025 there have been 0 vulnerabilities in WordPress. Last year, in 2024, WordPress had 7 security vulnerabilities published. Right now, WordPress is on track to have fewer security vulnerabilities in 2025 than it did last year.

Year   Vulnerabilities   Average Score
2025   0                 0.00
2024   7                 6.18
2023   5                 5.14
2022   9                 6.53
2021   8                 6.63
2020   21                6.61
2019   22                6.81
2018   16                7.04

It may take a day or so for new WordPress vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent WordPress Security Vulnerabilities

WordPress Plugin '??????? ??????? ??????? ???? ????': Reflected XSS Vulnerability

CVE-2024-11331 6.1 - Medium - December 20, 2024

The ??????? ??????? ??????? ???? ???? plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

XSS

WordPress Plugin 'Add infos to the events calendar' Stored XSS Vulnerability in 'fuss' Shortcode

CVE-2024-11875 6.4 - Medium - December 12, 2024

The Add infos to the events calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fuss' shortcode in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

WordPress Support SVG Plugin: Stored XSS via REST API SVG File Uploads

CVE-2024-11091 6.4 - Medium - November 26, 2024

The Support SVG Upload svg files in wordpress without hassle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

XSS

Stored XSS Vulnerability in WordPress Plugin ???? ????? via mnp_purchase Shortcode

CVE-2024-11231 6.4 - Medium - November 23, 2024

The ???? ????? plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mnp_purchase shortcode in all versions up to, and including, 3.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

Stored XSS Vulnerability in WordPress Plugin ??? ??? via Shortcodes

CVE-2024-11229 6.4 - Medium - November 23, 2024

The ???? ??? plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's add_plus_friends and add_plus_talk shortcodes in all versions up to, and including, 1.1.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

WordPress Bard Theme Reflected XSS Vulnerability in URL Parameter Handling

CVE-2024-9830 - November 19, 2024

The Bard theme for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.216. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

XSS

WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting

CVE-2022-4973 5.4 - Medium - October 16, 2024

WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page.

XSS

WordPress does not properly restrict which user fields are searchable via the REST API

CVE-2023-5561 5.3 - Medium - October 16, 2023

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack

Exposure of Sensitive Information to an Unauthorized Actor in WordPress

CVE-2023-39999 4.3 - Medium - October 13, 2023

Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38.

Information Disclosure

Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core and the Gutenberg plugin

CVE-2023-38000 5.4 - Medium - October 13, 2023

Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions.

XSS

WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the wp_lang parameter

CVE-2023-2745 5.4 - Medium - May 17, 2023

WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the wp_lang parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.

Directory traversal

WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates

CVE-2023-22622 5.3 - Medium - January 05, 2023

WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits.

WordPress is affected by an unauthenticated blind SSRF in the pingback feature

CVE-2022-3590 5.9 - Medium - December 14, 2022

WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

TOCTTOU

Cross-site scripting vulnerability in WordPress versions prior to 6.0.3

CVE-2022-43497 6.1 - Medium - December 05, 2022

Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.

XSS

Cross-site scripting vulnerability in WordPress versions prior to 6.0.3

CVE-2022-43500 6.1 - Medium - December 05, 2022

Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.

XSS

Improper authentication vulnerability in WordPress versions prior to 6.0.3

CVE-2022-43504 5.3 - Medium - December 05, 2022

Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7.

Authentication

A flaw exists in WordPress related to the 'wp-admin/press-this.php' script improperly checking user permissions when publishing posts

CVE-2011-1762 6.5 - Medium - April 18, 2022

A flaw exists in WordPress related to the 'wp-admin/press-this.php' script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'publish_posts' permission.

Incorrect Default Permissions

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database

CVE-2022-21663 7.2 - High - January 06, 2022

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

Marshaling, Unmarshaling

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database

CVE-2022-21664 8.8 - High - January 06, 2022

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

SQL Injection

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database

CVE-2022-21661 7.5 - High - January 06, 2022

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.

SQL Injection

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database

CVE-2022-21662 5.4 - Medium - January 06, 2022

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

XSS

WordPress before 5.8 lacks support for the Update URI plugin header

CVE-2021-44223 9.8 - Critical - November 25, 2021

WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database

CVE-2021-39201 5.4 - Medium - September 09, 2021

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database.

