Vulnerabilities affecting WordPress 4.2.8

Each entry gives: publication date, CVE ID, title, CVSS base score (risk); then the description, and, where the source lists them, the attack vector and complexity, the affected products and the CWE.
2018-12-14  CVE-2018-20147  Incorrect Authorization vulnerability in multiple products  (CVSS 5.5)
  In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.
  Attack vector: network, low complexity.  Products: wordpress, debian.  CWE-863.
2018-11-16  CVE-2018-19296  (CVSS 8.8)
  PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. PHPMailer is the mail library WordPress bundles under wp-includes, which is why the entry appears in this list.
2018-09-06  CVE-2018-1000773  Improper Input Validation vulnerability in Wordpress  (CVSS 6.5)
  WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600.
  Attack vector: network, low complexity.  Products: wordpress.  CWE-20.
2018-09-06  CVE-2017-1000600  Improper Input Validation vulnerability in Wordpress  (CVSS 6.5)
  WordPress versions before 4.9 contain a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution.
  Attack vector: network, low complexity.  Products: wordpress.  CWE-20.
2018-06-26  CVE-2018-12895  Path Traversal vulnerability in multiple products  (CVSS 6.5)
  WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file (removing wp-config.php drops the site back into its installer, which is how a file deletion becomes code execution).
  Attack vector: network, low complexity.  Products: wordpress, debian.  CWE-22.
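The two deletion bugs above (CVE-2018-12895, where the path comes straight from the thumb request parameter, and CVE-2018-20147, where an author plants it in attachment metadata first) share one root cause: the path handed to unlink is never checked against the uploads directory. The following is an added example, not WordPress code, written in Python rather than WordPress's PHP; it puts the unchecked deletion beside a hardened version that resolves the path and refuses anything outside the uploads root. The function names, the temporary "site" layout and the file contents are constructed for the demo.

```python
"""Added example (not WordPress code): a file-deletion routine that trusts a
relative path (from a request parameter or from stored metadata) can be steered
out of the uploads directory with '../'. The hardened version resolves the path
and checks containment before calling unlink."""
import os
import tempfile


def delete_thumb_vulnerable(uploads_dir: str, thumb: str) -> bool:
    # Joins and unlinks without checking where the result points:
    # thumb="../wp-config.php" walks out of uploads_dir.
    path = os.path.join(uploads_dir, thumb)
    if os.path.isfile(path):
        os.unlink(path)
        return True
    return False


def delete_thumb_safe(uploads_dir: str, thumb: str) -> bool:
    root = os.path.realpath(uploads_dir)
    # Resolve symlinks and '..' first; an absolute `thumb` discards `root` in join,
    # so it is caught by the same containment check.
    target = os.path.realpath(os.path.join(root, thumb))
    if target == root or os.path.commonpath([root, target]) != root:
        raise ValueError(f"refusing to delete outside uploads dir: {thumb!r}")
    if os.path.isfile(target):
        os.unlink(target)
        return True
    return False


def make_fixture():
    """Constructed sample install: <site>/wp-config.php and <site>/uploads/a.jpg."""
    site = tempfile.mkdtemp()
    uploads = os.path.join(site, "uploads")
    os.mkdir(uploads)
    config = os.path.join(site, "wp-config.php")
    with open(config, "w") as f:
        f.write("<?php // constructed placeholder\n")
    with open(os.path.join(uploads, "a.jpg"), "wb") as f:
        f.write(b"\xff\xd8")
    return site, uploads, config


def demo() -> dict:
    """Run both variants against fresh fixtures and report what happened."""
    out = {}
    _, uploads, config = make_fixture()
    out["vuln_deleted_config"] = delete_thumb_vulnerable(uploads, "../wp-config.php")
    out["config_exists_after_vuln"] = os.path.exists(config)

    _, uploads2, config2 = make_fixture()
    for name, thumb in (("safe_blocks_traversal", "../wp-config.php"),
                        ("safe_blocks_absolute", "/etc/hostname")):
        try:
            delete_thumb_safe(uploads2, thumb)
            out[name] = False
        except ValueError:
            out[name] = True
    out["config_exists_after_safe"] = os.path.exists(config2)
    out["safe_deletes_legit"] = delete_thumb_safe(uploads2, "a.jpg")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check is done on the resolved path, not on the string: stripping "../" from input is not enough, because a symlink inside uploads can point anywhere. The same containment test belongs in front of unlink regardless of whether the path came from a request parameter or from the attachment's stored metadata.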
2018-04-16  CVE-2018-10102  Cross-site Scripting vulnerability in Wordpress  (CVSS 4.3)
  Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.
2018-04-16  CVE-2018-10101  Open Redirect vulnerability in Wordpress  (CVSS 5.8)
  Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.
2018-04-16  CVE-2018-10100  Open Redirect vulnerability in Wordpress  (CVSS 5.8)
  Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.
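The two open-redirect entries (CVE-2018-10101 and CVE-2018-10100) describe two ways a redirect validator goes wrong: treating "localhost" as the site itself, and rewriting a URL to HTTPS without validating its host at all. The following is an added example, not WordPress code, in Python rather than WordPress's PHP: a login redirect validator that compares against the real site host only, rejects protocol-relative and non-HTTP schemes, and applies the force-HTTPS rewrite only after validation. The site hostname and fallback URL are assumptions for the demo.

```python
"""Added example (not WordPress code): validate a login redirect target before
using it. Only the configured site host counts as local; 'localhost' does not."""
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "blog.example"                    # assumed site hostname
FALLBACK = "https://blog.example/wp-admin/"   # where we go when redirect_to is rejected


def validate_redirect(redirect_to: str, site_host: str = SITE_HOST,
                      force_https: bool = False) -> str:
    url = redirect_to.strip()
    # Protocol-relative ("//evil") and backslash forms are browser-level redirects
    # to another host; reject them before urlsplit normalises anything.
    if url.startswith(("//", "\\", "/\\")):
        return FALLBACK
    parts = urlsplit(url)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return FALLBACK                       # javascript:, data:, ftp: ...
    host = (parts.hostname or "").lower()     # hostname strips userinfo and port
    if host:
        if host != site_host.lower():         # 'localhost' is NOT us
            return FALLBACK
    elif not parts.path.startswith("/") or parts.path.startswith(("//", "/\\")):
        return FALLBACK                       # relative paths must be site-absolute
    scheme = "https" if force_https else (parts.scheme.lower() or "https")
    # Rebuild from validated pieces: userinfo, port and fragment are dropped.
    return urlunsplit((scheme, site_host, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    for candidate in ("/wp-admin/edit.php?x=1", "http://localhost/x",
                      "https://evil.example/", "//evil.example/",
                      "http://blog.example@evil.example/", "javascript:alert(1)"):
        print(f"{candidate!r:40} -> {validate_redirect(candidate, force_https=True)}")
```

The order matters: forcing HTTPS is a rewrite of an already-validated URL, never a substitute for validation, and host comparison uses the parsed hostname so that userinfo tricks such as `blog.example@evil.example` land on the right side of the check.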
2018-04-12  CVE-2014-6412  Weak Password Recovery Mechanism for Forgotten Password vulnerability in Wordpress  (CVSS 5.0)
  WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.
  Attack vector: network, low complexity.  Products: wordpress.  CWE-640.
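A recovery token that an attacker can predict or brute-force, as in CVE-2014-6412, is a token with too little entropy, or one whose search space collapses because it is derived from something guessable. The following is an added example, not WordPress code (Python, not WordPress's PHP): a constructed weak scheme seeded from the request time, a brute-force loop that recovers it within a time window, and the replacement pattern a practitioner would want: a CSPRNG token, stored only as a salted hash, short-lived, single-use and compared in constant time. The weak scheme is a made-up illustration of the class of bug, not a description of how WordPress generated keys; the in-memory store and user names are constructed for the demo.

```python
"""Added example (not WordPress code): predictable vs. unguessable password-recovery
tokens. The weak scheme is constructed to show why a small search space fails."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_BYTES = 32              # 256 bits of CSPRNG output: brute force is infeasible
TOKEN_TTL_SECONDS = 15 * 60   # a short lifetime bounds any online guessing

# user -> (salt, sha256(salt + token), expiry); stands in for the users table
_store: Dict[str, Tuple[bytes, bytes, float]] = {}


def weak_token(user: str, issued_at: int) -> str:
    """Constructed weak scheme (NOT WordPress's): derived from the user and the second."""
    return hashlib.md5(f"{user}:{issued_at}".encode()).hexdigest()


def brute_force_weak(user: str, issued_near: int, window: int,
                     accepts: Callable[[str], bool]) -> Optional[int]:
    """Attacker who knows roughly when the reset was requested tries every second
    in [issued_near - window, issued_near + window]; returns attempts used."""
    tried = 0
    for t in range(issued_near - window, issued_near + window + 1):
        tried += 1
        if accepts(weak_token(user, t)):
            return tried
    return None


def _digest(salt: bytes, token: str) -> bytes:
    return hashlib.sha256(salt + token.encode()).digest()


def issue_reset_token(user: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)          # 43 url-safe characters
    salt = secrets.token_bytes(16)
    _store[user] = (salt, _digest(salt, token), now + TOKEN_TTL_SECONDS)
    return token                                        # goes into the e-mail link only


def verify_reset_token(user: str, token: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    rec = _store.get(user)
    if rec is None:
        return False
    salt, expected, expiry = rec
    if now > expiry:
        _store.pop(user, None)
        return False
    if not hmac.compare_digest(_digest(salt, token), expected):
        return False
    _store.pop(user, None)                              # single use
    return True


if __name__ == "__main__":
    issued = 1_700_000_000
    server_side = weak_token("alice", issued)
    attempts = brute_force_weak("alice", issued + 100, 3600,
                                lambda t: hmac.compare_digest(t, server_side))
    print(f"weak token recovered after {attempts} guesses")
    tok = issue_reset_token("alice")
    print("strong token verifies once:", verify_reset_token("alice", tok),
          "then not again:", verify_reset_token("alice", tok))
```

Storing only the salted hash means a leaked users table cannot be replayed as a reset link, and the expiry plus single-use rule mean that even an attacker who can make many requests has a bounded, short window against a 256-bit space.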
2018-02-06  CVE-2018-6389  Resource Exhaustion vulnerability in Wordpress  (CVSS 5.0)
  In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.
  Attack vector: network, low complexity.  Products: wordpress.  CWE-400.
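Because the CVE-2018-6389 request is unauthenticated and looks like ordinary admin traffic, the practical control is detection at the web tier: a single request to the script loader with an oversized handle list, or a client hammering that endpoint, is the signature. The following is an added example, not WordPress code (Python rather than PHP): a detector that parses combined-format access log lines, counts the handles in the `load[]` parameter, and keeps a per-client sliding window over hits to load-scripts.php / load-styles.php. The thresholds, the handle names and the log lines are constructed for this example.

```python
"""Added example (not WordPress code): flag CVE-2018-6389 style abuse of
/wp-admin/load-scripts.php in web server access logs."""
import re
from collections import defaultdict
from datetime import datetime
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TARGETS = ("/wp-admin/load-scripts.php", "/wp-admin/load-styles.php")
MAX_HANDLES = 30            # assumed: a real admin page requests a few dozen handles at most
MAX_HITS_PER_WINDOW = 20    # assumed: more loader hits than this per client per window is a flood
WINDOW_SECONDS = 60


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "url": m["url"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}


def handle_count(url: str) -> Optional[int]:
    """Number of handles requested via load[] (comma separated, key may repeat);
    None when the URL is not the script/style loader."""
    parts = urlsplit(url)
    if parts.path not in TARGETS:
        return None
    qs = parse_qs(parts.query)
    handles = [h for v in qs.get("load[]", []) + qs.get("load", [])
               for h in v.split(",") if h]
    return len(handles)


def analyze(lines: List[str]) -> List[Tuple[str, str, int]]:
    alerts = []
    hits = defaultdict(list)        # ip -> timestamps of loader hits inside the window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        n = handle_count(rec["url"])
        if n is None:
            continue
        if n > MAX_HANDLES:
            alerts.append(("oversized_load_list", rec["ip"], n))
        window = hits[rec["ip"]]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
            window.pop(0)           # slide the window forward
        if len(window) > MAX_HITS_PER_WINDOW:
            alerts.append(("load_scripts_flood", rec["ip"], len(window)))
    return alerts


def sample_log() -> List[str]:
    """Constructed log: one normal admin request, one oversized request, a 25-hit flood."""
    fmt = '{ip} - - [{ts}] "GET {url} HTTP/1.1" 200 {size}'
    normal = ("load[]=jquery-core,jquery-migrate,utils,common,wp-a11y,"
              "wp-lists,postbox,thickbox,plugin-install,shortcode")
    big = "load[]=" + ",".join(f"handle{i}" for i in range(60))
    lines = [fmt.format(ip="203.0.113.5", ts="08/Feb/2018:10:00:00 +0000",
                        url="/wp-admin/load-scripts.php?c=1&" + normal, size=45000),
             fmt.format(ip="198.51.100.9", ts="08/Feb/2018:10:00:01 +0000",
                        url="/wp-admin/load-scripts.php?c=1&" + big, size=4000000)]
    for i in range(25):
        lines.append(fmt.format(ip="198.51.100.77", ts=f"08/Feb/2018:10:00:{i:02d} +0000",
                                url="/wp-admin/load-scripts.php?c=1&" + normal, size=45000))
    lines.append('203.0.113.5 - - [08/Feb/2018:10:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2048')
    return lines


if __name__ == "__main__":
    for alert in analyze(sample_log()):
        print(alert)
```

The two signals complement each other: the handle-count rule catches a single expensive request, the sliding window catches a client spreading normal-sized requests over time. Either alert is a reasonable trigger for a rate limit or block at the reverse proxy, which is where the request should be stopped rather than in PHP.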