Date Id Summary Products Score Patch Annotated
2018-11-16 CVE-2018-19296 PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. Debian_linux, Fedora, Phpmailer, Wordpress 8.8
2019-12-26 CVE-2019-16780 WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly... Debian_linux, Wordpress 5.4
2019-12-27 CVE-2019-20041 wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring. Debian_linux, Wordpress 9.8
2019-10-17 CVE-2019-17670 WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs. Debian_linux, Wordpress 9.8
2021-04-15 CVE-2021-29447 Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled. Debian_linux, Wordpress 6.5
2022-10-17 CVE-2020-35539 A flaw was found in Wordpress 5.1. "X-Forwarded-For" is a HTTP header used to carry the client's original IP address. However, because these headers may very well be added by the client to the requests, if the systems/devices use IP addresses which decelerate at X-Forwarded-For header instead of original IP, various issues may be faced. If the data originating from these fields is trusted by the application developers and processed, any authorization checks originating IP address logging... Wordpress 9.8
2019-09-11 CVE-2019-16223 WordPress before 5.2.3 allows XSS in post previews by authenticated users. Debian_linux, Wordpress 5.4
2021-09-09 CVE-2021-39203 WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release. Wordpress 6.5
2022-01-06 CVE-2022-21663 WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. Debian_linux, Fedora, Wordpress 7.2
2020-11-02 CVE-2020-28038 WordPress before 5.5.2 allows stored XSS via post slugs. Debian_linux, Fedora, Wordpress 6.1