Impact: The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`.

Patches: This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix.

References: https://wordpress.org/news/category/releases/ and https://hackerone.com/reports/1142140

For more information: If you have any questions or comments about this advisory, open an issue in HackerOne (https://hackerone.com/wordpress).

XSS

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database

CVE-2021-39200 5.3 - Medium - September 09, 2021

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can then be used to perform actions on your behalf. This has been patched in WordPress 5.8.1, along with any older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.

Information Disclosure

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database

CVE-2021-39202 5.4 - Medium - September 09, 2021

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. It was only present during the testing/beta phase of WordPress 5.8.

XSS

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database

CVE-2021-39203 6.5 - Medium - September 09, 2021

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release.

PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname

CVE-2020-36326 9.8 - Critical - April 28, 2021

PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.

Marshaling, Unmarshaling

Wordpress is an open source CMS

CVE-2021-29450 4.3 - Medium - April 15, 2021

Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.

Information Disclosure

Wordpress is an open source CMS

CVE-2021-29447 6.5 - Medium - April 15, 2021

Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.

XXE

WordPress before 5.5.2 allows CSRF attacks

CVE-2020-28040 4.3 - Medium - November 02, 2020

WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.

Session Riding

is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion

CVE-2020-28039 9.1 - Critical - November 02, 2020

is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.

WordPress before 5.5.2 allows stored XSS via post slugs

CVE-2020-28038 6.1 - Medium - November 02, 2020

WordPress before 5.5.2 allows stored XSS via post slugs.

XSS

is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow a new installation leading to remote code execution

CVE-2020-28037 9.8 - Critical - November 02, 2020

is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).

Improper Check for Unusual or Exceptional Conditions

wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post

CVE-2020-28036 9.8 - Critical - November 02, 2020

wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.

AuthZ

WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC

CVE-2020-28035 9.8 - Critical - November 02, 2020

WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.

WordPress before 5.5.2 allows XSS associated with global variables

CVE-2020-28034 6.1 - Medium - November 02, 2020

WordPress before 5.5.2 allows XSS associated with global variables.

XSS

WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed

CVE-2020-28033 7.5 - High - November 02, 2020

WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.

WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.

CVE-2020-28032 9.8 - Critical - November 02, 2020

WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.

Marshaling, Unmarshaling

In wp-includes/comment-template.php in WordPress before 5.4.2, comments from non-public posts or pages could sometimes be seen in the latest comments

CVE-2020-25286 5.3 - Medium - September 13, 2020

In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public.

In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to an open redirect

CVE-2020-4048 5.7 - Medium - June 12, 2020

In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Open Redirect

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page

CVE-2020-4049 2.4 - Low - June 12, 2020

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

XSS

In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved

CVE-2020-4050 3.1 - Low - June 12, 2020

In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Authentication Bypass Using an Alternate Path or Channel

In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block to inject unfiltered HTML in the block editor

CVE-2020-4046 5.4 - Medium - June 12, 2020

In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

XSS

In affected versions of WordPress, authenticated users with upload permissions can inject JavaScript into some media file attachment pages

CVE-2020-4047 6.8 - Medium - June 12, 2020

In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

Basic XSS

In affected versions of WordPress, a special payload can be crafted that leads to script execution within the search block of the block editor

CVE-2020-11030 5.4 - Medium - April 30, 2020

In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

XSS

In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks

CVE-2020-11029 6.1 - Medium - April 30, 2020

In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

XSS

In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password

CVE-2020-11027 8.1 - High - April 30, 2020

In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Operation on a Resource after Expiration or Release

In affected versions of WordPress, some private posts which were previously public can be disclosed to unauthenticated users

CVE-2020-11028 7.5 - High - April 30, 2020

In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

Missing Authentication for Critical Function

In affected versions of WordPress, files with a specially crafted name uploaded to the Media section can lead to script execution upon accessing the file

CVE-2020-11026 5.4 - Medium - April 30, 2020

In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

XSS

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed

CVE-2020-11025 5.4 - Medium - April 30, 2020

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

XSS
