Releases79
Frequency1 month 2 weeks
Last Release
Stars181
WordPress Plugin for Auth0 Authentication

CVE History

CVEAffectedPublishedCVSS v3CVSS v2
6.8 MEDIUM

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects are affected if they use Auth0-PHP SDK versions between v8.0.0 and v8.17.0, or applications using the following SDKs that rely on the Auth0-PHP SDK versions between v8.0.0 and v8.17.0: Auth0/symfony versions between 5.0.0 and 5.5.0, Auth0/laravel-auth0 versions between 7.0.0 and 7.19.0, and/or Auth0/wordpress plugin versions between 5.0.0-BETA0 and 5.4.0. Auth0/Auth0-PHP version 8.18.0 contains a patch for the issue.

3.3 LOW

auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. The vulnerability affects any application that either directly uses the Auth0-PHP SDK (versions 3.3.0–8.16.0) or indirectly relies on those versions through the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs. This issue is fixed in version 8.17.0.

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKsrely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue.

9.1 CRITICAL

Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Certain pre-conditions are required to be vulnerable to this issue: Applications using the Auth0-PHP SDK, or the Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress SDKs that rely on the Auth0-PHP SDK; and session storage configured with CookieStore. Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotating cookie encryption keys is recommended. Note that once updated, any previous session cookies will be rejected.

<= 6.0.24.9 MEDIUM

WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page.

>= 6.0, <= 6.0.7, >= 6.1, <= 6.1.5, >= 6.2, <= 6.2.4, >= 6.3, <= 6.3.3, >= 6.4.0, <= 6.4.3, >= 6.5, <= 6.5.17.2 HIGH

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.

>= 6.4.0, < 6.4.25.5 MEDIUM

WordPress is an open publishing platform for the Web. Unserialization of instances of the `WP_HTML_Token` class allows for code execution via its `__destruct()` magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected.

< 4.1.40, >= 4.2, < 4.2.37, >= 4.3, < 4.3.33, >= 4.4, < 4.4.32, >= 4.5, < 4.5.31, >= 4.6, < 4.6.28, >= 4.7, < 4.7.28, >= 4.8, < 4.8.24, >= 4.9, < 4.9.25, >= 5.0, < 5.0.21, >= 5.1, < 5.1.18, >= 5.2, < 5.2.20, >= 5.3, < 5.3.17, >= 5.4, < 5.4.15, >= 5.5, < 5.5.14, >= 5.6, < 5.6.13, >= 5.7, < 5.7.11, >= 5.8, < 5.8.9, >= 5.9, < 5.9.9, >= 6.0, < 6.0.7, >= 6.1, < 6.1.5, >= 6.2, < 6.2.4, >= 6.3, < 6.3.3, >= 6.4.0, < 6.4.37.6 HIGH

WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin screen in WordPress. If FTP credentials are requested for installation (in order to move the file into place outside of the `uploads` directory) then the uploaded file remains temporary available in the Media Library despite it not being allowed. If the `DISALLOW_FILE_EDIT` constant is set to `true` on the site _and_ FTP credentials are required when uploading a new theme or plugin, then this technically allows an RCE when the user would otherwise have no means of executing arbitrary PHP code. This issue _only_ affects Administrator level users on single site installations, and Super Admin level users on Multisite installations where it's otherwise expected that the user does not have permission to upload or execute arbitrary PHP code. Lower level users are not affected. Sites where the `DISALLOW_FILE_MODS` constant is set to `true` are not affected. Sites where an administrative user either does not need to enter FTP credentials or they have access to the valid FTP credentials, are not affected. The issue was fixed in WordPress 6.4.3 on January 30, 2024 and backported to versions 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, 5.8.9, 5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21, 4.9.25, 2.8.24, 4.7.28, 4.6.28, 4.5.31, 4.4.32, 4.3.33, 4.2.37, and 4.1.40. A workaround is available. If the `DISALLOW_FILE_MODS` constant is defined as `true` then it will not be possible for any user to upload a plugin and therefore this issue will not be exploitable.

