Vulnerabilities > Wordpress

DATE CVE VULNERABILITY TITLE RISK
2019-10-17 CVE-2019-17669 Server-Side Request Forgery (SSRF) vulnerability in multiple products
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.
network
low complexity
wordpress debian CWE-918
critical
 9.8
9.8
2019-09-11 CVE-2019-16223 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 allows XSS in post previews by authenticated users.
network
low complexity
wordpress debian CWE-79
5.4
5.4
2019-09-11 CVE-2019-16222 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.
network
low complexity
wordpress debian CWE-79
6.1
6.1
2019-09-11 CVE-2019-16221 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 allows reflected XSS in the dashboard.
network
low complexity
wordpress debian CWE-79
6.1
6.1
2019-09-11 CVE-2019-16220 Open Redirect vulnerability in multiple products
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash.
network
low complexity
wordpress debian CWE-601
6.1
6.1
2019-09-11 CVE-2019-16219 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 allows XSS in shortcode previews.
network
low complexity
wordpress debian CWE-79
6.1
6.1
2019-09-11 CVE-2019-16218 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 allows XSS in stored comments.
network
low complexity
wordpress debian CWE-79
6.1
6.1
2019-09-11 CVE-2019-16217 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.
network
low complexity
wordpress debian CWE-79
6.1
6.1
2019-05-22 CVE-2017-6514 Information Exposure vulnerability in Wordpress 4.7.2
WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring.
network
low complexity
wordpress CWE-200
5.0
5.0
2019-03-14 CVE-2019-9787 Cross-Site Request Forgery (CSRF) vulnerability in Wordpress
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration.
network
wordpress CWE-352
6.8
6.8