Vulnerabilities > Wordpress > Medium

DATE CVE VULNERABILITY TITLE RISK
2019-12-26 CVE-2019-16781 Cross-site Scripting vulnerability in multiple products
In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard.
network
low complexity
wordpress debian CWE-79
5.4
2019-12-26 CVE-2019-16780 Cross-site Scripting vulnerability in multiple products
WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard.
network
low complexity
wordpress debian CWE-79
5.4
2019-10-17 CVE-2019-17674 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer.
network
low complexity
wordpress debian CWE-79
5.4
2019-10-17 CVE-2019-17672 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.
network
low complexity
wordpress debian CWE-79
6.1
2019-10-17 CVE-2019-17671 Information Exposure vulnerability in multiple products
In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.
network
low complexity
wordpress debian CWE-200
5.3
2019-09-11 CVE-2019-16223 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 allows XSS in post previews by authenticated users.
network
low complexity
wordpress debian CWE-79
5.4
2019-09-11 CVE-2019-16222 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.
network
low complexity
wordpress debian CWE-79
6.1
2019-09-11 CVE-2019-16221 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 allows reflected XSS in the dashboard.
network
low complexity
wordpress debian CWE-79
6.1
2019-09-11 CVE-2019-16220 Open Redirect vulnerability in multiple products
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash.
network
low complexity
wordpress debian CWE-601
6.1
2019-09-11 CVE-2019-16219 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 allows XSS in shortcode previews.
network
low complexity
wordpress debian CWE-79
6.1