Vulnerabilities > Wordpress > Medium

DATE CVE VULNERABILITY TITLE RISK
2017-01-15 CVE-2017-5487 Information Exposure vulnerability in Wordpress
wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.
network
low complexity
wordpress CWE-200
5.3
2017-01-05 CVE-2016-7169 Path Traversal vulnerability in Wordpress
Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter.
network
low complexity
wordpress CWE-22
6.3
2017-01-05 CVE-2016-7168 Cross-site Scripting vulnerability in Wordpress
Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename.
network
low complexity
wordpress CWE-79
4.8
2016-08-07 CVE-2016-6634 Cross-site Scripting vulnerability in Wordpress
Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
network
low complexity
wordpress CWE-79
6.1
2016-06-29 CVE-2016-5834 Cross-site Scripting vulnerability in Wordpress
Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833.
network
low complexity
wordpress CWE-79
6.1
2016-06-29 CVE-2016-5833 Cross-site Scripting vulnerability in Wordpress
Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834.
network
low complexity
wordpress CWE-79
6.1
2016-05-22 CVE-2016-4567 Cross-site Scripting vulnerability in multiple products
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn."
network
low complexity
mediaelementjs wordpress CWE-79
6.1
2016-05-22 CVE-2016-4566 Cross-site Scripting vulnerability in multiple products
Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack.
network
low complexity
wordpress plupload CWE-79
6.1
2016-05-22 CVE-2016-1564 Cross-site Scripting vulnerability in Wordpress
Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php.
network
low complexity
wordpress CWE-79
6.1
2016-05-22 CVE-2015-8834 Cross-site Scripting vulnerability in Wordpress
Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type.
network
low complexity
wordpress CWE-79
6.1