>= 6.3, < 6.3.2, >= 6.2, < 6.2.3, >= 6.1, < 6.1.4, >= 6.0, < 6.0.6, >= 5.9, < 5.9.8, >= 5.8, < 5.8.8, >= 5.7, < 5.7.10, >= 5.6, < 5.6.12, >= 5.5, < 5.5.13, >= 5.4, < 5.4.14, >= 5.3, < 5.3.16, >= 5.2, < 5.2.19, >= 5.1, < 5.1.17, >= 5.0, < 5.0.20, >= 4.9, < 4.9.24, >= 4.8, < 4.8.23, >= 4.7, < 4.7.275.3 MEDIUM

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack

>= 6.2, <= 6.2.2, >= 6.1, <= 6.1.3, >= 6.0, <= 6.0.5, >= 5.9, <= 5.9.7, >= 6.3, < 6.3.2, >= 5.8, <= 5.8.7, >= 5.7, <= 5.7.9, >= 5.6, <= 5.6.11, >= 5.5, <= 5.5.12, >= 5.4, <= 5.4.13, >= 5.3, <= 5.3.15, >= 5.2, <= 5.2.18, >= 5.1, <= 5.1.16, >= 5.0, <= 5.0.19, >= 4.9, <= 4.9.23, >= 4.8, <= 4.8.22, >= 4.7, <= 4.7.26, >= 4.6, <= 4.6.26, >= 4.5, <= 4.5.29, >= 4.4, <= 4.4.30, >= 4.3, <= 4.3.31, >= 4.2, <= 4.2.35, >= 4.1, <= 4.1.384.3 MEDIUM

Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38.

>= 6.3, <= 6.3.1, >= 6.2, <= 6.2.2, >= 6.1, <= 6.1.3, >= 6.0, <= 6.0.5, >= 5.9, <= 5.9.76.5 MEDIUM

Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions.

= 6.2, >= 6.1, < 6.1.2, >= 6.0, < 6.0.4, >= 5.9, < 5.9.6, >= 5.8, < 5.8.7, >= 5.6, < 5.6.11, >= 5.5, < 5.5.12, >= 5.4, < 5.4.13, >= 5.3, < 5.3.15, >= 5.2, < 5.2.18, >= 5.1, < 5.1.16, >= 5.0, < 5.0.19, >= 4.9, < 4.9.23, >= 4.8, < 4.8.22, >= 4.7, < 4.7.26, >= 4.6, < 4.6.26, >= 4.5, < 4.5.29, >= 4.4, < 4.4.30, >= 4.3, < 4.3.31, >= 4.2, < 4.2.35, >= 5.7, < 5.7.9, < 4.1.385.4 MEDIUM

WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.

<= 6.1.15.3 MEDIUM

WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits.

>= 4.2, <= 6.1.1, = 4.15.9 MEDIUM

WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

= *, >= 6.0, < 6.0.3, >= 5.9, < 5.9.5, >= 5.8, < 5.8.6, >= 5.7, < 5.7.8, >= 5.6, < 5.6.10, >= 5.5, < 5.5.11, >= 5.4, < 5.4.12, >= 5.3, < 5.3.14, >= 5.2, < 5.2.17, >= 5.1, < 5.1.15, >= 5.0, < 5.0.18, >= 4.9, < 4.9.22, >= 4.8, < 4.8.21, >= 4.7, < 4.7.25, >= 4.6, < 4.6.25, >= 4.5, < 4.5.28, >= 4.4, < 4.4.29, >= 4.3, < 4.3.30, >= 4.2, < 4.2.34, >= 4.1, < 4.1.37, >= 4.0, < 4.0.37, >= 3.9, < 3.9.39, >= 3.8, < 3.8.40, < 3.7.406.1 MEDIUM

Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.

