Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Wordpress
(Wordpress)| Repositories |
• https://github.com/WordPress/WordPress
• https://github.com/johndyer/mediaelement • https://github.com/moxiecode/moxieplayer • https://github.com/moxiecode/plupload |
| #Vulnerabilities | 349 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-04-30 | CVE-2020-11027 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | Debian_linux, Wordpress | 8.1 | ||
| 2020-04-30 | CVE-2020-11026 | In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | Debian_linux, Wordpress | 5.4 | ||
| 2020-04-30 | CVE-2020-11029 | In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). | Debian_linux, Wordpress | 6.1 | ||
| 2019-10-17 | CVE-2019-17669 | WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters. | Debian_linux, Wordpress | 9.8 | ||
| 2019-10-17 | CVE-2019-17671 | In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled. | Debian_linux, Wordpress | 5.3 | ||
| 2019-10-17 | CVE-2019-17672 | WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements. | Debian_linux, Wordpress | 6.1 | ||
| 2019-10-17 | CVE-2019-17674 | WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer. | Debian_linux, Wordpress | 5.4 | ||
| 2019-10-17 | CVE-2019-17675 | WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF. | Debian_linux, Wordpress | 8.8 | ||
| 2022-12-05 | CVE-2022-43497 | Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7. | Wordpress | 6.1 | ||
| 2022-12-05 | CVE-2022-43500 | Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7. | Wordpress | 6.1 |