Releases22
Frequency6 months 1 week
Last Release
A client for working with WordPress.

CVE History

CVEAffectedPublishedCVSS v3CVSS v2
<= 6.0.24.9 MEDIUM

WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page.

>= 6.0, <= 6.0.7, >= 6.1, <= 6.1.5, >= 6.2, <= 6.2.4, >= 6.3, <= 6.3.3, >= 6.4.0, <= 6.4.3, >= 6.5, <= 6.5.17.2 HIGH

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.

>= 6.4.0, < 6.4.25.5 MEDIUM

WordPress is an open publishing platform for the Web. Unserialization of instances of the `WP_HTML_Token` class allows for code execution via its `__destruct()` magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected.

< 4.1.40, >= 4.2, < 4.2.37, >= 4.3, < 4.3.33, >= 4.4, < 4.4.32, >= 4.5, < 4.5.31, >= 4.6, < 4.6.28, >= 4.7, < 4.7.28, >= 4.8, < 4.8.24, >= 4.9, < 4.9.25, >= 5.0, < 5.0.21, >= 5.1, < 5.1.18, >= 5.2, < 5.2.20, >= 5.3, < 5.3.17, >= 5.4, < 5.4.15, >= 5.5, < 5.5.14, >= 5.6, < 5.6.13, >= 5.7, < 5.7.11, >= 5.8, < 5.8.9, >= 5.9, < 5.9.9, >= 6.0, < 6.0.7, >= 6.1, < 6.1.5, >= 6.2, < 6.2.4, >= 6.3, < 6.3.3, >= 6.4.0, < 6.4.37.6 HIGH

WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin screen in WordPress. If FTP credentials are requested for installation (in order to move the file into place outside of the `uploads` directory) then the uploaded file remains temporary available in the Media Library despite it not being allowed. If the `DISALLOW_FILE_EDIT` constant is set to `true` on the site _and_ FTP credentials are required when uploading a new theme or plugin, then this technically allows an RCE when the user would otherwise have no means of executing arbitrary PHP code. This issue _only_ affects Administrator level users on single site installations, and Super Admin level users on Multisite installations where it's otherwise expected that the user does not have permission to upload or execute arbitrary PHP code. Lower level users are not affected. Sites where the `DISALLOW_FILE_MODS` constant is set to `true` are not affected. Sites where an administrative user either does not need to enter FTP credentials or they have access to the valid FTP credentials, are not affected. The issue was fixed in WordPress 6.4.3 on January 30, 2024 and backported to versions 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, 5.8.9, 5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21, 4.9.25, 2.8.24, 4.7.28, 4.6.28, 4.5.31, 4.4.32, 4.3.33, 4.2.37, and 4.1.40. A workaround is available. If the `DISALLOW_FILE_MODS` constant is defined as `true` then it will not be possible for any user to upload a plugin and therefore this issue will not be exploitable.

>= 6.3, < 6.3.2, >= 6.2, < 6.2.3, >= 6.1, < 6.1.4, >= 6.0, < 6.0.6, >= 5.9, < 5.9.8, >= 5.8, < 5.8.8, >= 5.7, < 5.7.10, >= 5.6, < 5.6.12, >= 5.5, < 5.5.13, >= 5.4, < 5.4.14, >= 5.3, < 5.3.16, >= 5.2, < 5.2.19, >= 5.1, < 5.1.17, >= 5.0, < 5.0.20, >= 4.9, < 4.9.24, >= 4.8, < 4.8.23, >= 4.7, < 4.7.275.3 MEDIUM

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack

>= 6.2, <= 6.2.2, >= 6.1, <= 6.1.3, >= 6.0, <= 6.0.5, >= 5.9, <= 5.9.7, >= 6.3, < 6.3.2, >= 5.8, <= 5.8.7, >= 5.7, <= 5.7.9, >= 5.6, <= 5.6.11, >= 5.5, <= 5.5.12, >= 5.4, <= 5.4.13, >= 5.3, <= 5.3.15, >= 5.2, <= 5.2.18, >= 5.1, <= 5.1.16, >= 5.0, <= 5.0.19, >= 4.9, <= 4.9.23, >= 4.8, <= 4.8.22, >= 4.7, <= 4.7.26, >= 4.6, <= 4.6.26, >= 4.5, <= 4.5.29, >= 4.4, <= 4.4.30, >= 4.3, <= 4.3.31, >= 4.2, <= 4.2.35, >= 4.1, <= 4.1.384.3 MEDIUM

Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38.

>= 6.3, <= 6.3.1, >= 6.2, <= 6.2.2, >= 6.1, <= 6.1.3, >= 6.0, <= 6.0.5, >= 5.9, <= 5.9.76.5 MEDIUM

Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions.

= 6.2, >= 6.1, < 6.1.2, >= 6.0, < 6.0.4, >= 5.9, < 5.9.6, >= 5.8, < 5.8.7, >= 5.6, < 5.6.11, >= 5.5, < 5.5.12, >= 5.4, < 5.4.13, >= 5.3, < 5.3.15, >= 5.2, < 5.2.18, >= 5.1, < 5.1.16, >= 5.0, < 5.0.19, >= 4.9, < 4.9.23, >= 4.8, < 4.8.22, >= 4.7, < 4.7.26, >= 4.6, < 4.6.26, >= 4.5, < 4.5.29, >= 4.4, < 4.4.30, >= 4.3, < 4.3.31, >= 4.2, < 4.2.35, >= 5.7, < 5.7.9, < 4.1.385.4 MEDIUM

WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.

<= 6.1.15.3 MEDIUM

WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits.

>= 4.2, <= 6.1.1, = 4.15.9 MEDIUM

WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

= *, >= 6.0, < 6.0.3, >= 5.9, < 5.9.5, >= 5.8, < 5.8.6, >= 5.7, < 5.7.8, >= 5.6, < 5.6.10, >= 5.5, < 5.5.11, >= 5.4, < 5.4.12, >= 5.3, < 5.3.14, >= 5.2, < 5.2.17, >= 5.1, < 5.1.15, >= 5.0, < 5.0.18, >= 4.9, < 4.9.22, >= 4.8, < 4.8.21, >= 4.7, < 4.7.25, >= 4.6, < 4.6.25, >= 4.5, < 4.5.28, >= 4.4, < 4.4.29, >= 4.3, < 4.3.30, >= 4.2, < 4.2.34, >= 4.1, < 4.1.37, >= 4.0, < 4.0.37, >= 3.9, < 3.9.39, >= 3.8, < 3.8.40, < 3.7.405.3 MEDIUM

Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7.

= *, >= 6.0, < 6.0.3, >= 5.9, < 5.9.5, >= 5.8, < 5.8.6, >= 5.7, < 5.7.8, >= 5.6, < 5.6.10, >= 5.5, < 5.5.11, >= 5.4, < 5.4.12, >= 5.3, < 5.3.14, >= 5.2, < 5.2.17, >= 5.1, < 5.1.15, >= 5.0, < 5.0.18, >= 4.9, < 4.9.22, >= 4.8, < 4.8.21, >= 4.7, < 4.7.25, >= 4.6, < 4.6.25, >= 4.5, < 4.5.28, >= 4.4, < 4.4.29, >= 4.3, < 4.3.30, >= 4.2, < 4.2.34, >= 4.1, < 4.1.37, >= 4.0, < 4.0.37, >= 3.9, < 3.9.39, >= 3.8, < 3.8.40, < 3.7.406.1 MEDIUM

Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.

= *, >= 6.0, < 6.0.3, >= 5.9, < 5.9.5, >= 5.8, < 5.8.6, >= 5.7, < 5.7.8, >= 5.6, < 5.6.10, >= 5.5, < 5.5.11, >= 5.4, < 5.4.12, >= 5.3, < 5.3.14, >= 5.2, < 5.2.17, >= 5.1, < 5.1.15, >= 5.0, < 5.0.18, >= 4.9, < 4.9.22, >= 4.8, < 4.8.21, >= 4.7, < 4.7.25, >= 4.6, < 4.6.25, >= 4.5, < 4.5.28, >= 4.4, < 4.4.29, >= 4.3, < 4.3.30, >= 4.2, < 4.2.34, >= 4.1, < 4.1.37, >= 4.0, < 4.0.37, >= 3.9, < 3.9.39, >= 3.8, < 3.8.40, < 3.7.406.1 MEDIUM

Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7.

