Vulnerabilities > Wordpress

DATE CVE VULNERABILITY TITLE RISK
2017-01-15 CVE-2017-5488 Cross-site Scripting vulnerability in Wordpress
Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) version header of a plugin.
network
low complexity
wordpress CWE-79
6.1
2017-01-15 CVE-2017-5487 Information Exposure vulnerability in Wordpress
wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
network
low complexity
wordpress CWE-200
5.3
2017-01-05 CVE-2016-7169 Path Traversal vulnerability in Wordpress
Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter.
network
low complexity
wordpress CWE-22
6.3
2017-01-05 CVE-2016-7168 Cross-site Scripting vulnerability in Wordpress
Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename.
network
low complexity
wordpress CWE-79
4.8
2016-12-30 CVE-2016-10045 Command Injection vulnerability in multiple products
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP.
network
low complexity
phpmailer-project wordpress joomla CWE-77
critical
9.8
2016-12-30 CVE-2016-10033 Argument Injection or Modification vulnerability in multiple products
The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.
network
low complexity
phpmailer-project wordpress joomla CWE-88
critical
9.8
2016-08-07 CVE-2016-6635 Cross-Site Request Forgery (CSRF) vulnerability in Wordpress
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers to hijack the authentication of administrators for requests that change the script compression option.
network
low complexity
wordpress CWE-352
8.8
2016-08-07 CVE-2016-6634 Cross-site Scripting vulnerability in Wordpress
Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
network
low complexity
wordpress CWE-79
6.1
2016-08-07 CVE-2016-4029 Server-Side Request Forgery (SSRF) vulnerability in multiple products
WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address.
network
low complexity
wordpress debian CWE-918
8.6
2016-06-29 CVE-2016-5839 Unspecified vulnerability in Wordpress
WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors.
network
low complexity
wordpress
7.5