Total
577 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-9066 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2023-12-10 | 5.0 MEDIUM | 8.6 HIGH |
In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. | |||||
CVE-2017-5611 | 3 Debian, Oracle, Wordpress | 3 Debian Linux, Data Integrator, Wordpress | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name. | |||||
CVE-2016-6897 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896. | |||||
CVE-2016-10045 | 3 Joomla, Phpmailer Project, Wordpress | 3 Joomla\!, Phpmailer, Wordpress | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033. | |||||
CVE-2017-5491 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name. | |||||
CVE-2017-5612 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt. | |||||
CVE-2017-5493 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup. | |||||
CVE-2017-9062 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2023-12-10 | 5.0 MEDIUM | 8.6 HIGH |
In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. | |||||
CVE-2017-6818 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. | |||||
CVE-2017-6815 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2023-12-10 | 5.8 MEDIUM | 6.1 MEDIUM |
In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation. | |||||
CVE-2017-6817 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds. | |||||
CVE-2017-5489 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload. | |||||
CVE-2016-6896 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 5.5 MEDIUM | 7.1 HIGH |
Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool. | |||||
CVE-2017-9065 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. | |||||
CVE-2016-7169 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 6.5 MEDIUM | 6.3 MEDIUM |
Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter. | |||||
CVE-2017-6816 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2023-12-10 | 5.5 MEDIUM | 4.9 MEDIUM |
In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality. | |||||
CVE-2017-9064 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials. | |||||
CVE-2017-9061 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename. | |||||
CVE-2017-1001000 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI. | |||||
CVE-2017-5490 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php. |