Vulnerabilities > Wordpress > Medium

DATE CVE VULNERABILITY TITLE RISK
2020-09-13 CVE-2020-25286 Unspecified vulnerability in Wordpress
In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public.
network
low complexity
wordpress
5.3
2020-06-12 CVE-2020-4048 In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked.
network
low complexity
wordpress fedoraproject debian
5.7
2020-06-12 CVE-2020-4047 In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way.
network
low complexity
wordpress fedoraproject debian
6.8
2020-06-12 CVE-2020-4046 Cross-site Scripting vulnerability in multiple products
In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor.
network
low complexity
wordpress debian fedoraproject CWE-79
5.4
2020-04-30 CVE-2020-11030 Cross-site Scripting vulnerability in multiple products
In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor.
network
low complexity
wordpress debian CWE-79
5.4
2020-04-30 CVE-2020-11029 Cross-site Scripting vulnerability in multiple products
In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks.
network
low complexity
debian wordpress CWE-79
6.1
2020-04-30 CVE-2020-11026 Cross-site Scripting vulnerability in multiple products
In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file.
network
low complexity
wordpress debian CWE-79
5.4
2020-04-30 CVE-2020-11025 Cross-site Scripting vulnerability in multiple products
In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed.
network
low complexity
wordpress debian CWE-79
5.4
2019-12-27 CVE-2019-20043 Improper Privilege Management vulnerability in multiple products
In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API.
network
low complexity
wordpress debian CWE-269
4.3
2019-12-27 CVE-2019-20042 Cross-site Scripting vulnerability in multiple products
In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability.
network
low complexity
wordpress debian CWE-79
6.1