WordPress Blog Platform
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in WordPress.
WordPress EOL Dates
Ensure that you are using a supported version of WordPress. Here are some end of life, and end of support dates for WordPress.
| Release | EOL Date | Status |
|---|---|---|
| 6.8 | - |
Active
|
| 6.7 | April 15, 2025 |
EOL
WordPress 6.7 became EOL in 2025. |
| 6.6 | November 12, 2024 |
EOL
WordPress 6.6 became EOL in 2024. |
| 6.5 | July 16, 2024 |
EOL
WordPress 6.5 became EOL in 2024. |
| 6.4 | April 2, 2024 |
EOL
WordPress 6.4 became EOL in 2024. |
| 6.3 | November 7, 2023 |
EOL
WordPress 6.3 became EOL in 2023. |
| 6.2 | August 8, 2023 |
EOL
WordPress 6.2 became EOL in 2023. |
| 6.1 | March 29, 2023 |
EOL
WordPress 6.1 became EOL in 2023. |
| 6.0 | November 1, 2022 |
EOL
WordPress 6.0 became EOL in 2022. |
| 5.9 | May 24, 2022 |
EOL
WordPress 5.9 became EOL in 2022. |
| 5.8 | January 25, 2022 |
EOL
WordPress 5.8 became EOL in 2022. |
| 5.7 | July 20, 2021 |
EOL
WordPress 5.7 became EOL in 2021. |
| 5.6 | March 9, 2021 |
EOL
WordPress 5.6 became EOL in 2021. |
| 5.5 | December 8, 2020 |
EOL
WordPress 5.5 became EOL in 2020. |
| 5.4 | August 11, 2020 |
EOL
WordPress 5.4 became EOL in 2020. |
| 5.3 | March 31, 2020 |
EOL
WordPress 5.3 became EOL in 2020. |
| 5.2 | November 12, 2019 |
EOL
WordPress 5.2 became EOL in 2019. |
| 5.1 | May 7, 2019 |
EOL
WordPress 5.1 became EOL in 2019. |
| 5.0 | February 21, 2019 |
EOL
WordPress 5.0 became EOL in 2019. |
| 4.9 | December 6, 2018 |
EOL
WordPress 4.9 became EOL in 2018. |
By the Year
In 2025 there have been 0 vulnerabilities in WordPress. Last year, in 2024 WordPress had 7 security vulnerabilities published. Right now, WordPress is on track to have less security vulnerabilities in 2025 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 0 | 0.00 |
| 2024 | 7 | 6.18 |
| 2023 | 5 | 5.14 |
| 2022 | 9 | 6.53 |
| 2021 | 8 | 6.63 |
| 2020 | 21 | 6.61 |
| 2019 | 22 | 6.81 |
| 2018 | 16 | 7.04 |
It may take a day or so for new WordPress vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent WordPress Security Vulnerabilities
WordPress Plugin '??????? ??????? ??????? ???? ????': Reflected XSS Vulnerability
CVE-2024-11331
6.1 - Medium
- December 20, 2024
The ??????? ??????? ??????? ???? ???? plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
XSS
WordPress Plugin 'Add infos to the events calendar' Stored XSS Vulnerability in 'fuss' Shortcode
CVE-2024-11875
6.4 - Medium
- December 12, 2024
The Add infos to the events calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fuss' shortcode in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
WordPress Support SVG Plugin: Stored XSS via REST API SVG File Uploads
CVE-2024-11091
6.4 - Medium
- November 26, 2024
The Support SVG Upload svg files in wordpress without hassle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
XSS
Stored XSS Vulnerability in WordPress Plugin ???? ????? via mnp_purchase Shortcode
CVE-2024-11231
6.4 - Medium
- November 23, 2024
The ???? ????? plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mnp_purchase shortcode in all versions up to, and including, 3.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
Stored XSS Vulnerability in WordPress Plugin ??? ??? via Shortcodes
CVE-2024-11229
6.4 - Medium
- November 23, 2024
The ???? ??? plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's add_plus_friends and add_plus_talk shortcodes in all versions up to, and including, 1.1.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
XSS
WordPress Bard Theme Reflected XSS Vulnerability in URL Parameter Handling
CVE-2024-9830
- November 19, 2024
The Bard theme for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.216. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
XSS
WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting
CVE-2022-4973
5.4 - Medium
- October 16, 2024
WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page.
XSS
WordPress does not properly restrict which user fields are searchable via the REST API
CVE-2023-5561
5.3 - Medium
- October 16, 2023
WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack
Exposure of Sensitive Information to an Unauthorized Actor in WordPress
CVE-2023-39999
4.3 - Medium
- October 13, 2023
Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38.
Information Disclosure
Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulne
CVE-2023-38000
5.4 - Medium
- October 13, 2023
Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions.
XSS
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the wp_lang parameter
CVE-2023-2745
5.4 - Medium
- May 17, 2023
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the wp_lang parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.
Directory traversal
WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates
CVE-2023-22622
5.3 - Medium
- January 05, 2023
WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits.