= 5.1

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

>= 3.1, < 3.1.2, < 3.0.66.5 MEDIUM4 MEDIUM

A flaw exists in Wordpress related to the 'wp-admin/press-this.php 'script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'publish_posts' permission.

< 5.8.37.4 HIGH6.5 MEDIUM

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

< 5.8.36.6 MEDIUM6.5 MEDIUM

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

< 5.8.38 HIGH3.5 LOW

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

= *, >= 3.7, < 3.7.37, >= 3.8, < 3.8.37, >= 3.9, < 3.9.35, >= 4.0, < 4.0.34, >= 4.1, < 4.1.34, >= 4.2, < 4.2.31, >= 4.3, < 4.3.27, >= 4.4, < 4.4.26, >= 4.5, < 4.5.25, >= 4.6, < 4.6.22, >= 4.7, < 4.7.22, >= 4.8, < 4.8.18, >= 4.9, < 4.9.19, >= 5.0, < 5.0.15, >= 5.1, < 5.1.12, >= 5.2, < 5.2.14, >= 5.3, < 5.3.11, >= 5.4, < 5.4.9, >= 5.5, < 5.5.8, >= 5.6, < 5.6.7, >= 5.7, < 5.7.5, >= 5.8, < 5.8.38 HIGH5 MEDIUM

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.

< 5.88.1 HIGH7.5 HIGH

WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

>= 5.2, < 5.8.15.3 MEDIUM4.3 MEDIUM

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can then be used to perform actions on your behalf. This has been patched in WordPress 5.8.1, along with any older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.

= 5.87.6 HIGH3.5 LOW

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. It was only present during the testing/beta phase of WordPress 5.8.

>= 5.0, < 5.87.6 HIGH3.5 LOW

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. ### Impact The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`. ### Patches This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix. ### References https://wordpress.org/news/category/releases/ https://hackerone.com/reports/1142140 ### For more information If you have any questions or comments about this advisory: * Open an issue in [HackerOne](https://hackerone.com/wordpress)

= 5.86.8 MEDIUM6 MEDIUM

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release.

>= 5.7, < 5.7.2, >= 5.6, < 5.6.4, >= 5.5, < 5.5.5, >= 5.4, < 5.4.6, >= 4.6, < 4.6.21, >= 4.7, < 4.7.21, >= 4.8, < 4.8.17, >= 4.9, < 4.9.18, >= 5.0, < 5.0.13, >= 3.7, < 3.7.36, >= 3.8, < 3.8.36, >= 3.9, < 3.9.34, >= 4.0, < 4.0.33, >= 4.1, < 4.1.33, >= 4.2, < 4.2.30, >= 4.3, < 4.3.26, >= 4.4, < 4.4.25, >= 4.5, < 4.5.24, >= 5.1, < 5.1.10, >= 5.2, < 5.2.11, >= 5.3, < 5.3.89.8 CRITICAL7.5 HIGH

PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.

>= 4.7, < 5.7.16.5 MEDIUM4 MEDIUM

Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.

>= 5.6.0, < 5.7.17.1 HIGH4 MEDIUM

Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.

< 5.5.26.1 MEDIUM4.3 MEDIUM

WordPress before 5.5.2 allows stored XSS via post slugs.

< 5.5.29.1 CRITICAL6.4 MEDIUM

is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.

< 5.5.24.3 MEDIUM4.3 MEDIUM

WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.

< 5.5.29.8 CRITICAL7.5 HIGH

WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.

< 5.5.29.8 CRITICAL7.5 HIGH

is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).

< 5.5.27.5 HIGH5 MEDIUM

WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.

< 5.5.26.1 MEDIUM4.3 MEDIUM

WordPress before 5.5.2 allows XSS associated with global variables.

< 5.5.29.8 CRITICAL7.5 HIGH

WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.

< 5.5.29.8 CRITICAL7.5 HIGH

wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.

<= 5.5.18.8 HIGH9 HIGH

The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role.

< 5.4.25.3 MEDIUM5 MEDIUM

In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public.

>= 3.7, < 3.7.34, >= 3.8, < 3.8.34, >= 3.9, < 3.9.32, >= 4.0, < 4.0.31, >= 4.1, < 4.1.31, >= 4.2, < 4.2.28, >= 4.3, < 4.3.24, >= 4.4, < 4.4.23, >= 4.5, < 4.5.22, >= 4.6, < 4.6.19, >= 4.7, < 4.7.18, >= 4.8, < 4.8.14, >= 4.9, < 4.9.15, >= 5.0, < 5.0.10, >= 5.1, < 5.1.6, >= 5.2, < 5.2.7, >= 5.3.0, < 5.3.4, >= 5.4, < 5.4.23.5 LOW6 MEDIUM

In affected versions of WordPress, misuse of the `set-screen-option` filter's return value allows arbitrary user meta fields to be saved. It does require an admin to install a plugin that would misuse the filter. Once installed, it can be leveraged by low privileged users. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

>= 3.7, < 3.7.34, >= 3.8, < 3.8.34, >= 3.9, < 3.9.32, >= 4.0, < 4.0.31, >= 4.1, < 4.1.31, >= 4.2, < 4.2.28, >= 4.3, < 4.3.24, >= 4.4, < 4.4.23, >= 4.5, < 4.5.22, >= 4.6, < 4.6.19, >= 4.7, < 4.7.18, >= 4.8, < 4.8.14, >= 4.9, < 4.9.15, >= 5.0, < 5.0.10, >= 5.1, < 5.1.6, >= 5.2, < 5.2.7, >= 5.3.0, < 5.3.4, >= 5.4, < 5.4.22.4 LOW3.5 LOW

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

>= 3.7, < 3.7.34, >= 3.8, < 3.8.34, >= 3.9, < 3.9.32, >= 4.0, < 4.0.31, >= 4.1, < 4.1.31, >= 4.2, < 4.2.28, >= 4.3, < 4.3.24, >= 4.4, < 4.4.23, >= 4.5, < 4.5.22, >= 4.6, < 4.6.19, >= 4.7, < 4.7.18, >= 4.8, < 4.8.14, >= 4.9, < 4.9.15, >= 5.0, < 5.0.10, >= 5.1, < 5.1.6, >= 5.2, < 5.2.7, >= 5.3.0, < 5.3.4, >= 5.4, < 5.4.25.7 MEDIUM4.9 MEDIUM

In affected versions of WordPress, due to an issue in wp_validate_redirect() and URL sanitization, an arbitrary external link can be crafted leading to unintended/open redirect when clicked. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

>= 3.7, < 3.7.34, >= 3.8, < 3.8.34, >= 3.9, < 3.9.32, >= 4.0, < 4.0.31, >= 4.1, < 4.1.31, >= 4.2, < 4.2.28, >= 4.3, < 4.3.24, >= 4.4, < 4.4.23, >= 4.5, < 4.5.22, >= 4.6, < 4.6.19, >= 4.7, < 4.7.18, >= 4.8, < 4.8.14, >= 4.9, < 4.9.15, >= 5.0, < 5.0.10, >= 5.1, < 5.1.6, >= 5.2, < 5.2.7, >= 5.3.0, < 5.3.4, >= 5.4, < 5.4.26.8 MEDIUM3.5 LOW

In affected versions of WordPress, authenticated users with upload permissions (like authors) are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

>= 3.7, < 3.7.34, >= 3.8, < 3.8.34, >= 3.9, < 3.9.32, >= 4.0, < 4.0.31, >= 4.1, < 4.1.31, >= 4.2, < 4.2.28, >= 4.3, < 4.3.24, >= 4.4, < 4.4.23, >= 4.5, < 4.5.22, >= 4.6, < 4.6.19, >= 4.7, < 4.7.18, >= 4.8, < 4.8.14, >= 4.9, < 4.9.15, >= 5.0, < 5.0.10, >= 5.1, < 5.1.6, >= 5.2, < 5.2.7, >= 5.3.0, < 5.3.4, >= 5.4, < 5.4.25.4 MEDIUM3.5 LOW

In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34).

