Vulnerabilities > Wordpress > Wordpress > 5.0

DATE CVE VULNERABILITY TITLE RISK
2019-09-11 CVE-2019-16222 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.
network
low complexity
wordpress debian CWE-79
6.1
6.1
2019-09-11 CVE-2019-16221 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 allows reflected XSS in the dashboard.
network
low complexity
wordpress debian CWE-79
6.1
6.1
2019-09-11 CVE-2019-16220 Open Redirect vulnerability in multiple products
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash.
network
low complexity
wordpress debian CWE-601
6.1
6.1
2019-09-11 CVE-2019-16219 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 allows XSS in shortcode previews.
network
low complexity
wordpress debian CWE-79
6.1
6.1
2019-09-11 CVE-2019-16218 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 allows XSS in stored comments.
network
low complexity
wordpress debian CWE-79
6.1
6.1
2019-09-11 CVE-2019-16217 Cross-site Scripting vulnerability in multiple products
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.
network
low complexity
wordpress debian CWE-79
6.1
6.1
2019-03-14 CVE-2019-9787 Cross-Site Request Forgery (CSRF) vulnerability in Wordpress
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration.
network
wordpress CWE-352
6.8
6.8
2019-02-20 CVE-2019-8943 Path Traversal vulnerability in Wordpress
WordPress through 5.0.3 allows Path Traversal in wp_crop_image().
network
low complexity
wordpress CWE-22
4.0
4.0
2019-02-20 CVE-2019-8942 Code Injection vulnerability in multiple products
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring.
network
low complexity
wordpress debian CWE-94
6.5
6.5
2018-12-14 CVE-2018-20153 Cross-site Scripting vulnerability in Wordpress
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. 		3.5
3.5