Vulnerabilities > Wordpress > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-09-11 | CVE-2019-16220 | Open Redirect vulnerability in multiple products In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash. | 6.1 |
| 2019-09-11 | CVE-2019-16219 | Cross-site Scripting vulnerability in multiple products WordPress before 5.2.3 allows XSS in shortcode previews. | 6.1 |
| 2019-09-11 | CVE-2019-16218 | Cross-site Scripting vulnerability in multiple products WordPress before 5.2.3 allows XSS in stored comments. | 6.1 |
| 2019-09-11 | CVE-2019-16217 | Cross-site Scripting vulnerability in multiple products WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. | 6.1 |
| 2019-05-22 | CVE-2017-6514 | Information Exposure vulnerability in Wordpress 4.7.2 WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring. | 5.3 |
| 2019-02-20 | CVE-2019-8943 | Path Traversal vulnerability in Wordpress WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). | 6.5 |
| 2018-12-14 | CVE-2018-20153 | Cross-site Scripting vulnerability in multiple products In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. | 5.4 |
| 2018-12-14 | CVE-2018-20152 | Improper Input Validation vulnerability in multiple products In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. | 6.5 |
| 2018-12-14 | CVE-2018-20150 | Cross-site Scripting vulnerability in multiple products In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. | 6.1 |
| 2018-12-14 | CVE-2018-20149 | Cross-site Scripting vulnerability in multiple products In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data. | 5.4 |