= *, >= 6.0, < 6.0.3, >= 5.9, < 5.9.5, >= 5.8, < 5.8.6, >= 5.7, < 5.7.8, >= 5.6, < 5.6.10, >= 5.5, < 5.5.11, >= 5.4, < 5.4.12, >= 5.3, < 5.3.14, >= 5.2, < 5.2.17, >= 5.1, < 5.1.15, >= 5.0, < 5.0.18, >= 4.9, < 4.9.22, >= 4.8, < 4.8.21, >= 4.7, < 4.7.25, >= 4.6, < 4.6.25, >= 4.5, < 4.5.28, >= 4.4, < 4.4.29, >= 4.3, < 4.3.30, >= 4.2, < 4.2.34, >= 4.1, < 4.1.37, >= 4.0, < 4.0.37, >= 3.9, < 3.9.39, >= 3.8, < 3.8.40, < 3.7.405.3 MEDIUM

Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7.

= *, >= 6.0, < 6.0.3, >= 5.9, < 5.9.5, >= 5.8, < 5.8.6, >= 5.7, < 5.7.8, >= 5.6, < 5.6.10, >= 5.5, < 5.5.11, >= 5.4, < 5.4.12, >= 5.3, < 5.3.14, >= 5.2, < 5.2.17, >= 5.1, < 5.1.15, >= 5.0, < 5.0.18, >= 4.9, < 4.9.22, >= 4.8, < 4.8.21, >= 4.7, < 4.7.25, >= 4.6, < 4.6.25, >= 4.5, < 4.5.28, >= 4.4, < 4.4.29, >= 4.3, < 4.3.30, >= 4.2, < 4.2.34, >= 4.1, < 4.1.37, >= 4.0, < 4.0.37, >= 3.9, < 3.9.39, >= 3.8, < 3.8.40, < 3.7.406.1 MEDIUM

Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.

= 5.1

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

>= 3.1, < 3.1.2, < 3.0.66.5 MEDIUM4 MEDIUM

A flaw exists in Wordpress related to the 'wp-admin/press-this.php 'script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'publish_posts' permission.

< 5.8.37.4 HIGH6.5 MEDIUM

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

< 5.8.36.6 MEDIUM6.5 MEDIUM

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

< 5.8.38 HIGH3.5 LOW

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

= *, >= 3.7, < 3.7.37, >= 3.8, < 3.8.37, >= 3.9, < 3.9.35, >= 4.0, < 4.0.34, >= 4.1, < 4.1.34, >= 4.2, < 4.2.31, >= 4.3, < 4.3.27, >= 4.4, < 4.4.26, >= 4.5, < 4.5.25, >= 4.6, < 4.6.22, >= 4.7, < 4.7.22, >= 4.8, < 4.8.18, >= 4.9, < 4.9.19, >= 5.0, < 5.0.15, >= 5.1, < 5.1.12, >= 5.2, < 5.2.14, >= 5.3, < 5.3.11, >= 5.4, < 5.4.9, >= 5.5, < 5.5.8, >= 5.6, < 5.6.7, >= 5.7, < 5.7.5, >= 5.8, < 5.8.38 HIGH5 MEDIUM

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.

< 5.88.1 HIGH7.5 HIGH

WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

= 5.86.8 MEDIUM6 MEDIUM

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release.

>= 5.0, < 5.87.6 HIGH3.5 LOW

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/wordpress)

>= 5.2, < 5.8.15.3 MEDIUM4.3 MEDIUM

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can then be used to perform actions on your behalf. This has been patched in WordPress 5.8.1, along with any older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.

= 5.87.6 HIGH3.5 LOW

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. It was only present during the testing/beta phase of WordPress 5.8.

>= 5.7, < 5.7.2, >= 5.6, < 5.6.4, >= 5.5, < 5.5.5, >= 5.4, < 5.4.6, >= 4.6, < 4.6.21, >= 4.7, < 4.7.21, >= 4.8, < 4.8.17, >= 4.9, < 4.9.18, >= 5.0, < 5.0.13, >= 3.7, < 3.7.36, >= 3.8, < 3.8.36, >= 3.9, < 3.9.34, >= 4.0, < 4.0.33, >= 4.1, < 4.1.33, >= 4.2, < 4.2.30, >= 4.3, < 4.3.26, >= 4.4, < 4.4.25, >= 4.5, < 4.5.24, >= 5.1, < 5.1.10, >= 5.2, < 5.2.11, >= 5.3, < 5.3.89.8 CRITICAL7.5 HIGH

PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.

