Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Wordpress
(Wordpress)| Repositories |
• https://github.com/WordPress/WordPress
• https://github.com/johndyer/mediaelement • https://github.com/moxiecode/moxieplayer • https://github.com/moxiecode/plupload |
| #Vulnerabilities | 351 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2017-09-23 | CVE-2017-14723 | Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks. | Wordpress | 9.8 | ||
| 2017-09-23 | CVE-2017-14722 | Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename. | Wordpress | 7.5 | ||
| 2017-09-23 | CVE-2017-14721 | Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name. | Wordpress | 6.1 | ||
| 2017-09-23 | CVE-2017-14720 | Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. | Wordpress | 6.1 | ||
| 2017-09-23 | CVE-2017-14719 | Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components. | Wordpress | 7.5 | ||
| 2017-09-23 | CVE-2017-14718 | Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL. | Wordpress | 6.1 | ||
| 2018-09-06 | CVE-2017-1000600 | WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. This issue appears to have been partially, but not completely fixed in WordPress 4.9 | Wordpress | 8.8 | ||
| 2017-10-12 | CVE-2016-9263 | WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file. | Wordpress | 4.7 | ||
| 2017-01-05 | CVE-2016-7169 | Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter. | Wordpress | 6.3 | ||
| 2017-01-05 | CVE-2016-7168 | Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename. | Wordpress | 4.8 |