Vulnerabilities > Wordpress > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-02-06 | CVE-2018-6389 | Resource Exhaustion vulnerability in Wordpress In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times. | 7.5 |
| 2017-12-02 | CVE-2017-17091 | Use of Insufficiently Random Values vulnerability in Wordpress wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string. | 8.8 |
| 2017-10-19 | CVE-2012-6707 | Inadequate Encryption Strength vulnerability in Wordpress WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. | 7.5 |
| 2017-09-23 | CVE-2017-14722 | Path Traversal vulnerability in Wordpress Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename. | 7.5 |
| 2017-09-23 | CVE-2017-14719 | Path Traversal vulnerability in Wordpress Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components. | 7.5 |
| 2017-05-18 | CVE-2017-9066 | Server-Side Request Forgery (SSRF) vulnerability in multiple products In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. | 8.6 |
| 2017-05-18 | CVE-2017-9065 | Improper Input Validation vulnerability in multiple products In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. | 7.5 |
| 2017-05-18 | CVE-2017-9064 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials. | 8.8 |
| 2017-05-18 | CVE-2017-9062 | Open Redirect vulnerability in multiple products In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. | 8.6 |
| 2017-04-03 | CVE-2017-1001000 | Unspecified vulnerability in Wordpress 4.7/4.7.1/4.7.2 The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI. | 7.5 |