Vulnerabilities > Wordpress

DATE CVE VULNERABILITY TITLE RISK
2020-11-02 CVE-2020-28037 Improper Check for Unusual or Exceptional Conditions vulnerability in multiple products
is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).
network
low complexity
wordpress fedoraproject debian CWE-754
critical
9.8
2020-11-02 CVE-2020-28036 Missing Authorization vulnerability in multiple products
wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.
network
low complexity
wordpress fedoraproject debian CWE-862
critical
9.8
2020-11-02 CVE-2020-28035 WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.
network
low complexity
wordpress fedoraproject debian
critical
9.8
2020-11-02 CVE-2020-28034 Cross-site Scripting vulnerability in multiple products
WordPress before 5.5.2 allows XSS associated with global variables.
network
low complexity
wordpress fedoraproject debian CWE-79
6.1
2020-11-02 CVE-2020-28033 WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.
network
low complexity
wordpress fedoraproject debian
7.5
2020-11-02 CVE-2020-28032 Deserialization of Untrusted Data vulnerability in multiple products
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
network
low complexity
wordpress fedoraproject debian CWE-502
critical
9.8
2020-09-13 CVE-2020-25286 Unspecified vulnerability in Wordpress
In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public.
network
low complexity
wordpress
5.0
2020-06-12 CVE-2020-4050 Authentication Bypass Using an Alternate Path or Channel vulnerability in multiple products
In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved.
network
high complexity
wordpress fedoraproject debian CWE-288
3.1
2020-06-12 CVE-2020-4049 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in multiple products
In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page.
network
low complexity
wordpress fedoraproject debian CWE-80
2.4
2020-06-12 CVE-2020-4048 Open Redirect vulnerability in multiple products
In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked.
network
low complexity
wordpress fedoraproject debian CWE-601
5.7