Vulnerabilities > Wordpress > Wordpress > 4.7.4
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-09-11 | CVE-2019-16220 | Open Redirect vulnerability in multiple products In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect. | 6.1 |
| 2019-09-11 | CVE-2019-16219 | Cross-site Scripting vulnerability in multiple products WordPress before 5.2.3 allows XSS in shortcode previews. | 6.1 |
| 2019-09-11 | CVE-2019-16218 | Cross-site Scripting vulnerability in multiple products WordPress before 5.2.3 allows XSS in stored comments. | 6.1 |
| 2019-09-11 | CVE-2019-16217 | Cross-site Scripting vulnerability in multiple products WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. | 6.1 |
| 2019-03-14 | CVE-2019-9787 | Cross-Site Request Forgery (CSRF) vulnerability in Wordpress WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. | 6.8 |
| 2019-02-20 | CVE-2019-8943 | Path Traversal vulnerability in Wordpress WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). | 4.0 |
| 2019-02-20 | CVE-2019-8942 | Code Injection vulnerability in multiple products WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. | 6.5 |
| 2018-12-14 | CVE-2018-20153 | Cross-site Scripting vulnerability in Wordpress In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. | 3.5 |
| 2018-12-14 | CVE-2018-20152 | Improper Input Validation vulnerability in Wordpress In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. | 4.0 |
| 2018-12-14 | CVE-2018-20151 | Information Exposure vulnerability in Wordpress In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. | 5.0 |