>= 4.7, < 5.7.16.5 MEDIUM4 MEDIUM

Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.

>= 5.6.0, < 5.7.17.1 HIGH4 MEDIUM

Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.

< 5.5.26.1 MEDIUM4.3 MEDIUM

WordPress before 5.5.2 allows stored XSS via post slugs.

< 5.5.29.1 CRITICAL6.4 MEDIUM

is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.

< 5.5.24.3 MEDIUM4.3 MEDIUM

WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.

< 5.5.29.8 CRITICAL7.5 HIGH

WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.

< 5.5.29.8 CRITICAL7.5 HIGH

WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.

< 5.5.27.5 HIGH5 MEDIUM

WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.

< 5.5.26.1 MEDIUM4.3 MEDIUM

WordPress before 5.5.2 allows XSS associated with global variables.

< 5.5.29.8 CRITICAL7.5 HIGH

is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).

< 5.5.29.8 CRITICAL7.5 HIGH

wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.

<= 5.5.18.8 HIGH9 HIGH

The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role.

< 5.4.25.3 MEDIUM5 MEDIUM

In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public.

>= 3.7, < 3.7.34, >= 3.8, < 3.8.34, >= 3.9, < 3.9.32, >= 4.0, < 4.0.31, >= 4.1, < 4.1.31, >= 4.2, < 4.2.28, >= 4.3, < 4.3.24, >= 4.4, < 4.4.23, >= 4.5, < 4.5.22, >= 4.6, < 4.6.19, >= 4.7, < 4.7.18, >= 4.8, < 4.8.14, >= 4.9, < 4.9.15, >= 5.0, < 5.0.10, >= 5.1, < 5.1.6, >= 5.2, < 5.2.7, >= 5.3.0, < 5.3.4, >= 5.4, < 5.4.22.4 LOW3.5 LOW

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

>= 3.7, < 3.7.34, >= 3.8, < 3.8.34, >= 3.9, < 3.9.32, >= 4.0, < 4.0.31, >= 4.1, < 4.1.31, >= 4.2, < 4.2.28, >= 4.3, < 4.3.24, >= 4.4, < 4.4.23, >= 4.5, < 4.5.22, >= 4.6, < 4.6.19, >= 4.7, < 4.7.18, >= 4.8, < 4.8.14, >= 4.9, < 4.9.15, >= 5.0, < 5.0.10, >= 5.1, < 5.1.6, >= 5.2, < 5.2.7, >= 5.3.0, < 5.3.4, >= 5.4, < 5.4.23.5 LOW6 MEDIUM

In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

>= 3.7, < 3.7.34, >= 3.8, < 3.8.34, >= 3.9, < 3.9.32, >= 4.0, < 4.0.31, >= 4.1, < 4.1.31, >= 4.2, < 4.2.28, >= 4.3, < 4.3.24, >= 4.4, < 4.4.23, >= 4.5, < 4.5.22, >= 4.6, < 4.6.19, >= 4.7, < 4.7.18, >= 4.8, < 4.8.14, >= 4.9, < 4.9.15, >= 5.0, < 5.0.10, >= 5.1, < 5.1.6, >= 5.2, < 5.2.7, >= 5.3.0, < 5.3.4, >= 5.4, < 5.4.25.7 MEDIUM4.9 MEDIUM

In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

>= 3.7, < 3.7.34, >= 3.8, < 3.8.34, >= 3.9, < 3.9.32, >= 4.0, < 4.0.31, >= 4.1, < 4.1.31, >= 4.2, < 4.2.28, >= 4.3, < 4.3.24, >= 4.4, < 4.4.23, >= 4.5, < 4.5.22, >= 4.6, < 4.6.19, >= 4.7, < 4.7.18, >= 4.8, < 4.8.14, >= 4.9, < 4.9.15, >= 5.0, < 5.0.10, >= 5.1, < 5.1.6, >= 5.2, < 5.2.7, >= 5.3.0, < 5.3.4, >= 5.4, < 5.4.25.4 MEDIUM3.5 LOW