= *, = 5.4, >= 5.3, < 5.3.3, >= 5.2, < 5.2.6, >= 5.1, < 5.1.5, >= 5.0, < 5.0.9, >= 4.9, < 4.9.14, >= 4.8, < 4.8.13, >= 4.7, < 4.7.17, >= 4.6, < 4.6.18, >= 4.5, < 4.5.21, >= 4.4, < 4.4.22, >= 4.3, < 4.3.23, >= 4.2, < 4.2.27, >= 4.1, < 4.1.30, >= 4.0, < 4.0.30, >= 3.9, < 3.9.31, >= 3.8, < 3.8.33, >= 3.7, < 3.7.338.7 HIGH3.5 LOW

In affected versions of WordPress, files with a specially crafted name when uploaded to the Media section can lead to script execution upon accessing the file. This requires an authenticated user with privileges to upload files. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

< 5.4.16.4 MEDIUM3.5 LOW

In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

= *, = 5.4, >= 5.3, < 5.3.3, >= 5.2, < 5.2.6, >= 5.1, < 5.1.5, >= 5.0, < 5.0.9, >= 4.9, < 4.9.14, >= 4.8, < 4.8.13, >= 4.7, < 4.7.17, >= 4.6, < 4.6.18, >= 4.5, < 4.5.21, >= 4.4, < 4.4.22, >= 4.3, < 4.3.23, >= 4.2, < 4.2.27, >= 4.1, < 4.1.30, >= 4.0, < 4.0.30, >= 3.9, < 3.9.31, >= 3.8, < 3.8.33, >= 3.7, < 3.7.335.8 MEDIUM4.3 MEDIUM

In affected versions of WordPress, a vulnerability in the stats() method of class-wp-object-cache.php can be exploited to execute cross-site scripting (XSS) attacks. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

< 5.4.15.8 MEDIUM4.3 MEDIUM

In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

= *, = 5.4, >= 5.3, < 5.3.3, >= 5.2, < 5.2.6, >= 5.1, < 5.1.5, >= 5.0, < 5.0.9, >= 4.9, < 4.9.14, >= 4.8, < 4.8.13, >= 4.7, < 4.7.17, >= 4.6, < 4.6.18, >= 4.5, < 4.5.21, >= 4.4, < 4.4.22, >= 4.3, < 4.3.23, >= 4.2, < 4.2.27, >= 4.1, < 4.1.30, >= 4.0, < 4.0.30, >= 3.9, < 3.9.31, >= 3.8, < 3.8.33, >= 3.7, < 3.7.336.1 MEDIUM5.5 MEDIUM

In affected versions of WordPress, a password reset link emailed to a user does not expire upon changing the user password. Access would be needed to the email account of the user by a malicious party for successful execution. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

>= 4.7, < 5.4.15.8 MEDIUM3.5 LOW

In affected versions of WordPress, a cross-site scripting (XSS) vulnerability in the navigation section of Customizer allows JavaScript code to be executed. Exploitation requires an authenticated user. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

< 5.3.19.8 CRITICAL7.5 HIGH

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript&colon; substring.

= *, >= 3.7, < 5.3.14.3 MEDIUM5 MEDIUM

In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in WordPress 3.7 to 5.3.0, authenticated users who do not have the rights to publish a post are able to mark posts as sticky or unsticky via the REST API. For example, the contributor role does not have such rights, but this allowed them to bypass that. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

= *, >= 3.7, < 5.3.16.1 MEDIUM4.3 MEDIUM

In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

= 3.7, > 3.7, < 5.3.15.8 MEDIUM3.5 LOW

WordPress users with lower privileges (like contributors) can inject JavaScript code in the block editor using a specific payload, which is executed within the dashboard. This can lead to XSS if an admin opens the post in the editor. Execution of this attack does require an authenticated user. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release. Automatic updates are enabled by default for minor releases and we strongly recommend that you keep them enabled.

< 5.3.15.8 MEDIUM3.5 LOW

In WordPress before 5.3.1, authenticated users with lower privileges (like contributors) can inject JavaScript code in the block editor, which is executed within the dashboard. It can lead to an admin opening the affected post in the editor leading to XSS.

< 5.2.45.4 MEDIUM3.5 LOW

WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer.

< 5.2.46.1 MEDIUM4.3 MEDIUM

WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.

< 5.2.47.5 HIGH5 MEDIUM

WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header.

< 5.2.48.8 HIGH6.8 MEDIUM

WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.

< 5.2.45.3 MEDIUM5 MEDIUM

In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.

< 5.2.49.8 CRITICAL7.5 HIGH

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.

< 5.2.49.8 CRITICAL7.5 HIGH

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.

< 5.2.36.1 MEDIUM4.3 MEDIUM

WordPress before 5.2.3 allows reflected XSS in the dashboard.

< 5.2.35.4 MEDIUM3.5 LOW

WordPress before 5.2.3 allows XSS in post previews by authenticated users.

< 5.2.36.1 MEDIUM4.3 MEDIUM

WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.

< 5.2.36.1 MEDIUM4.3 MEDIUM

WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.

< 5.2.36.1 MEDIUM5.8 MEDIUM

In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash.

< 5.2.36.1 MEDIUM4.3 MEDIUM

WordPress before 5.2.3 allows XSS in shortcode previews.

< 5.2.36.1 MEDIUM4.3 MEDIUM

WordPress before 5.2.3 allows XSS in stored comments.

= 4.7.25 MEDIUM

WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring.

< 5.1.16.8 MEDIUM

WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

< 4.9.9, = 5.06.5 MEDIUM

WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.

<= 5.0.36.5 MEDIUM4 MEDIUM

WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

>= 5.0, < 5.0.1, < 4.9.97.5 HIGH

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.

>= 5.0, < 5.0.1, < 4.9.93.5 LOW

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS.

>= 5.0, < 5.0.1, < 4.9.94 MEDIUM

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input.

>= 5.0, < 5.0.1, < 4.9.95 MEDIUM

In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default.

>= 5.0, < 5.0.1, < 4.9.94.3 MEDIUM

In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins.

>= 5.0, < 5.0.1, < 4.9.93.5 LOW

In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.

>= 5.0, < 5.0.1, < 4.9.95.5 MEDIUM

In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files.

>= 3.7, <= 5.78.8 HIGH6.8 MEDIUM

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.

<= 4.9.86.5 MEDIUM

WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution due to an incomplete fix for CVE-2017-1000600. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time.

< 4.96.5 MEDIUM

WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. This issue appears to have been partially, but not completely fixed in WordPress 4.9

= 4.9.76.5 MEDIUM

In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.

< 4.9.78.8 HIGH6.5 MEDIUM

WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.

< 4.9.54.3 MEDIUM

Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag.

< 4.9.55.8 MEDIUM

Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.

< 4.9.55.8 MEDIUM

Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS.

< 4.4.05 MEDIUM

WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.

<= 4.9.25 MEDIUM

In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.

< 4.9.24.3 MEDIUM

WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).

< 4.9.13.5 LOW

wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL.

< 4.9.13.5 LOW

wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site.

< 4.9.13.5 LOW

wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file.

<= 4.96.5 MEDIUM

wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string.

<= 4.8.27.5 HIGH

WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723.

<= 4.8.25 MEDIUM

WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.

<= 4.8.22.6 LOW

WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file.

= 4.8.24 MEDIUM

WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).

<= 4.8.14.3 MEDIUM

Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.

<= 4.8.14.9 MEDIUM

Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php.

<= 4.8.14.3 MEDIUM

Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name.

