Vulnerabilities > Wordpress > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2019-09-11 | CVE-2019-16218 | Cross-site Scripting vulnerability in multiple products. WordPress before 5.2.3 allows XSS in stored comments. | 6.1 |
2019-09-11 | CVE-2019-16217 | Cross-site Scripting vulnerability in multiple products. WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. | 6.1 |
2019-05-22 | CVE-2017-6514 | Information Exposure vulnerability in WordPress 4.7.2. WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring. | 5.3 |
2019-02-20 | CVE-2019-8943 | Path Traversal vulnerability in WordPress. WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). | 6.5 |
2018-12-14 | CVE-2018-20153 | Cross-site Scripting vulnerability in multiple products. In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. | 5.4 |
2018-12-14 | CVE-2018-20152 | Improper Input Validation vulnerability in multiple products. In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. | 6.5 |
2018-12-14 | CVE-2018-20150 | Cross-site Scripting vulnerability in multiple products. In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. | 6.1 |
2018-12-14 | CVE-2018-20149 | Cross-site Scripting vulnerability in multiple products. In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data. | 5.4 |
2018-12-14 | CVE-2018-20147 | Incorrect Authorization vulnerability in multiple products. In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files. | 6.5 |
2018-04-16 | CVE-2018-10102 | Cross-site Scripting vulnerability in multiple products. Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. | 6.1 |