Filtered by vendor Wordpress
Subscribe
Total
620 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2017-6819 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This. | |||||
CVE-2016-7168 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 3.5 LOW | 4.8 MEDIUM |
Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename. | |||||
CVE-2017-5610 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms. | |||||
CVE-2017-5488 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) version header of a plugin. | |||||
CVE-2017-5487 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request. | |||||
CVE-2017-9066 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2023-12-10 | 5.0 MEDIUM | 8.6 HIGH |
In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. | |||||
CVE-2017-5611 | 3 Debian, Oracle, Wordpress | 3 Debian Linux, Data Integrator, Wordpress | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name. | |||||
CVE-2016-6897 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896. | |||||
CVE-2016-10045 | 3 Joomla, Phpmailer Project, Wordpress | 3 Joomla\!, Phpmailer, Wordpress | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033. | |||||
CVE-2017-5491 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name. | |||||
CVE-2017-5612 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt. | |||||
CVE-2017-5493 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup. | |||||
CVE-2017-9062 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2023-12-10 | 5.0 MEDIUM | 8.6 HIGH |
In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. | |||||
CVE-2017-6818 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. | |||||
CVE-2017-6815 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2023-12-10 | 5.8 MEDIUM | 6.1 MEDIUM |
In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation. | |||||
CVE-2017-6817 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds. | |||||
CVE-2017-5489 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload. | |||||
CVE-2016-6896 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 5.5 MEDIUM | 7.1 HIGH |
Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool. | |||||
CVE-2017-9065 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. | |||||
CVE-2016-7169 | 1 Wordpress | 1 Wordpress | 2023-12-10 | 6.5 MEDIUM | 6.3 MEDIUM |
Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter. |