In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

>= 3.7, < 3.7.34, >= 3.8, < 3.8.34, >= 3.9, < 3.9.32, >= 4.0, < 4.0.31, >= 4.1, < 4.1.31, >= 4.2, < 4.2.28, >= 4.3, < 4.3.24, >= 4.4, < 4.4.23, >= 4.5, < 4.5.22, >= 4.6, < 4.6.19, >= 4.7, < 4.7.18, >= 4.8, < 4.8.14, >= 4.9, < 4.9.15, >= 5.0, < 5.0.10, >= 5.1, < 5.1.6, >= 5.2, < 5.2.7, >= 5.3.0, < 5.3.4, >= 5.4, < 5.4.26.8 MEDIUM3.5 LOW

In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

< 5.4.15.8 MEDIUM4.3 MEDIUM

In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

< 5.4.16.4 MEDIUM3.5 LOW

In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

= *, = 5.4, >= 5.3, < 5.3.3, >= 5.2, < 5.2.6, >= 5.1, < 5.1.5, >= 5.0, < 5.0.9, >= 4.9, < 4.9.14, >= 4.8, < 4.8.13, >= 4.7, < 4.7.17, >= 4.6, < 4.6.18, >= 4.5, < 4.5.21, >= 4.4, < 4.4.22, >= 4.3, < 4.3.23, >= 4.2, < 4.2.27, >= 4.1, < 4.1.30, >= 4.0, < 4.0.30, >= 3.9, < 3.9.31, >= 3.8, < 3.8.33, >= 3.7, < 3.7.335.8 MEDIUM4.3 MEDIUM

In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

= *, = 5.4, >= 5.3, < 5.3.3, >= 5.2, < 5.2.6, >= 5.1, < 5.1.5, >= 5.0, < 5.0.9, >= 4.9, < 4.9.14, >= 4.8, < 4.8.13, >= 4.7, < 4.7.17, >= 4.6, < 4.6.18, >= 4.5, < 4.5.21, >= 4.4, < 4.4.22, >= 4.3, < 4.3.23, >= 4.2, < 4.2.27, >= 4.1, < 4.1.30, >= 4.0, < 4.0.30, >= 3.9, < 3.9.31, >= 3.8, < 3.8.33, >= 3.7, < 3.7.336.1 MEDIUM5.5 MEDIUM

In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

= *, = 5.4, >= 5.3, < 5.3.3, >= 5.2, < 5.2.6, >= 5.1, < 5.1.5, >= 5.0, < 5.0.9, >= 4.9, < 4.9.14, >= 4.8, < 4.8.13, >= 4.7, < 4.7.17, >= 4.6, < 4.6.18, >= 4.5, < 4.5.21, >= 4.4, < 4.4.22, >= 4.3, < 4.3.23, >= 4.2, < 4.2.27, >= 4.1, < 4.1.30, >= 4.0, < 4.0.30, >= 3.9, < 3.9.31, >= 3.8, < 3.8.33, >= 3.7, < 3.7.338.7 HIGH3.5 LOW

In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

>= 4.7, < 5.4.15.8 MEDIUM3.5 LOW

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

6.1 MEDIUM4.3 MEDIUM

The Auth0 wp-auth0 plugin 3.11.x before 3.11.3 for WordPress allows XSS via a wle parameter associated with wp-login.php.

= *, >= 3.7, < 5.3.16.1 MEDIUM4.3 MEDIUM

In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

< 5.3.19.8 CRITICAL7.5 HIGH

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript&colon; substring.

= *, >= 3.7, < 5.3.14.3 MEDIUM5 MEDIUM

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

< 5.3.15.8 MEDIUM3.5 LOW

In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.

= 3.7, > 3.7, < 5.3.15.8 MEDIUM3.5 LOW

WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.

< 5.2.48.8 HIGH6.8 MEDIUM

WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.

< 5.2.45.4 MEDIUM3.5 LOW

WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer.

< 5.2.47.5 HIGH5 MEDIUM

WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header.

< 5.2.46.1 MEDIUM4.3 MEDIUM

WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.

< 5.2.45.3 MEDIUM5 MEDIUM

In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.

