| 2020-09-13 | CVE-2020-25286 | Unspecified vulnerability in Wordpress
In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public. | 5.3 |
| 2020-06-12 | CVE-2020-4050 | In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. | 3.1 |
| 2020-06-12 | CVE-2020-4049 | In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. | 2.4 |
| 2020-06-12 | CVE-2020-4048 | In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. | 5.7 |
| 2020-06-12 | CVE-2020-4047 | In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. | 6.8 |
| 2020-06-12 | CVE-2020-4046 | Cross-site Scripting vulnerability in multiple products
In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. | 5.4 |
| 2020-04-30 | CVE-2020-11030 | Cross-site Scripting vulnerability in multiple products
In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. | 5.4 |
| 2020-04-30 | CVE-2020-11029 | Cross-site Scripting vulnerability in multiple products
In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. | 6.1 |
| 2020-04-30 | CVE-2020-11028 | Missing Authentication for Critical Function vulnerability in multiple products
In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. | 7.5 |
| 2020-04-30 | CVE-2020-11027 | In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. | 8.1 |