Latest Wordpress Wordpress 4 2 8 Security Vulnerabilities
|2018-09-06||CVE-2017-1000600|| Improper Input Validation vulnerability in Wordpress |
WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution.
|2018-06-26||CVE-2018-12895|| Path Traversal vulnerability in Wordpress |
WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file.
|2018-04-16||CVE-2018-10102|| Cross-Site Scripting vulnerability in Wordpress |
Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.
|2018-04-16||CVE-2018-10101|| Open Redirect vulnerability in Wordpress |
Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.
|2018-04-16||CVE-2018-10100|| Open Redirect vulnerability in Wordpress |
Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.
|2018-04-12||CVE-2014-6412|| Weak Password Recovery Mechanism FOR Forgotten Password vulnerability in Wordpress |
WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.
|2018-02-06||CVE-2018-6389|| Resource Exhaustion vulnerability in Wordpress |
In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.
|2018-01-18||CVE-2018-5776|| Cross-Site Scripting vulnerability in Wordpress |
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).
|2017-12-02||CVE-2017-17094|| Cross-Site Scripting vulnerability in Wordpress |
wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.
|2017-12-02||CVE-2017-17093|| Cross-Site Scripting vulnerability in Wordpress |
wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.