Vulnerabilities > Wordpress

DATE CVE VULNERABILITY TITLE RISK
2019-09-11 CVE-2019-16222 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.
network
low complexity
wordpress debian CWE-79
6.1
6.1
2019-09-11 CVE-2019-16221 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 allows reflected XSS in the dashboard.
network
low complexity
wordpress debian CWE-79
6.1
6.1
2019-09-11 CVE-2019-16220 Open Redirect vulnerability in multiple products
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash.
network
low complexity
wordpress debian CWE-601
6.1
6.1
2019-09-11 CVE-2019-16219 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 allows XSS in shortcode previews.
network
low complexity
wordpress debian CWE-79
6.1
6.1
2019-09-11 CVE-2019-16218 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 allows XSS in stored comments.
network
low complexity
wordpress debian CWE-79
6.1
6.1
2019-09-11 CVE-2019-16217 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.
network
low complexity
wordpress debian CWE-79
6.1
6.1
2019-05-22 CVE-2017-6514 Information Exposure vulnerability in Wordpress 4.7.2
WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring.
network
low complexity
wordpress CWE-200
5.3
5.3
2019-03-14 CVE-2019-9787 Cross-Site Request Forgery (CSRF) vulnerability in Wordpress
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration.
network
low complexity
wordpress CWE-352
8.8
8.8
2019-02-20 CVE-2019-8943 Path Traversal vulnerability in Wordpress
WordPress through 5.0.3 allows Path Traversal in wp_crop_image().
network
low complexity
wordpress CWE-22
6.5
6.5
2019-02-20 CVE-2019-8942 Unrestricted Upload of File with Dangerous Type vulnerability in multiple products
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring.
network
low complexity
wordpress debian CWE-434
8.8
8.8