= 4.7.1, = 4.7, = 4.7.2, = 4.7.3, = 4.7.4, = 4.7.5, = 4.8, = 4.8.15 MEDIUM

Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename.

<= 4.8.17.5 HIGH

Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.

= 3.0.5, = 4.0.1, = 3.6.1, = 4.1.1, = 3.7, = 3.9.3, = 3.0.2, = 3.2.1, = 3.1.4, = 4.7.1, = 3.8.3, = 4.0, = 3.9.2, = 4.5.3, = 3.8.2, = 3.2, = 3.0.4, = 3.7.4, = 3.7.1, = 3.3.3, = 3.1.3, = 3.1.2, = 3.0.1, = 3.0, = 3.6, = 3.3.2, = 3.1, = 4.7.2, = 4.6.6, = 4.6.5, = 4.6.4, = 4.5.7, = 4.5.6, = 3.9.1, = 3.8.4, = 3.8.1, = 3.8, = 4.7, = 4.8.1, = 4.6.7, = 4.5.9, = 4.5.8, = 4.7.5, = 4.8, = 4.6.1, = 4.6, = 3.4.2, = 3.4.1, = 3.0.3, = 3.3.1, = 3.1.1, = 4.7.3, = 4.7.4, = 4.6.3, = 4.6.2, = 4.5.5, = 4.5.4, = 4.4.1, = 4.1, = 3.9, = 3.5.1, = 3.3, = 3.0.6, = 4.5, = 4.4.9, = 4.4.11, = 4.4.10, = 4.3.5, = 4.3.4, = 4.3, = 4.2.9, = 4.2.16, = 4.2.15, = 4.2, = 4.1.9, = 4.1.2, = 4.1.19, = 4.1.11, = 4.1.10, = 4.0.5, = 4.0.4, = 4.5.10, = 4.5.1, = 4.4.4, = 4.4.3, = 4.4.2, = 4.3.7, = 4.3.6, = 4.3.10, = 4.3.1, = 4.2.4, = 4.2.3, = 4.2.2, = 4.2.10, = 4.2.1, = 4.1.4, = 4.1.3, = 4.1.13, = 4.1.12, = 4.0.7, = 4.0.6, = 4.5.2, = 4.4.6, = 4.4.5, = 4.3.9, = 4.3.8, = 4.3.12, = 4.3.11, = 4.2.6, = 4.2.5, = 4.2.12, = 4.2.11, = 4.1.6, = 4.1.5, = 4.1.16, = 4.1.15, = 4.1.14, = 4.0.9, = 4.0.8, = 4.0.19, = 4.4.8, = 4.4.7, = 4.4, = 4.3.3, = 4.3.2, = 4.2.8, = 4.2.7, = 4.2.14, = 4.2.13, = 4.1.8, = 4.1.7, = 4.1.18, = 4.1.17, = 4.0.3, = 4.0.2, = 4.0.15, = 4.0.14, = 3.9.8, = 3.9.7, = 3.9.19, = 3.9.18, = 3.9.11, = 3.9.10, = 3.8.17, = 3.8.16, = 4.0.17, = 4.0.16, = 3.9.9, = 3.9.20, = 3.9.13, = 3.9.12, = 3.8.6, = 3.8.5, = 3.8.19, = 4.0.18, = 4.0.10, = 3.9.4, = 3.9.15, = 3.9.14, = 3.8.8, = 3.8.7, = 3.8.20, = 3.8.13, = 3.8.12, = 3.7.6, = 3.7.5, = 3.7.19, = 3.7.18, = 3.7.11, = 3.7.10, = 3.8.18, = 3.8.11, = 3.8.10, = 3.7.3, = 3.7.17, = 3.7.16, = 3.4, = 3.7.9, = 3.7.22, = 3.7.21, = 3.7.15, = 3.7.14, = 3.5.2, = 4.0.13, = 4.0.12, = 4.0.11, = 3.9.6, = 3.9.5, = 3.9.17, = 3.9.16, = 3.8.9, = 3.8.22, = 3.8.21, = 3.8.15, = 3.8.14, = 3.7.8, = 3.7.7, = 3.7.20, = 3.7.2, = 3.7.13, = 3.7.12, = 3.55 MEDIUM

Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components.

<= 4.8.14.3 MEDIUM

Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.

<= 4.8.14.3 MEDIUM

Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name.

<= 4.8.14.3 MEDIUM

Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL.

<= 4.7.45 MEDIUM

In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API.

<= 4.7.45 MEDIUM

In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF.

<= 4.7.44.3 MEDIUM

In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename.

<= 4.7.45 MEDIUM

In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API.

<= 4.7.44.3 MEDIUM

In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session.

<= 4.7.46.8 MEDIUM

In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials.

<= 4.7.44.3 MEDIUM

WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for this message to bounce or be resent, leading to transmission of the reset key to a mailbox on an attacker-controlled SMTP server. This is related to problematic use of the SERVER_NAME variable in wp-includes/pluggable.php in conjunction with the PHP mail function. Exploitation is not achievable in all cases because it requires at least one of the following: (1) the attacker can prevent the victim from receiving any e-mail messages for an extended period of time (such as 5 days), (2) the victim's e-mail system sends an autoresponse containing the original message, or (3) the victim manually composes a reply containing the original message.

= 4.7.1, = 4.7, = 4.7.25 MEDIUM

The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI.

<= 4.7.24.3 MEDIUM

In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This.

<= 4.7.23.5 LOW

In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.

<= 4.7.24.3 MEDIUM

In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names.

<= 4.7.25.8 MEDIUM

In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation.

<= 4.7.25.5 MEDIUM

In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality.

<= 4.7.23.5 LOW

In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function in wp-includes/js/mediaelement/wp-playlist.js.

<= 4.7.15 MEDIUM

wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms.

<= 4.7.14.3 MEDIUM

Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt.

<= 4.7.19.8 CRITICAL7.5 HIGH

SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name.

= 4.5.35.5 MEDIUM

Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool.

<= 4.5.54.3 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.

<= 4.5.54 MEDIUM

The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896.

<= 4.75 MEDIUM

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.

<= 4.76.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.

<= 4.74.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php.

<= 4.74.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) version header of a plugin.

<= 4.75 MEDIUM

wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request.

<= 4.75 MEDIUM

wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name.

<= 4.76.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload.

<= 4.66.5 MEDIUM

Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter.

<= 4.63.5 LOW

Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename.

<= 4.79.8 CRITICAL7.5 HIGH

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.

<= 4.79.8 CRITICAL7.5 HIGH

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property.

<= 4.4.26.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers to hijack the authentication of administrators for requests that change the script compression option.

<= 4.4.44.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

= *, < 4.58.6 HIGH5 MEDIUM

WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address.

<= 4.5.25 MEDIUM

WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors.

<= 4.5.25 MEDIUM

WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie.

<= 4.5.25 MEDIUM

WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors.

<= 4.5.25 MEDIUM

The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors.

<= 4.5.25 MEDIUM

WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php.

<= 4.5.24.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833.

<= 4.5.24.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834.

<= 4.5.25 MEDIUM

The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors.

<= 4.5.14.3 MEDIUM

Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn."

<= 4.5.14.3 MEDIUM

Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack.

= 4.4.15 MEDIUM

The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request forgery (SSRF) attacks via a zero value in the first octet of an IPv4 address in the u parameter to wp-admin/press-this.php.

<= 4.4.15.8 MEDIUM

Open redirect vulnerability in the wp_validate_redirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as demonstrated by an https:example.com URL.

<= 4.4.04.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php.

<= 4.2.14.3 MEDIUM

Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3440.

<= 4.3.03.5 LOW

Cross-site scripting (XSS) vulnerability in the user list table in WordPress before 4.3.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted e-mail address, a different vulnerability than CVE-2015-5714.

<= 4.3.04 MEDIUM

The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in the XMLRPC subsystem in WordPress before 4.3.1 allows remote authenticated users to bypass intended access restrictions, and arrange for a private post to be published and sticky, via unspecified vectors.

