Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Wordpress
(Wordpress)| Repositories |
• https://github.com/WordPress/WordPress
• https://github.com/johndyer/mediaelement • https://github.com/moxiecode/moxieplayer • https://github.com/moxiecode/plupload |
| #Vulnerabilities | 351 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2017-09-23 | CVE-2017-14721 | Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name. | Wordpress | 6.1 | ||
| 2017-09-23 | CVE-2017-14720 | Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. | Wordpress | 6.1 | ||
| 2017-09-23 | CVE-2017-14719 | Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components. | Wordpress | 7.5 | ||
| 2017-09-23 | CVE-2017-14718 | Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL. | Wordpress | 6.1 | ||
| 2018-09-06 | CVE-2017-1000600 | WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. This issue appears to have been partially, but not completely fixed in WordPress 4.9 | Wordpress | 8.8 | ||
| 2017-10-12 | CVE-2016-9263 | WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file. | Wordpress | 4.7 | ||
| 2017-01-05 | CVE-2016-7169 | Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter. | Wordpress | 6.3 | ||
| 2017-01-05 | CVE-2016-7168 | Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename. | Wordpress | 4.8 | ||
| 2017-01-18 | CVE-2016-6897 | Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896. | Wordpress | 6.5 | ||
| 2017-01-18 | CVE-2016-6896 | Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool. | Wordpress | 7.1 |