Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Wordpress
(Wordpress)| Repositories |
• https://github.com/WordPress/WordPress
• https://github.com/johndyer/mediaelement • https://github.com/moxiecode/moxieplayer • https://github.com/moxiecode/plupload |
| #Vulnerabilities | 349 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-06-12 | CVE-2020-4049 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34). | Debian_linux, Fedora, Wordpress | 2.4 | ||
| 2020-06-12 | CVE-2020-4050 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31,... | Debian_linux, Fedora, Wordpress | 3.1 | ||
| 2020-11-02 | CVE-2020-28032 | WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php. | Debian_linux, Fedora, Wordpress | 9.8 | ||
| 2020-11-02 | CVE-2020-28033 | WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed. | Debian_linux, Fedora, Wordpress | 7.5 | ||
| 2020-11-02 | CVE-2020-28034 | WordPress before 5.5.2 allows XSS associated with global variables. | Debian_linux, Fedora, Wordpress | 6.1 | ||
| 2020-11-02 | CVE-2020-28035 | WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC. | Debian_linux, Fedora, Wordpress | 9.8 | ||
| 2020-11-02 | CVE-2020-28036 | wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post. | Debian_linux, Fedora, Wordpress | 9.8 | ||
| 2020-11-02 | CVE-2020-28037 | is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation). | Debian_linux, Fedora, Wordpress | 9.8 | ||
| 2020-11-02 | CVE-2020-28038 | WordPress before 5.5.2 allows stored XSS via post slugs. | Debian_linux, Fedora, Wordpress | 6.1 | ||
| 2020-11-02 | CVE-2020-28039 | is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected. | Ubuntu_linux, Debian_linux, Wordpress | 9.1 |