Vulnerabilities > Wordpress > Wordpress > 4.0.19
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-09-13 | CVE-2020-25286 | Unspecified vulnerability in Wordpress In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public. | 5.0 |
2020-06-12 | CVE-2020-4050 | Authentication Bypass Using an Alternate Path or Channel vulnerability in multiple products In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. | 3.1 |
2020-06-12 | CVE-2020-4049 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in multiple products In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. | 2.4 |
2020-06-12 | CVE-2020-4048 | Open Redirect vulnerability in multiple products In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. | 5.7 |
2020-06-12 | CVE-2020-4047 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in multiple products In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. | 6.8 |
2020-06-12 | CVE-2020-4046 | Cross-site Scripting vulnerability in multiple products In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. | 5.4 |
2020-04-30 | CVE-2020-11030 | Cross-site Scripting vulnerability in multiple products In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. | 3.5 |
2020-04-30 | CVE-2020-11029 | Cross-site Scripting vulnerability in multiple products In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. | 6.1 |
2020-04-30 | CVE-2020-11028 | Missing Authentication for Critical Function vulnerability in multiple products In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. | 4.3 |
2020-04-30 | CVE-2020-11027 | Operation on a Resource after Expiration or Release vulnerability in multiple products In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. | 8.1 |