<= 4.3.04.3 MEDIUM

Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the mishandling of unclosed HTML elements during processing of shortcode tags.

<= 4.2.34.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a crafted string.

<= 4.2.34.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the refreshAdvancedAccessibilityOfItem function in wp-admin/js/nav-menu.js in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via an accessibility-helper title.

<= 4.2.34.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the form function in the WP_Nav_Menu_Widget class in wp-includes/default-widgets.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a widget title.

<= 4.2.36.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action.

<= 4.2.35 MEDIUM

The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time comparison for widgets, which allows remote attackers to conduct a timing side-channel attack by measuring the delay before inequality is calculated.

<= 4.2.37.5 HIGH

SQL injection vulnerability in the wp_untrash_post_comments function in wp-includes/post.php in WordPress before 4.2.4 allows remote attackers to execute arbitrary SQL commands via a comment that is mishandled after retrieval from the trash.

= 4.0.1, = 4.1.1, = 3.9.3, = 3.9.2, = 3.9.0, = 4.0, = 4.1, = 3.9.14.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as.

<= 4.1.14.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 4.1.2, when MySQL is used without strict mode, allow remote attackers to inject arbitrary web script or HTML via a (1) four-byte UTF-8 character or (2) invalid character that reaches the database layer, as demonstrated by a crafted character in a comment.

<= 4.2.24 MEDIUM

WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php.

<= 4.2.23.5 LOW

Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.php.

<= 4.24.3 MEDIUM

Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type.

<= 4.2.14.3 MEDIUM

Cross-site scripting (XSS) vulnerability in example.html in Genericons before 3.3.1, as used in WordPress before 4.2.2, allows remote attackers to inject arbitrary web script or HTML via a fragment identifier.

= 3.8.3, = 3.9.2, = 3.8.2, = 4.0, = 3.8, = 3.8.1, = 3.9.1, = 3.8.4, <= 3.7.4, = 3.94.3 MEDIUM

wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message.

= 3.8.3, = 3.9.2, = 3.8.2, = 4.0, = 3.8, = 3.8.1, = 3.9.1, = 3.8.4, <= 3.7.4, = 3.96.4 MEDIUM

wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery (SSRF) attacks by referring to a 127.0.0.0/8 resource.

= 3.8.3, = 3.9.2, = 3.8.2, = 4.0, = 3.8, = 3.8.1, = 3.9.1, = 3.8.4, <= 3.7.4, = 3.96.8 MEDIUM

WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash.

= 3.8.3, = 3.9.2, = 3.8.2, = 4.0, = 3.8, = 3.8.1, = 3.9.1, = 3.8.4, <= 3.7.4, = 3.94.3 MEDIUM

Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted Cascading Style Sheets (CSS) token sequence in a post.

= 3.8.3, = 3.9.2, = 3.8.2, = 4.0, = 3.8, = 3.8.1, = 3.9.1, = 3.8.4, <= 3.7.4, = 3.94.3 MEDIUM

Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

= 3.8.3, = 3.9.2, = 3.8.2, = 4.0, = 3.8, = 3.8.1, = 3.9.1, = 3.8.4, <= 3.7.4, = 3.95 MEDIUM

wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016.

= 3.9.2, = 3.7.4, = 4.0, = 3.8.46.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack the authentication of arbitrary users for requests that reset passwords.

= 3.9.2, = 4.0, = 3.9.1, = 3.94.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the media-playlists feature in WordPress before 3.9.x before 3.9.3 and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

= 3.8.3, = 3.9.2, = 3.8.2, = 3.8, = 3.8.1, = 3.9.1, = 3.8.4, <= 3.7.4, = 3.94.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the wptexturize function in WordPress before 3.7.5, 3.8.x before 3.8.5, and 3.9.x before 3.9.3 allows remote attackers to inject arbitrary web script or HTML via crafted use of shortcode brackets in a text field, as demonstrated by a comment or a post.

= 0.707.5 HIGH

PHP remote file inclusion vulnerability in wp-links/links.all.php in WordPress 0.70 allows remote attackers to execute arbitrary PHP code via a URL in the $abspath variable.

<= 0.77.5 HIGH

SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

= 3.0.5, = 3.4.0, = 3.6.1, = 3.7, = 3.5.0, = 3.0.2, = 3.2.1, = 3.1.4, = 3.0, = 3.0.6, = 3.1, = 3.1.1, = 3.6, = 3.0.1, = 3.1.3, = 3.2, = 3.3.2, = 3.8, = 3.3.1, = 3.9.0, <= 3.9.1, = 3.0.4, = 3.1.2, = 3.3.3, = 3.7.1, = 3.8.1, = 3.5.1, = 3.0.3, = 3.4.2, = 3.3, = 3.4.12.1 LOW

Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL.

= 3.0.5, = 3.4.0, = 3.6.1, = 3.7, = 3.5.0, = 3.0.2, = 3.2.1, = 3.1.4, = 3.0, = 3.0.1, = 3.3.1, = 3.3.2, = 3.3.3, = 3.0.4, = 3.0.6, = 3.2, = 3.8.1, <= 3.9.1, = 3.1.1, = 3.1.2, = 3.1.3, = 3.6, = 3.7.1, = 3.8, = 3.1, = 3.9.0, = 3.0.3, = 3.3, = 3.4.1, = 3.4.2, = 3.5.15 MEDIUM

The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265.

= 3.0.5, = 3.4.0, = 3.6.1, = 3.7, = 3.5.0, = 3.0.2, = 3.2.1, = 3.1.4, = 3.0, = 3.0.1, = 3.3.1, = 3.3.2, = 3.3.3, = 3.1, = 3.1.1, = 3.1.2, = 3.1.3, = 3.6, = 3.7.1, = 3.0.4, = 3.0.6, = 3.2, = 3.8.1, <= 3.9.1, = 3.8, = 3.9.0, = 3.3, = 3.4.1, = 3.0.3, = 3.4.2, = 3.5.15 MEDIUM

The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

<= 3.9.1, = 3.9.06.8 MEDIUM

wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.

<= 3.9.1, = 3.9.06.8 MEDIUM

wp-includes/pluggable.php in WordPress before 3.9.2 does not use delimiters during concatenation of action values and uid values in CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack.

= 3.9.0, = 3.9.17.5 HIGH

wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to execute arbitrary code via crafted serialized data.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in videoplayer/autoplay.php in the HTML5 Video Player with Playlist plugin 2.4.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) theme or (2) playlistmod parameter.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in yupdates_application.php in the Yahoo! Updates for WordPress plugin 1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) secret, (2) key, or (3) appid parameter.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in contact/edit.php in the WP Ultimate Email Marketer plugin 1.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) listname or (2) contact parameter.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in fpg_preview.php in the Flash Photo Gallery plugin 0.7 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the path parameter.

all versions5 MEDIUM

Directory traversal vulnerability in the Google Doc Embedder plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to libs/pdf.php.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Search Everything plugin before 8.1.1 for WordPress allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

all versions5 MEDIUM

The TinyMCE Color Picker plugin before 1.2 for WordPress does not properly check permissions, which allows remote attackers to modify plugin settings via unspecified vectors. NOTE: some of these details are obtained from third party information.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the TinyMCE Color Picker plugin before 1.2 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that change plugin settings via unknown vectors. NOTE: some of these details are obtained from third party information.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Contact Bank plugin before 2.0.20 for WordPress allows remote attackers to inject arbitrary web script or HTML via the Label field, related to form layout configuration. NOTE: some of these details are obtained from third party information.

all versions6.5 MEDIUM

SQL injection vulnerability in dopbs-backend-forms.php in the Booking System (Booking Calendar) plugin before 1.3 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the booking_form_id parameter to wp-admin/admin-ajax.php.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Stream Video Player plugin 1.4.0 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors.

