4.3.29

DATE	CVE	VULNERABILITY TITLE	RISK
2020-11-02	CVE-2020-28037	Improper Check for Unusual or Exceptional Conditions vulnerability in multiple products is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation). network low complexity wordpress fedoraproject debian CWE-754 critical	9.8
2020-11-02	CVE-2020-28036	Missing Authorization vulnerability in multiple products wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post. network low complexity wordpress fedoraproject debian CWE-862 critical	9.8
2020-11-02	CVE-2020-28035	WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC. network low complexity wordpress fedoraproject debian critical	9.8
2020-11-02	CVE-2020-28034	Cross-site Scripting vulnerability in multiple products WordPress before 5.5.2 allows XSS associated with global variables. network low complexity wordpress fedoraproject debian CWE-79	6.1
2020-11-02	CVE-2020-28033	WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed. network low complexity wordpress fedoraproject debian	7.5
2020-11-02	CVE-2020-28032	Deserialization of Untrusted Data vulnerability in multiple products WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php. network low complexity wordpress fedoraproject debian CWE-502 critical	9.8
2018-11-16	CVE-2018-19296	PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. network low complexity phpmailer-project debian fedoraproject wordpress	8.8
2016-12-30	CVE-2016-10033	Argument Injection or Modification vulnerability in multiple products The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property. network low complexity phpmailer-project wordpress joomla CWE-88 critical	9.8
2016-08-07	CVE-2016-4029	Server-Side Request Forgery (SSRF) vulnerability in multiple products WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address. network low complexity wordpress debian CWE-918	8.6