WordPress Blog Platform
By the Year
In 2025 there have been 0 vulnerabilities in WordPress. Last year, in 2024, WordPress had 7 security vulnerabilities published. Right now, WordPress is on track to have fewer security vulnerabilities in 2025 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 7 | 6.18 |
2023 | 5 | 5.14 |
2022 | 9 | 6.53 |
2021 | 8 | 6.63 |
2020 | 21 | 6.61 |
2019 | 22 | 6.81 |
2018 | 16 | 7.04 |
It may take a day or so for new WordPress vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent WordPress Security Vulnerabilities
WordPress Plugin (non-Latin plugin name, not rendered in the source): Reflected XSS Vulnerability
CVE-2024-11331
6.1 - Medium
- December 20, 2024
The plugin (non-Latin name, not rendered in the source) for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg and remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
XSS
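The add_query_arg()/remove_query_arg() pattern behind this entry (and the Bard theme entry further down) is common enough to be worth seeing side by side. The following is an added example, not code from either vulnerable project or from WordPress core; function names prefixed `example_` are placeholders.

```php
<?php
// Added example, not the vulnerable plugin's code. Function names are placeholders.
//
// With no URL argument, add_query_arg() and remove_query_arg() build on
// $_SERVER['REQUEST_URI'], which is whatever the client sent, and neither
// function encodes its output. Printing the return value into an attribute
// therefore reflects the request path into the page unescaped, which is the
// reflected XSS described above.

// Vulnerable: raw return value printed into an href.
function example_next_page_link_vulnerable() {
    echo '<a href="' . add_query_arg( 'paged', 2 ) . '">Next</a>';
}

// Fixed: esc_url() entity-encodes quotes, <, > and & and rejects
// disallowed schemes, so the value cannot terminate the attribute.
function example_next_page_link_fixed() {
    echo '<a href="' . esc_url( add_query_arg( 'paged', 2 ) ) . '">Next</a>';
}

// remove_query_arg() has the same REQUEST_URI default and needs the same escaping.
function example_clear_sort_link_fixed() {
    $url = remove_query_arg( array( 'orderby', 'order' ) );
    echo '<a href="' . esc_url( $url ) . '">Clear sorting</a>';
}

// Passing an explicit base URL removes the dependency on REQUEST_URI, but
// output escaping is still required because the query value may be user input
// (add_query_arg() does not encode values; the caller must).
function example_filter_link_fixed( $term ) {
    $url = add_query_arg( 'term', rawurlencode( $term ), home_url( '/search/' ) );
    echo '<a href="' . esc_url( $url ) . '">' . esc_html( $term ) . '</a>';
}
```

A quick audit of a plugin or theme: search for `add_query_arg(` and `remove_query_arg(` and confirm that every result which reaches markup is wrapped in `esc_url()` (use `esc_url_raw()` instead when the value goes to a redirect header or the database rather than to HTML).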
WordPress Plugin 'Add infos to the events calendar' Stored XSS Vulnerability in 'fuss' Shortcode
CVE-2024-11875
6.4 - Medium
- December 12, 2024
The Add infos to the events calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fuss' shortcode in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
WordPress Support SVG Plugin: Stored XSS via REST API SVG File Uploads
CVE-2024-11091
6.4 - Medium
- November 26, 2024
The Support SVG Upload svg files in wordpress without hassle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
XSS
Stored XSS Vulnerability in WordPress Plugin (non-Latin name, not rendered in the source) via mnp_purchase Shortcode
CVE-2024-11231
6.4 - Medium
- November 23, 2024
The plugin (non-Latin name, not rendered in the source) for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mnp_purchase shortcode in all versions up to, and including, 3.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
Stored XSS Vulnerability in WordPress Plugin (non-Latin name, not rendered in the source) via Shortcodes
CVE-2024-11229
6.4 - Medium
- November 23, 2024
The plugin (non-Latin name, not rendered in the source) for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's add_plus_friends and add_plus_talk shortcodes in all versions up to, and including, 1.1.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
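The three shortcode entries above (CVE-2024-11875, CVE-2024-11231, CVE-2024-11229) share one root cause: attribute values are concatenated into markup without escaping. The following is an added example written for this page, not code from any of those plugins; the shortcode and function names are placeholders.

```php
<?php
// Added example, not code from any plugin listed above. Shortcode and function
// names are placeholders.
//
// Shortcode attributes are author-controlled text stored with the post and
// rendered for every reader. Contributors' posts pass through wp_kses_post()
// on save, but that filter only strips HTML tags it sees in the content; a
// value that only becomes an attribute or a URL when the shortcode renders
// is not caught. So [example_card class='" onmouseover="alert(1)'] survives
// saving and runs on every page view unless the handler escapes it.

// Vulnerable: attributes concatenated straight into markup.
function example_card_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'class' => '', 'title' => '', 'link' => '' ),
        $atts,
        'example_card_vulnerable'
    );
    return '<div class="card ' . $atts['class'] . '">'
         . '<a href="' . $atts['link'] . '">' . $atts['title'] . '</a></div>';
}
add_shortcode( 'example_card_vulnerable', 'example_card_vulnerable' );

// Fixed: sanitize on input, then escape each value for its output context.
function example_card_fixed( $atts ) {
    $atts = shortcode_atts(
        array( 'class' => '', 'title' => '', 'link' => '' ),
        $atts,
        'example_card'
    );
    $class = sanitize_html_class( $atts['class'] );   // letters, digits, - and _ only
    $title = sanitize_text_field( $atts['title'] );
    $link  = esc_url( $atts['link'] );                // drops javascript: and other disallowed schemes
    return '<div class="card ' . esc_attr( $class ) . '">'
         . '<a href="' . $link . '">' . esc_html( $title ) . '</a></div>';
}
add_shortcode( 'example_card', 'example_card_fixed' );
```

The point of the fixed version is that escaping happens at output, per context (`esc_attr()` inside an attribute, `esc_html()` in text, `esc_url()` for an href); relying on the save-time kses filter is what makes the contributor-level entries above exploitable.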
WordPress Bard Theme Reflected XSS Vulnerability in URL Parameter Handling
CVE-2024-9830
- November 19, 2024
The Bard theme for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.216. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
XSS
WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting
CVE-2022-4973
5.4 - Medium
- October 16, 2024
WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors, making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta() function is called on that page.
XSS
WordPress does not properly restrict which user fields are searchable via the REST API
CVE-2023-5561
5.3 - Medium
- October 16, 2023
WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an oracle-style attack.
Exposure of Sensitive Information to an Unauthorized Actor in WordPress
CVE-2023-39999
4.3 - Medium
- October 13, 2023
Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38.
Information Disclosure
Authenticated Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1 and earlier branches, and Gutenberg plugin <= 16.8.0
CVE-2023-38000
5.4 - Medium
- October 13, 2023
Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions.
XSS
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the wp_lang parameter
CVE-2023-2745
5.4 - Medium
- May 17, 2023
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the wp_lang parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.
Directory traversal
WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates
CVE-2023-22622
5.3 - Medium
- January 05, 2023
WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits.
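The standard mitigation for the wp-cron behaviour described above is to stop visitors from triggering it and drive it from the system scheduler instead. What follows is an added example, not text from the WordPress installation or security guides the entry refers to; the install path and site URL are placeholders.

```php
<?php
// Added example, not from the WordPress guides cited above. Paths and the
// site URL are placeholders.
//
// By default WordPress calls spawn_cron() during ordinary page loads, so a site
// with few visitors may never run its scheduled events, including the
// background check that pulls in security releases. Two steps fix that.

// 1. wp-config.php: stop page loads from triggering wp-cron.php.
define( 'DISABLE_WP_CRON', true );

// 2. Trigger it from the system scheduler instead. One of these crontab lines
//    (every five minutes) is enough; DISABLE_WP_CRON does not block direct calls.
//
//    */5 * * * * php /var/www/example.com/wp-cron.php >/dev/null 2>&1
//
//    or, with WP-CLI installed:
//
//    */5 * * * * cd /var/www/example.com && wp cron event run --due-now >/dev/null 2>&1
//
//    or, if the PHP CLI cannot load the site (for example a containerised install):
//
//    */5 * * * * curl -fsS "https://example.com/wp-cron.php?doing_wp_cron" >/dev/null 2>&1
```

Verify with `wp cron test` (checks that the spawn mechanism works) and `wp cron event list` (shows next-run times; nothing should stay overdue once the crontab entry is in place). Setting `DISABLE_WP_CRON` without an external trigger is worse than the default: then nothing runs at all.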
WordPress is affected by an unauthenticated blind SSRF in the pingback feature
CVE-2022-3590
5.9 - Medium
- December 14, 2022
WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
SSRF
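The race described in this entry is the generic one between a hostname check and the request that follows it: the name is resolved once to validate it and again to connect, and a DNS answer that changes in between defeats the check. The following is an added example, not WordPress core code, showing that shape and one way to close it by pinning the address that was validated. Function names prefixed `example_` are placeholders.

```php
<?php
// Added example, not WordPress core code. Function names are placeholders.

// True only for addresses outside private and reserved ranges.
function example_is_public_ip( string $ip ): bool {
    return (bool) filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
}

// Vulnerable shape: the name is resolved once for the check and again, by curl,
// for the request. A host whose DNS answer changes in between (short TTL) passes
// the check with a public address and is then fetched from a private one.
function example_fetch_vulnerable( string $url ) {
    $host = parse_url( $url, PHP_URL_HOST );
    $ips  = gethostbynamel( (string) $host );
    if ( empty( $ips ) ) {
        return false;
    }
    foreach ( $ips as $ip ) {
        if ( ! example_is_public_ip( $ip ) ) {
            return false;
        }
    }
    $ch = curl_init( $url );               // resolves $host a second time
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
    curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, false );
    $body = curl_exec( $ch );
    curl_close( $ch );
    return $body;
}

// Hardened: resolve once, check the addresses, then force curl to connect to
// exactly the address that was checked. Redirects stay disabled because a 3xx
// to another host would reopen the same problem.
function example_fetch_pinned( string $url ) {
    $parts = parse_url( $url );
    if ( ! $parts || ! in_array( $parts['scheme'] ?? '', array( 'http', 'https' ), true ) ) {
        return false;
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ( 'https' === $parts['scheme'] ? 443 : 80 );
    $ips  = gethostbynamel( $host );
    if ( empty( $ips ) ) {
        return false;
    }
    foreach ( $ips as $ip ) {
        if ( ! example_is_public_ip( $ip ) ) {
            return false;
        }
    }
    $ch = curl_init( $url );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
    curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, false );
    curl_setopt( $ch, CURLOPT_CONNECTTIMEOUT, 5 );
    curl_setopt( $ch, CURLOPT_TIMEOUT, 10 );
    // Pin "host:port:address": curl skips its own lookup for this host.
    curl_setopt( $ch, CURLOPT_RESOLVE, array( "{$host}:{$port}:{$ips[0]}" ) );
    $body = curl_exec( $ch );
    curl_close( $ch );
    return $body;
}
```

Two caveats: `gethostbynamel()` returns IPv4 only, so a complete version also resolves AAAA records (`dns_get_record()`) and pins those; and inside WordPress, plugin code should go through `wp_safe_remote_get()` rather than raw curl so that core's own URL validation applies.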
Improper authentication vulnerability in WordPress versions prior to 6.0.3
CVE-2022-43504
5.3 - Medium
- December 05, 2022
Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7.
Improper Authentication
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3
CVE-2022-43500
6.1 - Medium
- December 05, 2022
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
XSS
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3
CVE-2022-43497
6.1 - Medium
- December 05, 2022
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
XSS
A flaw exists in WordPress related to the 'wp-admin/press-this.php' script improperly checking user permissions when publishing posts
CVE-2011-1762
6.5 - Medium
- April 18, 2022
A flaw exists in WordPress related to the 'wp-admin/press-this.php' script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'publish_posts' permission.
Incorrect Default Permissions
Stored XSS by low-privileged authenticated users in WordPress core before 5.8.3
CVE-2022-21662
5.4 - Medium
- January 06, 2022
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.
XSS
SQL injection through improper sanitization in WP_Query in WordPress before 5.8.3
CVE-2022-21661
7.5 - High
- January 06, 2022
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.
SQL Injection
Unintended SQL queries through missing sanitization in a core class in WordPress before 5.8.3
CVE-2022-21664
8.8 - High
- January 06, 2022
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.
SQL Injection
Object injection lets multisite Super Admins bypass additional hardening in WordPress before 5.8.3
CVE-2022-21663
7.2 - High
- January 06, 2022
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.
Marshaling, Unmarshaling
WordPress before 5.8 lacks support for the Update URI plugin header
CVE-2021-44223
9.8 - Critical
- November 25, 2021
WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.
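The Update URI header this entry refers to is what a privately distributed plugin uses to stay out of WordPress.org update checks. The following is an added example written for this page, not a real plugin and not WordPress core code; the plugin slug, hostname and manifest values are placeholders.

```php
<?php
/**
 * Plugin Name: Example Internal Plugin
 * Description: Added example (not a real plugin) of the Update URI header introduced in WordPress 5.8.
 * Version:     1.0.0
 * Update URI:  https://updates.example.internal/example-internal-plugin
 */

// Since 5.8, wp_update_plugins() only asks api.wordpress.org about plugins whose
// Update URI is absent or points at wordpress.org. Any other host (or the
// literal value "false") keeps this slug out of that request, so a plugin later
// published on WordPress.org under the same slug cannot be served as an "update".
//
// For a non-wordpress.org URI, core instead fires update_plugins_{hostname},
// where {hostname} is the host part of the header. The handler below answers
// from a hard-coded manifest; a real one would fetch and signature-check it.
// Hostname, slug and manifest values are placeholders for this example.
add_filter( 'update_plugins_updates.example.internal', 'example_internal_update_check', 10, 4 );

function example_internal_update_check( $update, $plugin_data, $plugin_file, $locales ) {
    if ( 'example-internal-plugin/example-internal-plugin.php' !== $plugin_file ) {
        return $update;
    }
    // Constructed manifest standing in for a response from the private update host.
    $manifest = array(
        'version' => '1.0.1',
        'package' => 'https://updates.example.internal/example-internal-plugin-1.0.1.zip',
    );
    if ( version_compare( $plugin_data['Version'], $manifest['version'], '>=' ) ) {
        return false;   // nothing newer; core records this as "no update"
    }
    return array(
        'slug'    => 'example-internal-plugin',
        'version' => $manifest['version'],
        'url'     => $plugin_data['UpdateURI'],
        'package' => $manifest['package'],
    );
}
```

Core only requires `version` in the returned array and does its own comparison against the installed version; returning `false` is how the handler says there is no update. For a plugin that should never be updated remotely at all, `Update URI: false` with no handler is enough.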
Users without permission can view private post types/data in the block editor (WordPress 5.8 beta only)
CVE-2021-39203
6.5 - Medium
- September 09, 2021
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release.
Stored XSS in the Custom HTML widget of the widgets editor (WordPress 5.8 beta only)
CVE-2021-39202
5.4 - Medium
- September 09, 2021
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. It was only present during the testing/beta phase of WordPress 5.8.
XSS
Leak of wp_die() output, including nonces, in WordPress before 5.8.1
CVE-2021-39200
5.3 - Medium
- September 09, 2021
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can then be used to perform actions on your behalf. This has been patched in WordPress 5.8.1, along with any older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.
Information Disclosure
Low-privileged users can execute XSS in the editor, bypassing unfiltered_html restrictions, in WordPress before 5.8
CVE-2021-39201
5.4 - Medium
- September 09, 2021
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database.
Impact: The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`.
Patches: This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix.
References: https://wordpress.org/news/category/releases/ and https://hackerone.com/reports/1142140
For more information: If you have any questions or comments about this advisory, open an issue in HackerOne (https://hackerone.com/wordpress).
XSS
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname
CVE-2020-36326
9.8 - Critical
- April 28, 2021
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
Marshaling, Unmarshaling
WordPress editor block exposes password-protected posts and pages to contributors (fixed in 5.7.1)
CVE-2021-29450
4.3 - Medium
- April 15, 2021
Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.
Information Disclosure
XXE via XML parsing in the Media Library on PHP 8 in WordPress before 5.7.1
CVE-2021-29447
6.5 - Medium
- April 15, 2021
Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.
XXE
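Why this entry is PHP 8 specific: older code relied on `libxml_disable_entity_loader(true)` as a global guard, which PHP 8 deprecates, while a parser call that explicitly passes `LIBXML_NOENT` still asks libxml to substitute entities. The following is an added example, not WordPress or getID3 code, showing an unsafe and a safe way to parse XML taken from an uploaded file; the probe document is constructed for the example.

```php
<?php
// Added example, not WordPress code. The XML below is a constructed probe.
//
// On PHP < 8 many projects called libxml_disable_entity_loader(true) once and
// then parsed freely. PHP 8 deprecates that function; what governs entity
// expansion is now the flags passed to each parse call. LIBXML_NOENT turns
// substitution on, and with it an external entity reads the named file.

// Constructed XXE probe: an external entity pointing at a local file.
const EXAMPLE_XXE_DOC = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<data><name>&xxe;</name></data>
XML;

// Unsafe shape: LIBXML_NOENT requests entity substitution, so <name> comes
// back holding the contents of /etc/hostname.
function example_parse_unsafe( string $xml ): ?string {
    $doc = @simplexml_load_string( $xml, 'SimpleXMLElement', LIBXML_NOENT | LIBXML_DTDLOAD );
    return $doc ? (string) $doc->name : null;
}

// Safe shape: refuse any document that declares a DOCTYPE (untrusted input has
// no business carrying one), and parse with no entity substitution and no
// network access. Parser errors are collected rather than printed.
function example_parse_safe( string $xml ): ?string {
    if ( preg_match( '/<!DOCTYPE/i', $xml ) ) {
        return null;
    }
    $prev = libxml_use_internal_errors( true );
    $doc  = simplexml_load_string( $xml, 'SimpleXMLElement', LIBXML_NONET );
    libxml_clear_errors();
    libxml_use_internal_errors( $prev );
    return $doc ? (string) $doc->name : null;
}

// example_parse_unsafe( EXAMPLE_XXE_DOC ) returns the file contents;
// example_parse_safe( EXAMPLE_XXE_DOC ) returns null.
```

The same rule applies to `DOMDocument::loadXML()` and `XMLReader`: never pass `LIBXML_NOENT` for untrusted input, and reject DOCTYPE declarations up front rather than trusting any one global setting.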
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
CVE-2020-28032
9.8 - Critical
- November 02, 2020
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
Marshaling, Unmarshaling
WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network
CVE-2020-28033
7.5 - High
- November 02, 2020
WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.
WordPress before 5.5.2 allows XSS associated with global variables
CVE-2020-28034
6.1 - Medium
- November 02, 2020
WordPress before 5.5.2 allows XSS associated with global variables.
XSS
WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC
CVE-2020-28035
9.8 - Critical
- November 02, 2020
WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.
wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2
CVE-2020-28036
9.8 - Critical
- November 02, 2020
wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.
AuthZ
is_blog_installed in WordPress before 5.5.2 improperly determines whether WordPress is already installed, allowing a new installation and remote code execution
CVE-2020-28037
9.8 - Critical
- November 02, 2020
is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).
Improper Check for Unusual or Exceptional Conditions
WordPress before 5.5.2 allows stored XSS via post slugs
CVE-2020-28038
6.1 - Medium
- November 02, 2020
WordPress before 5.5.2 allows stored XSS via post slugs.
XSS
is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2
CVE-2020-28039
9.1 - Critical
- November 02, 2020
is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.
WordPress before 5.5.2 allows CSRF attacks
CVE-2020-28040
4.3 - Medium
- November 02, 2020
WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.
Session Riding
Comments on non-public posts or pages could appear in the latest comments in WordPress before 5.4.2
CVE-2020-25286
5.3 - Medium
- September 13, 2020
In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public.
Low-privileged users can inject unfiltered HTML via the embed block in the block editor in WordPress before 5.4.2
CVE-2020-4046
5.4 - Medium
- June 12, 2020
In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
XSS
Authenticated users with upload permissions can inject JavaScript into media attachment pages in WordPress before 5.4.2
CVE-2020-4047
6.8 - Medium
- June 12, 2020
In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
Basic XSS
Open redirect via wp_validate_redirect() and URL sanitization in WordPress before 5.4.2
CVE-2020-4048
5.7 - Medium
- June 12, 2020
In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
Open Redirect
Crafted theme folder name leads to self-XSS on the Themes admin page in WordPress before 5.4.2
CVE-2020-4049
2.4 - Low
- June 12, 2020
In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
XSS
Misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved in WordPress before 5.4.2
CVE-2020-4050
3.1 - Low
- June 12, 2020
In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
Authentication Bypass Using an Alternate Path or Channel
Specially crafted file names uploaded to the Media section lead to script execution in WordPress before 5.4.1
CVE-2020-11026
5.4 - Medium
- April 30, 2020
In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
XSS
Password reset link does not expire after the user password is changed in WordPress before 5.4.1
CVE-2020-11027
8.1 - High
- April 30, 2020
In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
Operation on a Resource after Expiration or Release
Previously public private posts can be disclosed to unauthenticated users in WordPress before 5.4.1
CVE-2020-11028
7.5 - High
- April 30, 2020
In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
Missing Authentication for Critical Function
XSS via the stats() method of class-wp-object-cache.php in WordPress before 5.4.1
CVE-2020-11029
6.1 - Medium
- April 30, 2020
In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
XSS
Crafted payload executes scripts within the search block of the block editor in WordPress before 5.4.1
CVE-2020-11030
5.4 - Medium
- April 30, 2020
In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
XSS
XSS in the navigation section of the Customizer in WordPress before 5.4.1
CVE-2020-11025
5.4 - Medium
- April 30, 2020
In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
XSS
wp_kses_bad_protocol in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing input sanitization bypass
CVE-2019-20041
9.8 - Critical
- December 27, 2019
wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.
Improper Input Validation
Stored XSS via wp_targeted_link_rel() in wp-includes/formatting.php in WordPress 3.7 to 5.3.0
CVE-2019-20042
6.1 - Medium
- December 27, 2019
In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.
XSS
Users without publish rights can mark posts sticky or unsticky via the REST API in WordPress 3.7 to 5.3.0
CVE-2019-20043
4.3 - Medium
- December 27, 2019
In wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.
Improper Privilege Management
WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload
CVE-2019-16780
5.4 - Medium
- December 26, 2019
WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.
XSS
In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor
CVE-2019-16781
5.4 - Medium
- December 26, 2019
In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.
XSS
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability
CVE-2019-17669
9.8 - Critical
- October 17, 2019
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.
SSRF
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability
CVE-2019-17670
9.8 - Critical
- October 17, 2019
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.
SSRF
In WordPress before 5.2.4, unauthenticated viewing of certain content is possible
CVE-2019-17671
5.3 - Medium
- October 17, 2019
In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.
Information Disclosure
WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.
CVE-2019-17672
6.1 - Medium
- October 17, 2019
WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.
XSS
WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests
CVE-2019-17673
7.5 - High
- October 17, 2019
WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header.
WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting)
CVE-2019-17674
5.4 - Medium
- October 17, 2019
WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer.
XSS
WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages
CVE-2019-17675
8.8 - High
- October 17, 2019
WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.
Session Riding
WordPress before 5.2.3 allows XSS in media uploads via wp_ajax_upload_attachment
CVE-2019-16217
6.1 - Medium
- September 11, 2019
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.
XSS
WordPress before 5.2.3 allows XSS in stored comments
CVE-2019-16218
6.1 - Medium
- September 11, 2019
WordPress before 5.2.3 allows XSS in stored comments.
XSS
WordPress before 5.2.3 allows XSS in shortcode previews
CVE-2019-16219
6.1 - Medium
- September 11, 2019
WordPress before 5.2.3 allows XSS in shortcode previews.
XSS
Open redirect via wp_validate_redirect in wp-includes/pluggable.php in WordPress before 5.2.3
CVE-2019-16220
6.1 - Medium
- September 11, 2019
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash.
Open Redirect
WordPress before 5.2.3
CVE-2019-16221
6.1 - Medium
- September 11, 2019
WordPress before 5.2.3 allows reflected XSS in the dashboard.
XSS
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php
CVE-2019-16222
6.1 - Medium
- September 11, 2019
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.
XSS
WordPress before 5.2.3
CVE-2019-16223
5.4 - Medium
- September 11, 2019
WordPress before 5.2.3 allows XSS in post previews by authenticated users.
XSS
WordPress before 5.1.1 does not properly filter comment content
CVE-2019-9787
8.8 - High
- March 14, 2019
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.
Session Riding
WordPress before 4.9.9 and 5.x before 5.0.1
CVE-2019-8942
8.8 - High
- February 20, 2019
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.
Code Injection
WordPress through 5.0.3 allows Path Traversal in wp_crop_image()
CVE-2019-8943
6.5 - Medium
- February 20, 2019
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
Directory traversal
In WordPress before 4.9.9 and 5.x before 5.0.1
CVE-2018-20147
6.5 - Medium
- December 14, 2018
In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.
AuthZ
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks
CVE-2018-20148
9.8 - Critical
- December 14, 2018
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.
Marshaling, Unmarshaling
In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files
CVE-2018-20149
5.4 - Medium
- December 14, 2018
In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.
XSS
In WordPress before 4.9.9 and 5.x before 5.0.1
CVE-2018-20150
6.1 - Medium
- December 14, 2018
In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins.
XSS
In WordPress before 4.9.9 and 5.x before 5.0.1
CVE-2018-20151
7.5 - High
- December 14, 2018
In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default.
Information Disclosure
In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types
CVE-2018-20152
6.5 - Medium
- December 14, 2018
In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input.
Improper Input Validation
In WordPress before 4.9.9 and 5.x before 5.0.1
CVE-2018-20153
5.4 - Medium
- December 14, 2018
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.
XSS
PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.
CVE-2018-19296
8.8 - High
- November 16, 2018
PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.
Marshaling, Unmarshaling
WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing
CVE-2018-1000773
8.8 - High
- September 06, 2018
WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time.
Improper Input Validation
In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files
CVE-2018-14028
7.2 - High
- August 10, 2018
In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
Unrestricted File Upload
WordPress through 4.9.6
CVE-2018-12895
8.8 - High
- June 26, 2018
WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.
Directory traversal
Before WordPress 4.9.5
CVE-2018-10100
6.1 - Medium
- April 16, 2018
Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.
Open Redirect
Before WordPress 4.9.5
CVE-2018-10101
6.1 - Medium
- April 16, 2018
Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.
Open Redirect
Before WordPress 4.9.5
CVE-2018-10102
6.1 - Medium
- April 16, 2018
Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.
XSS
In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files
CVE-2018-6389
7.5 - High
- February 06, 2018
In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.
Resource Exhaustion
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).
CVE-2018-5776
6.1 - Medium
- January 18, 2018
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).
XSS
SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme
CVE-2017-5611
9.8 - Critical
- January 30, 2017
SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name.
SQL Injection
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command
CVE-2016-10045
9.8 - Critical
- December 30, 2016
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
Command Injection
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command
CVE-2016-10033
9.8 - Critical
- December 30, 2016
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
Argument Injection
WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address
CVE-2016-4029
8.6 - High
- August 07, 2016
WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address.
SSRF
The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session
CVE-2012-1936
- May 03, 2012
The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network, as demonstrated by attacks against the wp-admin/admin-ajax.php and wp-admin/user-new.php scripts. NOTE: the vendor reportedly disputes the significance of this issue because wp_create_nonce operates as intended, even if it is arguably inconsistent with certain CSRF protection details advocated by external organizations.
Session Riding
wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers
CVE-2012-0937
- January 30, 2012
wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not limit the number of MySQL queries sent to external MySQL database servers, which allows remote attackers to use WordPress as a proxy for brute-force attacks or denial of service attacks via the dbhost parameter, a different vulnerability than CVE-2011-4898. NOTE: the vendor disputes the significance of this issue because an incomplete WordPress installation might be present on the network for only a short time.
Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier
CVE-2012-0782
- January 30, 2012
Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dbhost, (2) dbname, or (3) uname parameter. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether this specific XSS scenario has security relevance.
XSS
wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate
CVE-2011-4899
- January 30, 2012
wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via the dbhost and dbname parameters, and subsequently conduct static code injection and cross-site scripting (XSS) attacks via (1) an HTTP request or (2) a MySQL query. NOTE: the vendor disputes the significance of this issue; however, remote code execution makes the issue important in many realistic environments.
wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks
CVE-2011-4898
- January 30, 2012
wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during installation would be reasonable from a usability perspective.
Information Disclosure
wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option
CVE-2008-5695
- December 19, 2008
wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option, which allows remote authenticated users with manage_options and upload_files capabilities to execute arbitrary code by uploading a PHP script and adding this script's pathname to active_plugins.
Improper Input Validation
The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs
CVE-2008-4796
- October 30, 2008
The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs.
Shell injection
WordPress 1.5 through 2.3.1 uses cookie values based on the MD5 hash of a password MD5 hash, which allows attackers to bypass authentication
CVE-2007-6013
9.8 - Critical
- November 19, 2007
WordPress 1.5 through 2.3.1 uses cookie values based on the MD5 hash of a password MD5 hash, which allows attackers to bypass authentication by obtaining the MD5 hash from the user database, then generating the authentication cookie from that hash.
Use of a Broken or Risky Cryptographic Algorithm