Vulnerabilities > Wordpress > Wordpress > 4.7.4
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-12-14 | CVE-2018-20150 | Cross-site Scripting vulnerability in Wordpress In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. | 4.3 |
| 2018-12-14 | CVE-2018-20149 | Cross-site Scripting vulnerability in Wordpress In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data. | 3.5 |
| 2018-12-14 | CVE-2018-20148 | Deserialization of Untrusted Data vulnerability in Wordpress In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. | 7.5 |
| 2018-12-14 | CVE-2018-20147 | Incorrect Authorization vulnerability in multiple products In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files. | 5.5 |
| 2018-11-16 | CVE-2018-19296 | PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. | 8.8 |
| 2018-09-06 | CVE-2018-1000773 | Improper Input Validation vulnerability in Wordpress WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. | 6.5 |
| 2018-09-06 | CVE-2017-1000600 | Improper Input Validation vulnerability in Wordpress WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. | 6.5 |
| 2018-06-26 | CVE-2018-12895 | Path Traversal vulnerability in multiple products WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. | 6.5 |
| 2018-04-16 | CVE-2018-10102 | Cross-site Scripting vulnerability in Wordpress Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. | 4.3 |
| 2018-04-16 | CVE-2018-10101 | Open Redirect vulnerability in Wordpress Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. | 5.8 |