Vulnerabilities (CVE)

Filtered by vendor Wordpress Subscribe
Filtered by product Wordpress
Total 578 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-16780 2 Debian, Wordpress 2 Debian Linux, Wordpress 2022-11-23 3.5 LOW 5.4 MEDIUM
WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.
CVE-2019-20041 2 Debian, Wordpress 2 Debian Linux, Wordpress 2022-11-23 7.5 HIGH 9.8 CRITICAL
wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.
CVE-2019-17670 2 Debian, Wordpress 2 Debian Linux, Wordpress 2022-11-07 7.5 HIGH 9.8 CRITICAL
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.
CVE-2021-29447 2 Debian, Wordpress 2 Debian Linux, Wordpress 2022-10-27 4.0 MEDIUM 6.5 MEDIUM
Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.
CVE-2020-35539 1 Wordpress 1 Wordpress 2022-10-19 N/A 9.8 CRITICAL
A flaw was found in Wordpress 5.1. "X-Forwarded-For" is a HTTP header used to carry the client's original IP address. However, because these headers may very well be added by the client to the requests, if the systems/devices use IP addresses which decelerate at X-Forwarded-For header instead of original IP, various issues may be faced. If the data originating from these fields is trusted by the application developers and processed, any authorization checks originating IP address logging could be manipulated.
CVE-2019-16223 2 Debian, Wordpress 2 Debian Linux, Wordpress 2022-10-07 3.5 LOW 5.4 MEDIUM
WordPress before 5.2.3 allows XSS in post previews by authenticated users.
CVE-2014-2265 2 Rocklobster, Wordpress 2 Contact Form 7, Wordpress 2022-09-27 5.0 MEDIUM N/A
Rock Lobster Contact Form 7 before 3.7.2 allows remote attackers to bypass the CAPTCHA protection mechanism and submit arbitrary form data by omitting the _wpcf7_captcha_challenge_captcha-719 parameter.
CVE-2021-39203 1 Wordpress 1 Wordpress 2022-08-05 6.0 MEDIUM 6.5 MEDIUM
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release.
CVE-2022-21663 3 Debian, Fedoraproject, Wordpress 3 Debian Linux, Fedora, Wordpress 2022-07-28 6.5 MEDIUM 7.2 HIGH
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.
CVE-2020-28039 3 Canonical, Debian, Wordpress 3 Ubuntu Linux, Debian Linux, Wordpress 2022-06-29 6.4 MEDIUM 9.1 CRITICAL
is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.
CVE-2020-28040 3 Canonical, Debian, Wordpress 3 Ubuntu Linux, Debian Linux, Wordpress 2022-06-29 4.3 MEDIUM 4.3 MEDIUM
WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.
CVE-2020-28034 3 Debian, Fedoraproject, Wordpress 3 Debian Linux, Fedora, Wordpress 2022-06-29 4.3 MEDIUM 6.1 MEDIUM
WordPress before 5.5.2 allows XSS associated with global variables.
CVE-2020-28038 3 Debian, Fedoraproject, Wordpress 3 Debian Linux, Fedora, Wordpress 2022-06-29 4.3 MEDIUM 6.1 MEDIUM
WordPress before 5.5.2 allows stored XSS via post slugs.
CVE-2020-28032 3 Debian, Fedoraproject, Wordpress 3 Debian Linux, Fedora, Wordpress 2022-06-29 7.5 HIGH 9.8 CRITICAL
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
CVE-2020-28033 3 Debian, Fedoraproject, Wordpress 3 Debian Linux, Fedora, Wordpress 2022-06-29 5.0 MEDIUM 7.5 HIGH
WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.
CVE-2020-28036 3 Debian, Fedoraproject, Wordpress 3 Debian Linux, Fedora, Wordpress 2022-04-28 7.5 HIGH 9.8 CRITICAL
wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.
CVE-2020-28037 3 Debian, Fedoraproject, Wordpress 3 Debian Linux, Fedora, Wordpress 2022-04-28 7.5 HIGH 9.8 CRITICAL
is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).
CVE-2020-28035 3 Debian, Fedoraproject, Wordpress 3 Debian Linux, Fedora, Wordpress 2022-04-28 7.5 HIGH 9.8 CRITICAL
WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.
CVE-2011-1762 1 Wordpress 1 Wordpress 2022-04-25 4.0 MEDIUM 6.5 MEDIUM
A flaw exists in Wordpress related to the 'wp-admin/press-this.php 'script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'publish_posts' permission.
CVE-2022-21664 3 Debian, Fedoraproject, Wordpress 3 Debian Linux, Fedora, Wordpress 2022-04-12 6.5 MEDIUM 8.8 HIGH
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.