Vulnerabilities > Wordpress > Medium

DATE CVE VULNERABILITY TITLE RISK
2017-09-23 CVE-2017-14726 Cross-site Scripting vulnerability in Wordpress
Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.
network
low complexity
wordpress CWE-79
6.1
6.1
2017-09-23 CVE-2017-14725 Open Redirect vulnerability in Wordpress
Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php.
network
low complexity
wordpress CWE-601
5.4
5.4
2017-09-23 CVE-2017-14724 Cross-site Scripting vulnerability in Wordpress
Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.
network
low complexity
wordpress CWE-79
6.1
6.1
2017-09-23 CVE-2017-14721 Cross-site Scripting vulnerability in Wordpress
Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name.
network
low complexity
wordpress CWE-79
6.1
6.1
2017-09-23 CVE-2017-14720 Cross-site Scripting vulnerability in Wordpress
Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name.
network
low complexity
wordpress CWE-79
6.1
6.1
2017-09-23 CVE-2017-14718 Cross-site Scripting vulnerability in Wordpress
Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL.
network
low complexity
wordpress CWE-79
6.1
6.1
2017-05-18 CVE-2017-9063 Cross-site Scripting vulnerability in multiple products
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session.
network
low complexity
wordpress debian CWE-79
6.1
6.1
2017-05-18 CVE-2017-9061 Cross-site Scripting vulnerability in multiple products
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename.
network
low complexity
wordpress debian CWE-79
6.1
6.1
2017-05-04 CVE-2017-8295 Weak Password Recovery Mechanism for Forgotten Password vulnerability in Wordpress
WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server.
network
high complexity
wordpress CWE-640
5.9
5.9
2017-03-12 CVE-2017-6819 Cross-Site Request Forgery (CSRF) vulnerability in Wordpress
In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources.
network
low complexity
wordpress CWE-352
6.5
6.5