= 3.0.5, = 2.8.5.2, = 1.2.3, = 3.4.0, = 2.0.11, = 1.3.3, = 3.6.1, = 2.8.6, = 2.0, = 2.8.4, = 3.1.4, = 3.0.2, = 2.2, = 2.0.6, = 1.6.2, = 1.1.1, = 2.1.1, = 2.0.4, = 2.0.2, = 1.2.4, = 2.1, = 3.7, = 3.5.0, = 3.2.1, = 2.2.3, = 2.0.1, = 1.2.1, = 3.6, = 3.1, <= 3.7.1, = 3.1.3, = 2.8, = 2.7.1, = 2.5.1, = 2.2.1, = 2.0.5, = 1.5.2, = 1.3.2, = 1.0.2, = 3.3.3, = 3.0.1, = 3.0, = 2.7, = 2.6.5, = 2.3.3, = 2.1.3, = 2.1.2, = 1.2.5, = 1.0.1, = 2.8.3, = 2.6.3, = 2.6.2, = 2.3.1, = 2.0.9, = 1.5.1.1, = 0.71, = 3.2, = 3.0.4, = 2.9, = 2.8.1, = 2.2.2, = 2.0.7, = 3.5.1, = 3.3.1, = 3.3, = 3.0.6, = 2.9.2, = 2.9.1.1, = 3.8, = 3.4.1, = 3.0.3, = 2.5, = 1.3, = 3.8.1, = 3.3.2, = 3.1.2, = 3.1.1, = 2.8.5.1, = 2.8.5, = 2.3.2, = 1.5.1.3, = 1.5.1.2, = 1.0, = 2.3, = 2.0.10, = 1.5.1, = 1.2.2, = 3.4.2, = 2.9.1, = 2.8.2, = 2.6.1, = 2.6, = 2.0.8, = 1.5, = 1.26.4 MEDIUM

The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie.

= 3.0.5, = 2.8.5.2, = 1.2.3, = 3.4.0, = 2.0.11, = 1.3.3, = 3.6.1, = 2.8.6, = 2.0, = 3.7, = 3.1.4, = 3.0.2, = 2.1.1, = 2.0.2, = 1.2.4, = 2.0.6, = 1.6.2, = 1.2.1, = 1.1.1, = 2.2, = 2.0.4, = 3.5.0, = 3.2.1, = 2.8.4, = 2.2.3, = 2.1, = 2.0.1, <= 3.7.1, = 3.2, = 3.0.4, = 2.9, = 3.3.3, = 3.1.3, = 3.0.1, = 3.6, = 3.1, = 3.0, = 2.6.5, = 2.6.3, = 2.3.1, = 2.1.2, = 1.5.1.1, = 0.71, = 2.8.1, = 2.5.1, = 2.2.2, = 2.2.1, = 2.0.7, = 1.3.2, = 2.8, = 2.7.1, = 2.7, = 2.3.3, = 2.1.3, = 2.0.5, = 1.5.2, = 1.2.5, = 1.0.2, = 1.0.1, = 2.8.3, = 2.6.2, = 2.0.9, = 3.4.2, = 3.4.1, = 3.0.3, = 3.8, = 3.8.1, = 2.8.5.1, = 3.3.2, = 3.3.1, = 3.1.2, = 3.1.1, = 2.9.2, = 2.8.5, = 2.3.2, = 1.5.1.2, = 1.0, = 2.8.2, = 2.6, = 2.0.8, = 1.2, = 2.5, = 1.5.1.3, = 1.3, = 3.5.1, = 3.3, = 3.0.6, = 2.9.1.1, = 2.9.1, = 2.6.1, = 2.3, = 2.0.10, = 1.5.1, = 1.5, = 1.2.24 MEDIUM

WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php.

all versions5 MEDIUM

Directory traversal vulnerability in the zing_forum_output function in forum.php in the Zingiri Forum (aka Forums) plugin before 1.4.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the url parameter to index.php.

all versions7.5 HIGH

Multiple SQL injection vulnerabilities in wpf.class.php in the Mingle Forum plugin before 1.0.34 for WordPress allow remote attackers to execute arbitrary SQL commands via the id parameter in a viewtopic (1) remove_post, (2) sticky, or (3) closed action or (4) thread parameter in a postreply action to index.php.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Mingle Forum plugin before 1.0.34 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) search_words parameter in a search action to wpf.class.php or (2) togroupusers parameter in an add_user_togroup action to fs-admin/fs-admin.php.

all versions5 MEDIUM

Rock Lobster Contact Form 7 before 3.7.2 allows remote attackers to bypass the CAPTCHA protection mechanism and submit arbitrary form data by omitting the _wpcf7_captcha_challenge_captcha-719 parameter.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Thank You Counter Button plugin 1.8.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) thanks_caption, (2) thanks_caption_style, or (3) thanks_style parameter to wp-admin/options.php.

all versions7.5 HIGH

SQL injection vulnerability in se_search_default in the Search Everything plugin before 7.0.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the s parameter to index.php. NOTE: some of these details are obtained from third party information.

all versions6.4 MEDIUM

Multiple directory traversal vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the s parameter to ls/rtmp_login.php or (2) delete arbitrary files via a .. (dot dot) in the s parameter to ls/rtmp_logout.php.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the CommentLuv plugin before 2.92.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the _ajax_nonce parameter to wp-admin/admin-ajax.php.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the security log in the BulletProof Security plugin before .49 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified HTML header fields to (1) 400.php, (2) 403.php, or (3) 403.php.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the BuddyPress plugin before 1.9.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the name field to groups/create/step/group-details. NOTE: this can be exploited without authentication by leveraging CVE-2014-1889.

= 2.8.5.2, = 2.0.11, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 2.0.2, = 2.1, = 2.0.6, = 2.0.4, = 2.0.5, = 2.3.3, = 2.8.4, = 2.8, = 2.1.2, = 2.1.3, = 2.2, = 2.6.3, = 2.6.5, = 2.7.1, = 3.0, = 2.0.1, = 2.0.7, = 2.0.9, = 2.2.2, = 2.8.3, = 2.3.1, = 2.3.2, = 2.5, = 2.8.5, = 2.8.5.1, = 2.0.10, = 2.0.8, = 2.2.1, = 2.6, = 2.6.2, = 2.8.2, = 2.9.1, = 2.7, = 2.9.2, <= 3.0.1, = 2.3, = 2.5.1, = 2.6.1, = 2.8.1, = 2.9, = 2.9.1.15.8 MEDIUM

wp-includes/comment.php in WordPress before 3.0.2 does not properly whitelist trackbacks and pingbacks in the blogroll, which allows remote attackers to bypass intended spam restrictions via a crafted URL, as demonstrated by a URL that triggers a substring match.

= 3.0.5, = 3.0.2, = 3.2.1, = 3.1.4, = 3.0, = 3.2, = 3.0.1, = 3.1.3, = 3.0.4, = 3.1.2, <= 3.3.2, = 3.0.3, = 3.3, = 3.1.1, = 3.0.6, = 3.3.1, = 3.14.3 MEDIUM

Cross-site scripting (XSS) vulnerability in wp-includes/default-filters.php in WordPress before 3.3.3 allows remote attackers to inject arbitrary web script or HTML via an editable slug field.

<= 3.0.5, = 3.0.2, = 3.0, = 3.0.1, = 3.0.4, = 3.0.34 MEDIUM

wp-admin/press-this.php in WordPress before 3.0.6 does not enforce the publish_posts capability requirement, which allows remote authenticated users to perform publish actions by leveraging the Contributor role.

= 2.8.5.2, = 2.0.11, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 2.0.2, = 2.1, = 2.0.6, = 2.0.7, = 2.0.9, = 2.6.3, = 2.0.5, = 2.1.2, = 2.2, = 2.3.3, = 2.6.5, = 2.7.1, = 2.0.1, = 2.2.2, = 2.8.1, = 2.8.3, = 2.8.4, = 2.0.4, = 2.1.3, = 2.8, = 2.0.8, = 2.5.1, = 2.6, = 2.6.1, = 2.6.2, = 2.9, = 2.9.1, = 2.9.1.1, = 2.3.1, = 2.8.5, = 2.9.2, = 2.0.10, = 2.2.1, = 2.3, = 2.8.2, = 2.3.2, = 2.5, = 2.7, = 2.8.5.1, <= 3.02.1 LOW

WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add action after a temporary change.