WordPress is affected by an unauthenticated blind SSRF in the pingback feature
CVE-2022-3590
5.9 - Medium
- December 14, 2022
WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
TOCTTOU
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3
CVE-2022-43497
6.1 - Medium
- December 05, 2022
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
XSS
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3
CVE-2022-43500
6.1 - Medium
- December 05, 2022
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.
XSS
Improper authentication vulnerability in WordPress versions prior to 6.0.3
CVE-2022-43504
5.3 - Medium
- December 05, 2022
Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7.
authentification
A flaw exists in Wordpress related to the 'wp-admin/press-this.php 'script improperly checking user permissions when publishing posts
CVE-2011-1762
6.5 - Medium
- April 18, 2022
A flaw exists in Wordpress related to the 'wp-admin/press-this.php 'script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'publish_posts' permission.
Incorrect Default Permissions
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database
CVE-2022-21663
7.2 - High
- January 06, 2022
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.
Marshaling, Unmarshaling
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database
CVE-2022-21664
8.8 - High
- January 06, 2022
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.
SQL Injection
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database
CVE-2022-21661
7.5 - High
- January 06, 2022
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.
SQL Injection
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database
CVE-2022-21662
5.4 - Medium
- January 06, 2022
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.
XSS
WordPress before 5.8 lacks support for the Update URI plugin header
CVE-2021-44223
9.8 - Critical
- November 25, 2021
WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database
CVE-2021-39201
5.4 - Medium
- September 09, 2021
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/wordpress)
XSS
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database
CVE-2021-39200
5.3 - Medium
- September 09, 2021
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can then be used to perform actions on your behalf. This has been patched in WordPress 5.8.1, along with any older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.
Information Disclosure
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database
CVE-2021-39202
5.4 - Medium
- September 09, 2021
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. It was only present during the testing/beta phase of WordPress 5.8.
XSS
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database
CVE-2021-39203
6.5 - Medium
- September 09, 2021
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release.
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname
CVE-2020-36326
9.8 - Critical
- April 28, 2021
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
Marshaling, Unmarshaling
Wordpress is an open source CMS
CVE-2021-29450
4.3 - Medium
- April 15, 2021
Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.
Information Disclosure
Wordpress is an open source CMS
CVE-2021-29447
6.5 - Medium
- April 15, 2021
Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.
XXE
WordPress before 5.5.2 allows CSRF attacks
CVE-2020-28040
4.3 - Medium
- November 02, 2020
WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.
Session Riding
is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2
CVE-2020-28039
9.1 - Critical
- November 02, 2020
is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.
WordPress before 5.5.2
CVE-2020-28038
6.1 - Medium
- November 02, 2020
WordPress before 5.5.2 allows stored XSS via post slugs.
XSS
is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might
CVE-2020-28037
9.8 - Critical
- November 02, 2020
is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).
Improper Check for Unusual or Exceptional Conditions
wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2
CVE-2020-28036
9.8 - Critical
- November 02, 2020
wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.
AuthZ
WordPress before 5.5.2
CVE-2020-28035
9.8 - Critical
- November 02, 2020
WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.
WordPress before 5.5.2
CVE-2020-28034
6.1 - Medium
- November 02, 2020
WordPress before 5.5.2 allows XSS associated with global variables.
XSS
WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by
CVE-2020-28033
7.5 - High
- November 02, 2020
WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
CVE-2020-28032
9.8 - Critical
- November 02, 2020
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
Marshaling, Unmarshaling
In wp-includes/comment-template.php in WordPress before 5.4.2, comments
CVE-2020-25286
5.3 - Medium
- September 13, 2020
In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public.
In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link
CVE-2020-4048
5.7 - Medium
- June 12, 2020
In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
Open Redirect
In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way
CVE-2020-4049
2.4 - Low
- June 12, 2020
In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
XSS
In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved
CVE-2020-4050
3.1 - Low
- June 12, 2020
In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
Authentication Bypass Using an Alternate Path or Channel
In affected versions of WordPress, users with low privileges (like contributors and authors)
CVE-2020-4046
5.4 - Medium
- June 12, 2020
In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
XSS
In affected versions of WordPress
CVE-2020-4047
6.8 - Medium
- June 12, 2020
In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).
Basic XSS
In affected versions of WordPress, a special payload can be crafted
CVE-2020-11030
5.4 - Medium
- April 30, 2020
In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
XSS
In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php
CVE-2020-11029
6.1 - Medium
- April 30, 2020
In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
XSS
In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password
CVE-2020-11027
8.1 - High
- April 30, 2020
In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
Operation on a Resource after Expiration or Release
In affected versions of WordPress, some private posts
CVE-2020-11028
7.5 - High
- April 30, 2020
In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
Missing Authentication for Critical Function
In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section
CVE-2020-11026
5.4 - Medium
- April 30, 2020
In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
XSS
In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer
CVE-2020-11025
5.4 - Medium
- April 30, 2020
In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).
XSS
