Filtered by vendor Wordpress
Subscribe
Search
Total
86 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-6818 | 1 Wordpress | 1 Wordpress | 2019-03-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. | |||||
| CVE-2017-9061 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename. | |||||
| CVE-2017-9063 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-15 | 4.3 MEDIUM | 6.1 MEDIUM |
| In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session. | |||||
| CVE-2018-10101 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-07 | 5.8 MEDIUM | 6.1 MEDIUM |
| Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. | |||||
| CVE-2018-20152 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. | |||||
| CVE-2018-20153 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-04 | 3.5 LOW | 5.4 MEDIUM |
| In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. | |||||
| CVE-2018-20150 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. | |||||
| CVE-2018-20149 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2019-03-04 | 3.5 LOW | 5.4 MEDIUM |
| In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data. | |||||
| CVE-2018-10102 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2018-05-18 | 4.3 MEDIUM | 6.1 MEDIUM |
| Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. | |||||
| CVE-2018-10100 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2018-05-18 | 5.8 MEDIUM | 6.1 MEDIUM |
| Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. | |||||
| CVE-2018-5776 | 1 Wordpress | 1 Wordpress | 2018-02-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). | |||||
| CVE-2017-14725 | 1 Wordpress | 1 Wordpress | 2017-11-10 | 4.9 MEDIUM | 5.4 MEDIUM |
| Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php. | |||||
| CVE-2017-14726 | 1 Wordpress | 1 Wordpress | 2017-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor. | |||||
| CVE-2017-14724 | 1 Wordpress | 1 Wordpress | 2017-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. | |||||
| CVE-2017-14721 | 1 Wordpress | 1 Wordpress | 2017-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name. | |||||
| CVE-2017-14720 | 1 Wordpress | 1 Wordpress | 2017-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. | |||||
| CVE-2017-14718 | 1 Wordpress | 1 Wordpress | 2017-11-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL. | |||||
| CVE-2016-1564 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php. | |||||
| CVE-2015-7989 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the user list table in WordPress before 4.3.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted e-mail address, a different vulnerability than CVE-2015-5714. | |||||
| CVE-2015-5715 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 4.0 MEDIUM | 4.3 MEDIUM |
| The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in the XMLRPC subsystem in WordPress before 4.3.1 allows remote authenticated users to bypass intended access restrictions, and arrange for a private post to be published and sticky, via unspecified vectors. | |||||
| CVE-2016-7169 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 6.5 MEDIUM | 6.3 MEDIUM |
| Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter. | |||||
| CVE-2016-7168 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename. | |||||
| CVE-2016-6634 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2015-5714 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the mishandling of unclosed HTML elements during processing of shortcode tags. | |||||
| CVE-2017-5490 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php. | |||||
| CVE-2017-5488 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) version header of a plugin. | |||||
| CVE-2017-8295 | 1 Wordpress | 1 Wordpress | 2017-11-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message. | |||||
| CVE-2016-9263 | 1 Wordpress | 1 Wordpress | 2017-10-26 | 2.6 LOW | 4.7 MEDIUM |
| WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file. | |||||
| CVE-2016-6897 | 1 Wordpress | 1 Wordpress | 2017-09-03 | 4.3 MEDIUM | 6.5 MEDIUM |
| Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896. | |||||
| CVE-2017-5487 | 1 Wordpress | 1 Wordpress | 2017-09-01 | 5.0 MEDIUM | 5.3 MEDIUM |
| wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request. | |||||
| CVE-2016-10148 | 1 Wordpress | 1 Wordpress | 2017-03-16 | 4.0 MEDIUM | 4.3 MEDIUM |
| The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896. | |||||
| CVE-2016-4567 | 2 Mediaelementjs, Wordpress | 2 Mediaelement.js, Wordpress | 2016-12-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn." | |||||
| CVE-2016-4566 | 2 Plupload, Wordpress | 2 Plupload, Wordpress | 2016-12-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack. | |||||
| CVE-2016-5833 | 1 Wordpress | 1 Wordpress | 2016-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834. | |||||
| CVE-2016-5834 | 1 Wordpress | 1 Wordpress | 2016-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833. | |||||
| CVE-2015-8834 | 1 Wordpress | 1 Wordpress | 2016-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3440. | |||||