= 3.0.5, = 3.0.2, = 3.2.1, = 3.1.4, = 3.0, = 3.2, = 3.0.1, = 3.1.3, = 3.0.4, = 3.0.6, = 3.0.3, = 3.3.1, = 3.1.2, = 3.1, <= 3.3.2, = 3.3, = 3.1.16.4 MEDIUM

wp-admin/media-upload.php in WordPress before 3.3.3 allows remote attackers to obtain sensitive information or bypass intended media-attachment restrictions via a post_id value.

= 2.8.5.2, = 2.0.11, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 2.0.2, = 2.1, = 2.0.6, = 2.0.7, = 2.0.9, = 2.0.4, = 2.1.3, = 2.6.3, = 2.8.4, = 2.0.1, = 2.2, = 2.2.2, = 2.8, = 2.8.3, = 2.0.5, = 2.1.2, = 2.3.3, = 2.6.5, = 2.7.1, = 3.0, = 2.0.8, = 2.5, = 2.5.1, = 2.6, = 2.6.1, = 2.6.2, = 2.9, = 2.9.1, = 2.3, = 2.3.2, = 2.7, = 2.8.5.1, = 2.9.1.1, <= 3.0.1, = 2.2.1, = 2.8.1, = 2.8.2, = 2.0.10, = 2.3.1, = 2.8.5, = 2.9.24.9 MEDIUM

wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action.

= 2.8.5.2, = 2.0.11, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 2.0.2, = 2.1, = 2.0.6, = 2.0.4, = 2.0.5, = 2.0.7, = 2.3.3, = 2.1.2, = 2.6.5, = 2.8.4, = 2.1.3, = 2.2, = 2.2.2, = 2.7.1, = 2.8, = 3.0, = 2.0.1, = 2.0.9, = 2.6.3, = 2.8.3, = 2.0.8, = 2.5, = 2.5.1, = 2.6, = 2.8.5.1, = 2.9, = 2.0.10, = 2.3.1, = 2.6.2, = 2.8.5, = 2.9.1, = 2.9.2, = 2.2.1, = 2.8.1, = 2.8.2, = 2.3, = 2.3.2, = 2.6.1, = 2.7, = 2.9.1.1, <= 3.0.14.3 MEDIUM

Cross-site scripting (XSS) vulnerability in wp-admin/plugins.php in WordPress before 3.0.2 might allow remote attackers to inject arbitrary web script or HTML via a plugin's author field, which is not properly handled during a Delete Plugin action.

= 3.0.5, = 3.0.2, = 3.2.1, = 3.1.4, = 3.0, = 3.2, = 3.0.1, = 3.1.3, = 3.0.4, = 3.3.1, = 3.3, = 3.1.1, = 3.1, = 3.0.6, <= 3.3.2, = 3.0.3, = 3.1.24 MEDIUM

wp-admin/includes/class-wp-posts-list-table.php in WordPress before 3.3.3 does not properly restrict excerpt-view access, which allows remote authenticated users to obtain sensitive information by visiting a draft.

= 2.8.5.2, = 2.0.11, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 2.0.2, = 2.1, = 2.0.6, = 2.0.4, = 2.0.5, = 2.0.7, = 2.3.3, = 2.0.1, = 2.0.9, = 2.2.2, = 2.6.3, = 2.8.3, = 2.8.4, = 2.1.2, = 2.1.3, = 2.2, = 2.6.5, = 2.7.1, = 2.8, = 3.0, = 2.3.2, = 2.5, = 2.5.1, = 2.8.5, = 2.8.5.1, = 2.3, = 2.6.1, = 2.9, = 2.9.1.1, = 2.2.1, = 2.7, = 2.8.1, <= 3.0.1, = 2.0.10, = 2.0.8, = 2.3.1, = 2.6, = 2.6.2, = 2.8.2, = 2.9.1, = 2.9.24.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the request_filesystem_credentials function in wp-admin/includes/file.php in WordPress before 3.0.2 allow remote servers to inject arbitrary web script or HTML by providing a crafted error message for a (1) FTP or (2) SSH connection attempt.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Foliopress WYSIWYG plugin before 2.6.8.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in inc/raf_form.php in the Recommend to a friend plugin 2.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the current_url parameter.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in views/video-management/preview_video.php in the S3 Video plugin before 0.983 for WordPress allows remote attackers to inject arbitrary web script or HTML via the base parameter.

all versions5 MEDIUM

Directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the dew_file parameter.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Ad-minister plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the key parameter in a delete action to wp-admin/tools.php.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in askapache-firefox-adsense.php in the AskApache Firefox Adsense plugin 3.0 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the aafireadcode parameter to wp-admin/options-general.php.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the WP-Cron Dashboard plugin 1.1.5 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the procname parameter to wp-admin/tools.php.

= 2.0, = 2.0.2, = 2.0.6, = 2.0.1, = 2.0.4, = 2.0.7, = 2.0.5, = 2.0.9, = 2.0.10, <= 2.0.11, = 2.0.86.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earlier allows remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list.

all versions6.8 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in the Mingle Forum plugin 1.0.34 and possibly earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) modify user privileges or (2) conduct cross-site scripting (XSS) attacks via unspecified vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Comment Attachment plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "Attachment field title."

all versions6.8 MEDIUM

Unrestricted file upload vulnerability in multi.php in Simple Dropbox Upload plugin before 1.8.8.1 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in wp-content/uploads/wpdb/.

all versions6.8 MEDIUM

Unrestricted file upload vulnerability in lazyseo.php in the Lazy SEO plugin 1.1.9 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a PHP file, then accessing it via a direct request to the file in lazy-seo/.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the BackWPup plugin before 3.0.13 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab parameter to wp-admin/admin.php.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in platinum_seo_pack.php in the Platinum SEO plugin before 1.3.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.

all versions7.5 HIGH

SQL injection vulnerability in wp-comments-post.php in the NOSpam PTI plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the comment_post_ID parameter.

<= 3.67.5 HIGH

WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string.

<= 3.63.5 LOW

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter.

<= 3.63.5 LOW

The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php.

<= 3.64.3 MEDIUM

The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file.

<= 3.67.5 HIGH

wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations.

all versions7.5 HIGH

SQL injection vulnerability in testimonial.php in the IndiaNIC Testimonial plugin 2.2 for WordPress allows remote attackers to execute arbitrary SQL commands via the custom_query parameter in a testimonial_add action to wp-admin/admin-ajax.php.

all versions6.8 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in the IndiaNIC Testimonial plugin 2.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add a testimonial via an iNIC_testimonial_save action; (2) add a listing template via an iNIC_testimonial_save_listing_template action; (3) add a widget template via an iNIC_testimonial_save_widget action; insert cross-site scripting (XSS) sequences via the (4) project_name, (5) project_url, (6) client_name, (7) client_city, (8) client_state, (9) description, (10) tags, (11) video_url, or (12) is_featured, (13) title, (14) widget_title, (15) no_of_testimonials, (16) filter_by_country, (17) filter_by_tags, or (18) widget_template parameter to wp-admin/admin-ajax.php.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in ls/htmlchat.php in the VideoWhisper Live Streaming Integration plugin 4.25.3 and possibly earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) message parameter. NOTE: some of these details are obtained from third party information.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the ShareThis plugin before 7.0.6 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify this plugin's settings.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in admin/admin.php in the Download Monitor plugin before 3.3.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the sort parameter, a different vulnerability than CVE-2013-3262.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in files/installer.cleanup.php in the Duplicator plugin before 0.4.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the package parameter.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in admin/admin.php in the Download Monitor plugin before 3.3.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the p parameter.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in admin/setting.php in the Xhanch - My Twitter plugin before 2.7.7 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change unspecified settings.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Shareaholic SexyBookmarks plugin 6.1.4.0 for WordPress allows remote attackers to hijack the authentication of users for requests that "manipulate plugin settings."

all versions2.6 LOW

Multiple cross-site scripting (XSS) vulnerabilities in wp-login.php in the Genetech Solutions Pie-Register plugin before 1.31 for WordPress, when "Allow New Registrations to set their own Password" is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) pass1 or (2) pass2 parameter in a register action. NOTE: some of these details are obtained from third party information.

all versions2.6 LOW

Cross-site scripting (XSS) vulnerability in the BuddyPress Extended Friendship Request plugin before 1.0.2 for WordPress, when the "Friend Connections" component is enabled, allows remote attackers to inject arbitrary web script or HTML via the friendship_request_message parameter to wp-admin/admin-ajax.php. NOTE: some of these details are obtained from third party information.

