WordpressCVEs & Vulnerabilities

625 CVEs affecting Wordpress products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

wordpress 4,389wordpress mu 73wordspew 39wassup plugin 10page flip image gallery plugin 8wp maintenance mode plugin 8sniplets plugin 6wordpress-users 6
CVE-2020-4046MEDIUM

In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

12 Jun 2020
5.4
CVSS
CVE-2020-11030MEDIUM

In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

1 May 2020
5.4
CVSS
CVE-2020-11029MEDIUM

In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

1 May 2020
6.1
CVSS
CVE-2020-11028HIGH

In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

1 May 2020
7.5
CVSS
CVE-2020-11027HIGHpoc

In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

1 May 2020
8.1
CVSS
CVE-2020-11026MEDIUM

In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

1 May 2020
5.4
CVSS
CVE-2020-11025MEDIUM

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

1 May 2020
5.4
CVSS
CVE-2019-20043MEDIUM

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

27 Dec 2019
4.3
CVSS
CVE-2019-20042MEDIUM

In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

27 Dec 2019
6.1
CVSS
CVE-2019-20041CRITICAL

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.

27 Dec 2019
9.8
CVSS
CVE-2019-16781MEDIUM

In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.

26 Dec 2019
5.4
CVSS
CVE-2019-16780MEDIUM

WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.

26 Dec 2019
5.4
CVSS
CVE-2019-17675HIGH

WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.

17 Oct 2019
8.8
CVSS
CVE-2019-17674MEDIUM

WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer.

17 Oct 2019
5.4
CVSS
CVE-2019-17673HIGH

WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header.

17 Oct 2019
7.5
CVSS
CVE-2019-17672MEDIUM

WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.

17 Oct 2019
6.1
CVSS
CVE-2019-17671MEDIUMpoc

In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.

17 Oct 2019
5.3
CVSS
CVE-2019-17670CRITICAL

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.

17 Oct 2019
9.8
CVSS
CVE-2019-17669CRITICAL

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.

17 Oct 2019
9.8
CVSS
CVE-2019-16223MEDIUMpoc

WordPress before 5.2.3 allows XSS in post previews by authenticated users.

11 Sep 2019
5.4
CVSS
CVE-2019-16222MEDIUM

WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.

11 Sep 2019
6.1
CVSS
CVE-2019-16221MEDIUM

WordPress before 5.2.3 allows reflected XSS in the dashboard.

11 Sep 2019
6.1
CVSS
CVE-2019-16220MEDIUM

In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash.

11 Sep 2019
6.1
CVSS
CVE-2019-16219MEDIUM

WordPress before 5.2.3 allows XSS in shortcode previews.

11 Sep 2019
6.1
CVSS
CVE-2019-16218MEDIUM

WordPress before 5.2.3 allows XSS in stored comments.

11 Sep 2019
6.1
CVSS
CVE-2019-16217MEDIUM

WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.

11 Sep 2019
6.1
CVSS
CVE-2017-6514MEDIUM

WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring.

22 May 2019
5.3
CVSS
CVE-2019-9787HIGH

WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

14 Mar 2019
8.8
CVSS
CVE-2019-8943MEDIUMpoc

WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

20 Feb 2019
6.5
CVSS
CVE-2019-8942HIGHpoc

WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.

20 Feb 2019
8.8
CVSS
CVE-2018-20153MEDIUM

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.

14 Dec 2018
5.4
CVSS
CVE-2018-20152MEDIUM

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input.

14 Dec 2018
6.5
CVSS
CVE-2018-20151HIGH

In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default.

14 Dec 2018
7.5
CVSS
CVE-2018-20150MEDIUM

In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins.

14 Dec 2018
6.1
CVSS
CVE-2018-20149MEDIUM

In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.

14 Dec 2018
5.4
CVSS
CVE-2018-20148CRITICAL

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.

14 Dec 2018
9.8
CVSS
CVE-2018-20147MEDIUM

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.

14 Dec 2018
6.5
CVSS
CVE-2018-19296HIGH

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.

16 Nov 2018
8.8
CVSS
CVE-2018-1000773HIGH

WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time.

6 Sep 2018
8.8
CVSS
CVE-2017-1000600HIGH

WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. This issue appears to have been partially, but not completely fixed in WordPress 4.9

6 Sep 2018
8.8
CVSS
CVE-2018-14028HIGH

In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.

10 Aug 2018
7.2
CVSS
CVE-2018-12895HIGH

WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.

26 Jun 2018
8.8
CVSS
CVE-2018-10102MEDIUM

Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.

16 Apr 2018
6.1
CVSS
CVE-2018-10101MEDIUM

Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.

16 Apr 2018
6.1
CVSS
CVE-2018-10100MEDIUM

Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.

16 Apr 2018
6.1
CVSS
CVE-2014-6412HIGH

WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.

13 Apr 2018
8.1
CVSS
CVE-2018-6389HIGHpoc

In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.

6 Feb 2018
7.5
CVSS
CVE-2018-5776MEDIUM

WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).

19 Jan 2018
6.1
CVSS
← PrevPage 2 / 14Next →