Vulnerabilities > WordPress > High
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2017-01-18 | CVE-2016-6896 | Path Traversal vulnerability in WordPress 4.5.3 | Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. | 7.1 |
2017-01-15 | CVE-2017-5493 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in WordPress | wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup. | 7.5 |
2017-01-15 | CVE-2017-5492 | Cross-Site Request Forgery (CSRF) vulnerability in WordPress | Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php. | 8.8 |
2017-01-15 | CVE-2017-5489 | Cross-Site Request Forgery (CSRF) vulnerability in WordPress | Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload. | 8.8 |
2016-08-07 | CVE-2016-6635 | Cross-Site Request Forgery (CSRF) vulnerability in WordPress | Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers to hijack the authentication of administrators for requests that change the script compression option. | 8.8 |
2016-08-07 | CVE-2016-4029 | Server-Side Request Forgery (SSRF) vulnerability in multiple products | WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address. | 8.6 |
2016-06-29 | CVE-2016-5839 | Unspecified vulnerability in WordPress | WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors. | 7.5 |
2016-06-29 | CVE-2016-5838 | Credentials Management vulnerability in WordPress | WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie. | 7.5 |
2016-06-29 | CVE-2016-5837 | Unspecified vulnerability in WordPress | WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors. | 7.5 |
2016-06-29 | CVE-2016-5836 | Unspecified vulnerability in WordPress | The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors. | 7.5 |