< 5.2.49.8 CRITICAL7.5 HIGH

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.

< 5.2.49.8 CRITICAL7.5 HIGH

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.

< 5.2.35.4 MEDIUM3.5 LOW

WordPress before 5.2.3 allows XSS in post previews by authenticated users.

< 5.2.36.1 MEDIUM4.3 MEDIUM

WordPress before 5.2.3 allows reflected XSS in the dashboard.

< 5.2.36.1 MEDIUM4.3 MEDIUM

WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.

< 5.2.36.1 MEDIUM5.8 MEDIUM

In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash.

< 5.2.36.1 MEDIUM4.3 MEDIUM

WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.

< 5.2.36.1 MEDIUM4.3 MEDIUM

WordPress before 5.2.3 allows XSS in shortcode previews.

< 5.2.36.1 MEDIUM4.3 MEDIUM

WordPress before 5.2.3 allows XSS in stored comments.

= 4.7.25 MEDIUM

WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring.

< 5.1.16.8 MEDIUM

WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

<= 5.0.36.5 MEDIUM4 MEDIUM

WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

< 4.9.9, = 5.06.5 MEDIUM

WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.

>= 5.0, < 5.0.1, < 4.9.93.5 LOW

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.

>= 5.0, < 5.0.1, < 4.9.94 MEDIUM

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input.

>= 5.0, < 5.0.1, < 4.9.95 MEDIUM

In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default.

>= 5.0, < 5.0.1, < 4.9.94.3 MEDIUM

In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins.

>= 5.0, < 5.0.1, < 4.9.93.5 LOW

In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.

>= 5.0, < 5.0.1, < 4.9.97.5 HIGH

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.

>= 5.0, < 5.0.1, < 4.9.95.5 MEDIUM

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.

>= 3.7, <= 5.78.8 HIGH6.8 MEDIUM

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.

<= 4.9.86.5 MEDIUM

WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time.

< 4.96.5 MEDIUM

WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. This issue appears to have been partially, but not completely fixed in WordPress 4.9

= 4.9.76.5 MEDIUM

In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.

< 4.9.78.8 HIGH6.5 MEDIUM

WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.

< 4.9.55.8 MEDIUM

Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.

< 4.9.54.3 MEDIUM

Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.

< 4.9.55.8 MEDIUM

Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.

< 4.4.05 MEDIUM

WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.

<= 4.9.25 MEDIUM

In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.

< 4.9.24.3 MEDIUM

WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).

<= 4.96.5 MEDIUM

wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string.

< 4.9.13.5 LOW

wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file.

< 4.9.13.5 LOW

wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.

< 4.9.13.5 LOW

wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.

<= 4.8.27.5 HIGH

WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723.

<= 4.8.25 MEDIUM

WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.

<= 4.8.22.6 LOW

WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file.

= 4.8.24 MEDIUM

WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).

<= 4.8.14.3 MEDIUM

Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name.

<= 4.8.17.5 HIGH

Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.

<= 4.8.14.3 MEDIUM

Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.

<= 4.8.14.9 MEDIUM

Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php.

<= 4.8.14.3 MEDIUM

Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL.

<= 4.8.14.3 MEDIUM

Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.

