Vulnerabilities > WordPress > Low
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2017-12-02 | CVE-2017-17094 | Cross-site Scripting vulnerability in WordPress: wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL. | 3.5 |
2017-10-12 | CVE-2016-9263 | Improper Input Validation vulnerability in WordPress: WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file. | 2.6 |
2017-03-12 | CVE-2017-6814 | Cross-site Scripting vulnerability in WordPress: In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. | 3.5 |
2017-03-12 | CVE-2017-6817 | Cross-site Scripting vulnerability in WordPress: In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds. | 3.5 |
2017-01-05 | CVE-2016-7168 | Cross-site Scripting vulnerability in WordPress: Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename. | 3.5 |
2016-05-22 | CVE-2015-7989 | Cross-site Scripting vulnerability in WordPress: Cross-site scripting (XSS) vulnerability in the user list table in WordPress before 4.3.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted e-mail address, a different vulnerability than CVE-2015-5714. | 3.5 |
2015-08-03 | CVE-2015-5622 | Cross-site Scripting vulnerability in multiple products: Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.php. | 3.5 |
2014-08-18 | CVE-2014-5240 | Cross-Site Scripting vulnerability in multiple products: Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL. | 2.1 |
2014-01-21 | CVE-2010-5297 | Permissions, Privileges, and Access Controls vulnerability in WordPress: WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add action after a temporary change. | 2.1 |
2013-09-12 | CVE-2013-4340 | Permissions, Privileges, and Access Controls vulnerability in WordPress: wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter. | 3.5 |