DATE        CVE             VULNERABILITY TITLE                                                                  RISK

2018-08-10  CVE-2018-14028  Unrestricted Upload of File with Dangerous Type vulnerability in WordPress 4.9.7       7.2
    In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files.
    Attack vector: network. Attack complexity: low. Products: wordpress. Weakness: CWE-434.

2018-06-26  CVE-2018-12895  Path Traversal vulnerability in multiple products                                     8.8
    WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file.
    Attack vector: network. Attack complexity: low. Products: wordpress, debian. Weakness: CWE-22.

2018-04-16  CVE-2018-10102  Cross-site Scripting vulnerability in multiple products                               6.1
    Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.
    Attack vector: network. Attack complexity: low. Products: wordpress, debian. Weakness: CWE-79.

2018-04-16  CVE-2018-10101  Open Redirect vulnerability in multiple products                                      6.1
    Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.
    Attack vector: network. Attack complexity: low. Products: wordpress, debian. Weakness: CWE-601.

2018-04-16  CVE-2018-10100  Open Redirect vulnerability in multiple products                                      6.1
    Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.
    Attack vector: network. Attack complexity: low. Products: wordpress, debian. Weakness: CWE-601.

2018-04-12  CVE-2014-6412   Weak Password Recovery Mechanism for Forgotten Password vulnerability in WordPress    8.1
    WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.
    Attack vector: network. Attack complexity: high. Products: wordpress. Weakness: CWE-640.

2018-02-06  CVE-2018-6389   Resource Exhaustion vulnerability in WordPress                                        7.5
    In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.
    Attack vector: network. Attack complexity: low. Products: wordpress. Weakness: CWE-400.

2018-01-18  CVE-2018-5776   Cross-site Scripting vulnerability in WordPress                                       6.1
    WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).
    Attack vector: network. Attack complexity: low. Products: wordpress. Weakness: CWE-79.

2017-12-02  CVE-2017-17094  Cross-site Scripting vulnerability in multiple products                               5.4
    wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.
    Attack vector: network. Attack complexity: low. Products: wordpress, debian. Weakness: CWE-79.

2017-12-02  CVE-2017-17093  Cross-site Scripting vulnerability in multiple products                               5.4
    wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.
    Attack vector: network. Attack complexity: low. Products: wordpress, debian. Weakness: CWE-79.