Latest Wordpress Wordpress 4 2 8 Security Vulnerabilities

DATE CVE VULNERABILITY TITLE RISK
2018-09-06 CVE-2018-1000773 Improper Input Validation vulnerability in Wordpress
WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600.
network
low complexity
wordpress
CWE-20
6.5
2018-09-06 CVE-2017-1000600 Improper Input Validation vulnerability in Wordpress
WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution.
network
low complexity
wordpress
CWE-20
6.5
2018-06-26 CVE-2018-12895 Path Traversal vulnerability in Wordpress
WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file.
network
low complexity
wordpress
debian
CWE-22
6.5
2018-04-16 CVE-2018-10102 Cross-Site Scripting vulnerability in Wordpress
Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.
4.3
2018-04-16 CVE-2018-10101 Open Redirect vulnerability in Wordpress
Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.
5.8
2018-04-16 CVE-2018-10100 Open Redirect vulnerability in Wordpress
Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.
5.8
2018-04-12 CVE-2014-6412 Weak Password Recovery Mechanism FOR Forgotten Password vulnerability in Wordpress
WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.
network
low complexity
wordpress
CWE-640
5.0
2018-02-06 CVE-2018-6389 Resource Exhaustion vulnerability in Wordpress
In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.
network
low complexity
wordpress
CWE-400
5.0
2018-01-18 CVE-2018-5776 Cross-Site Scripting vulnerability in Wordpress
WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).
4.3
2017-12-02 CVE-2017-17094 Cross-Site Scripting vulnerability in Wordpress
wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.
3.5