= 3.0.5, = 4.0.1, = 3.6.1, = 4.1.1, = 3.7, = 3.9.3, = 3.0.2, = 3.2.1, = 3.1.4, = 4.7.1, = 3.8.3, = 4.0, = 3.9.2, = 4.5.3, = 3.8.2, = 3.2, = 3.0.4, = 3.7.4, = 3.7.1, = 3.3.3, = 3.1.3, = 3.1.2, = 3.0.1, = 3.0, = 3.6, = 3.3.2, = 3.1, = 4.7.2, = 4.6.6, = 4.6.5, = 4.6.4, = 4.5.7, = 4.5.6, = 3.9.1, = 3.8.4, = 3.8.1, = 3.8, = 4.7, = 4.8.1, = 4.6.7, = 4.5.9, = 4.5.8, = 4.7.5, = 4.8, = 4.6.1, = 4.6, = 3.4.2, = 3.4.1, = 3.0.3, = 3.3.1, = 3.1.1, = 4.7.3, = 4.7.4, = 4.6.3, = 4.6.2, = 4.5.5, = 4.5.4, = 4.4.1, = 4.1, = 3.9, = 3.5.1, = 3.3, = 3.0.6, = 4.5, = 4.4.9, = 4.4.11, = 4.4.10, = 4.3.5, = 4.3.4, = 4.3, = 4.2.9, = 4.2.16, = 4.2.15, = 4.2, = 4.1.9, = 4.1.2, = 4.1.19, = 4.1.11, = 4.1.10, = 4.0.5, = 4.0.4, = 4.5.10, = 4.5.1, = 4.4.4, = 4.4.3, = 4.4.2, = 4.3.7, = 4.3.6, = 4.3.10, = 4.3.1, = 4.2.4, = 4.2.3, = 4.2.2, = 4.2.10, = 4.2.1, = 4.1.4, = 4.1.3, = 4.1.13, = 4.1.12, = 4.0.7, = 4.0.6, = 4.5.2, = 4.4.6, = 4.4.5, = 4.3.9, = 4.3.8, = 4.3.12, = 4.3.11, = 4.2.6, = 4.2.5, = 4.2.12, = 4.2.11, = 4.1.6, = 4.1.5, = 4.1.16, = 4.1.15, = 4.1.14, = 4.0.9, = 4.0.8, = 4.0.19, = 4.4.8, = 4.4.7, = 4.4, = 4.3.3, = 4.3.2, = 4.2.8, = 4.2.7, = 4.2.14, = 4.2.13, = 4.1.8, = 4.1.7, = 4.1.18, = 4.1.17, = 4.0.3, = 4.0.2, = 4.0.15, = 4.0.14, = 3.9.8, = 3.9.7, = 3.9.19, = 3.9.18, = 3.9.11, = 3.9.10, = 3.8.17, = 3.8.16, = 4.0.17, = 4.0.16, = 3.9.9, = 3.9.20, = 3.9.13, = 3.9.12, = 3.8.6, = 3.8.5, = 3.8.19, = 4.0.18, = 4.0.10, = 3.9.4, = 3.9.15, = 3.9.14, = 3.8.8, = 3.8.7, = 3.8.20, = 3.8.13, = 3.8.12, = 3.7.6, = 3.7.5, = 3.7.19, = 3.7.18, = 3.7.11, = 3.7.10, = 3.8.18, = 3.8.11, = 3.8.10, = 3.7.3, = 3.7.17, = 3.7.16, = 3.4, = 3.7.9, = 3.7.22, = 3.7.21, = 3.7.15, = 3.7.14, = 3.5.2, = 4.0.13, = 4.0.12, = 4.0.11, = 3.9.6, = 3.9.5, = 3.9.17, = 3.9.16, = 3.8.9, = 3.8.22, = 3.8.21, = 3.8.15, = 3.8.14, = 3.7.8, = 3.7.7, = 3.7.20, = 3.7.2, = 3.7.13, = 3.7.12, = 3.55 MEDIUM

Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components.

= 4.7.1, = 4.7, = 4.7.2, = 4.7.3, = 4.7.4, = 4.7.5, = 4.8, = 4.8.15 MEDIUM

Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename.

<= 4.8.14.3 MEDIUM

Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name.

<= 4.7.46.8 MEDIUM

In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials.

<= 4.7.45 MEDIUM

In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API.

<= 4.7.45 MEDIUM

In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF.

<= 4.7.45 MEDIUM

In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API.

<= 4.7.44.3 MEDIUM

In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session.

<= 4.7.44.3 MEDIUM

In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename.

<= 4.7.44.3 MEDIUM

WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.

= 4.7.1, = 4.7, = 4.7.25 MEDIUM

The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI.

<= 4.7.23.5 LOW

In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.

<= 4.7.25.5 MEDIUM

In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality.

<= 4.7.24.3 MEDIUM

In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names.

<= 4.7.24.3 MEDIUM

In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This.

<= 4.7.23.5 LOW

In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function in wp-includes/js/mediaelement/wp-playlist.js.

<= 4.7.25.8 MEDIUM

In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation.

<= 4.7.19.8 CRITICAL7.5 HIGH

SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name.

<= 4.7.15 MEDIUM

wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms.

<= 4.7.14.3 MEDIUM

Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt.

<= 4.5.54.3 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.

= 4.5.35.5 MEDIUM

Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool.

<= 4.5.54 MEDIUM

The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896.

<= 4.76.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.

<= 4.75 MEDIUM

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.

<= 4.75 MEDIUM

wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name.

<= 4.75 MEDIUM

wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.

<= 4.74.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) version header of a plugin.

<= 4.76.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload.

<= 4.74.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php.

<= 4.63.5 LOW

Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename.

<= 4.66.5 MEDIUM

Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter.

<= 4.79.8 CRITICAL7.5 HIGH

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.

<= 4.79.8 CRITICAL7.5 HIGH

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

<= 4.4.26.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers to hijack the authentication of administrators for requests that change the script compression option.

<= 4.4.44.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

= *, < 4.58.6 HIGH5 MEDIUM

WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address.

<= 4.5.25 MEDIUM

WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors.

<= 4.5.25 MEDIUM

WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie.

<= 4.5.25 MEDIUM

WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors.

<= 4.5.25 MEDIUM

The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors.

<= 4.5.25 MEDIUM

WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php.

<= 4.5.24.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833.

<= 4.5.24.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834.

<= 4.5.25 MEDIUM

The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors.

<= 4.5.14.3 MEDIUM

Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn."

<= 4.5.14.3 MEDIUM

Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack.

= 4.4.15 MEDIUM

The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request forgery (SSRF) attacks via a zero value in the first octet of an IPv4 address in the u parameter to wp-admin/press-this.php.

<= 4.4.15.8 MEDIUM

Open redirect vulnerability in the wp_validate_redirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as demonstrated by an https:example.com URL.

<= 4.4.04.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php.

<= 4.2.14.3 MEDIUM

Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3440.

<= 4.3.03.5 LOW

Cross-site scripting (XSS) vulnerability in the user list table in WordPress before 4.3.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted e-mail address, a different vulnerability than CVE-2015-5714.

<= 4.3.04 MEDIUM

The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in the XMLRPC subsystem in WordPress before 4.3.1 allows remote authenticated users to bypass intended access restrictions, and arrange for a private post to be published and sticky, via unspecified vectors.

<= 4.3.04.3 MEDIUM

Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the mishandling of unclosed HTML elements during processing of shortcode tags.

<= 4.2.34.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a crafted string.

<= 4.2.34.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the refreshAdvancedAccessibilityOfItem function in wp-admin/js/nav-menu.js in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via an accessibility-helper title.

<= 4.2.34.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the form function in the WP_Nav_Menu_Widget class in wp-includes/default-widgets.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a widget title.

<= 4.2.36.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action.

<= 4.2.35 MEDIUM

The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time comparison for widgets, which allows remote attackers to conduct a timing side-channel attack by measuring the delay before inequality is calculated.

<= 4.2.37.5 HIGH

SQL injection vulnerability in the wp_untrash_post_comments function in wp-includes/post.php in WordPress before 4.2.4 allows remote attackers to execute arbitrary SQL commands via a comment that is mishandled after retrieval from the trash.

= 4.0.1, = 4.1.1, = 3.9.3, = 3.9.2, = 3.9.0, = 4.0, = 4.1, = 3.9.14.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as.

<= 4.1.14.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 4.1.2, when MySQL is used without strict mode, allow remote attackers to inject arbitrary web script or HTML via a (1) four-byte UTF-8 character or (2) invalid character that reaches the database layer, as demonstrated by a crafted character in a comment.

<= 4.2.24 MEDIUM

WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php.

<= 4.2.23.5 LOW

Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.php.

<= 4.24.3 MEDIUM

Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type.

<= 4.2.14.3 MEDIUM

Cross-site scripting (XSS) vulnerability in example.html in Genericons before 3.3.1, as used in WordPress before 4.2.2, allows remote attackers to inject arbitrary web script or HTML via a fragment identifier.