= 3.0.5, = 3.0.2, = 3.2.1, = 3.1.4, = 3.0, = 3.2, = 3.0.1, = 3.1.2, = 3.1.3, = 3.0.3, = 3.0.4, = 3.0.6, = 3.3, all versions, = 3.1, = 3.1.1, <= 3.3.14.3 MEDIUM

Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function.

all versions6.8 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in the Sharebar plugin 1.2.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) modify buttons, or (3) insert cross-site scripting (XSS) sequences.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in includes/CatGridPost.php in the Category Grid View Gallery plugin 2.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ID parameter.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Dropdown Menu Widget plugin 1.9.1 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that insert cross-site scripting (XSS) sequences.

= 2.8.5.2, = 1.2.3, = 3.4.0, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 2.0.6, = 2.0.7, = 2.1, = 2.1.2, = 1.2.4, = 1.1.1, = 2.1.3, = 2.0.1, = 1.2.1, = 3.5.0, = 2.0.4, = 1.6.2, = 3.3.3, = 2.8, = 2.2, = 2.8.4, = 2.0.2, = 1.3.2, = 3.3, = 2.2.1, = 2.3.3, = 2.6.3, = 1.5.1.1, = 1.2.5, = 2.6.2, = 2.2.2, = 2.6.5, = 2.5, = 2.8.3, = 2.7.1, = 1.2.2, = 1.0.2, <= 3.5.1, = 3.3.1, = 3.3.2, = 2.0.9, = 2.6.1, = 2.3.1, = 2.0.10, = 2.9.2, = 2.9, = 2.8.1, = 1.5.1.2, = 1.2, = 1.0.1, = 0.71, = 2.5.1, = 2.0.5, = 2.7, = 2.9.1, = 2.8.5.1, = 1.5.2, = 1.0, = 3.4.2, = 3.4.1, = 2.8.2, = 2.3.2, = 1.5, = 1.5.1, = 2.0.8, = 2.9.1.1, = 1.3, = 2.3, = 2.6, = 2.8.5, = 1.5.1.34.3 MEDIUM

WordPress before 3.5.2 allows remote attackers to read arbitrary files via an oEmbed XML provider response containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

= 2.8.5.2, = 1.2.3, = 3.4.0, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 3.3.3, = 2.8, = 2.0.2, = 2.0.4, = 2.1.3, = 2.0.7, = 2.1, = 1.2.1, = 1.2.4, = 2.2, = 2.0.6, = 3.5.0, = 1.6.2, = 1.3.2, = 2.8.4, = 2.0.1, = 2.1.2, = 1.1.1, = 3.3.2, = 2.6.1, = 2.9.2, = 2.7, = 2.8.5.1, = 2.6.2, = 2.2.1, = 2.3.3, = 2.2.2, = 2.6.5, = 2.5, = 2.8.3, <= 3.5.1, = 2.5.1, = 2.0.9, = 2.3.1, = 2.0.5, = 2.9, = 2.9.1, = 2.8.1, = 1.5.2, = 1.0.1, = 1.2.5, = 0.71, = 1.2, = 1.0, = 3.3, = 3.3.1, = 2.6.3, = 2.0.10, = 2.7.1, = 1.5.1.1, = 1.5.1.2, = 1.2.2, = 1.0.2, = 2.0.8, = 2.6, = 2.9.1.1, = 3.4.1, = 2.3.2, = 2.8.2, = 1.5.1, = 3.4.2, = 1.5, = 1.5.1.3, = 1.3, = 2.3, = 2.8.54.3 MEDIUM

The HTTP API in WordPress before 3.5.2 allows remote attackers to send HTTP requests to intranet servers via unspecified vectors, related to a Server-Side Request Forgery (SSRF) issue, a similar vulnerability to CVE-2013-0235.

= 2.8.5.2, = 1.2.3, = 3.4.0, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 2.2, = 2.0.4, = 1.6.2, = 1.3.2, = 3.3.3, = 2.8, = 2.8.4, = 2.0.2, = 2.1.3, = 2.0.1, = 2.1, = 2.1.2, = 1.2.4, = 1.1.1, = 2.0.6, = 2.0.7, = 1.2.1, = 3.5.0, = 3.3.2, = 2.5.1, = 2.0.9, = 2.3.1, = 2.0.5, = 2.9, = 2.9.1, = 2.8.5.1, = 2.8.1, = 1.5.2, = 1.0.1, = 0.71, = 3.3.1, = 2.6.1, = 2.0.10, = 2.9.2, = 2.7, = 1.5.1.2, = 1.2, = 1.0, = 3.3, = 2.6.3, = 2.8.3, = 2.7.1, = 1.5.1.1, = 1.2.2, = 1.0.2, = 2.6.2, = 2.2.1, = 2.3.3, = 2.2.2, = 2.6.5, = 2.5, = 1.2.5, <= 3.5.1, = 2.6, = 2.3, = 2.0.8, = 2.8.5, = 2.9.1.1, = 1.5.1.3, = 1.3, = 2.3.2, = 2.8.2, = 3.4.2, = 3.4.1, = 1.5, = 1.5.14 MEDIUM

WordPress before 3.5.2 does not properly check the capabilities of roles, which allows remote authenticated users to bypass intended restrictions on publishing and authorship reassignment via unspecified vectors.

= 2.8.5.2, = 1.2.3, = 3.4.0, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 3.3.3, = 2.8.4, = 2.1, = 2.1.2, = 1.2.4, = 1.1.1, = 2.0.4, = 2.0.6, = 1.6.2, = 2.1.3, = 2.8, = 2.0.1, = 2.0.2, = 1.2.1, = 2.2, = 2.0.7, = 1.3.2, = 3.5.0, = 3.3, = 3.3.1, = 2.6.3, = 2.6.1, = 2.9.2, = 2.7, = 1.5.1.1, = 1.5.1.2, = 3.3.2, = 2.0.9, = 2.2.1, = 2.3.1, = 2.2.2, = 2.9, = 2.6.5, = 2.8.1, = 1.0.1, = 1.2.5, = 0.71, <= 3.5.1, = 2.0.10, = 2.8.3, = 2.7.1, = 1.2.2, = 1.0.2, = 1.2, = 1.0, = 2.5.1, = 2.6.2, = 2.3.3, = 2.0.5, = 2.9.1, = 2.5, = 2.8.5.1, = 1.5.2, = 2.8.2, = 1.5.1.3, = 1.3, = 3.4.1, = 1.5, = 2.3, = 2.0.8, = 2.3.2, = 2.8.5, = 2.9.1.1, = 3.4.2, = 2.6, = 1.5.14.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) uploads of media files, (2) editing of media files, (3) installation of plugins, (4) updates to plugins, (5) installation of themes, or (6) updates to themes.

= 2.8.5.2, = 1.2.3, = 3.4.0, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 2.1.3, = 2.0.1, = 2.2, = 2.0.4, = 1.6.2, = 1.3.2, = 3.3.3, = 2.8, = 2.8.4, = 2.0.2, = 2.1, = 2.1.2, = 1.2.4, = 1.1.1, = 2.0.6, = 2.0.7, = 1.2.1, = 3.5.0, = 3.3, = 2.6.3, = 3.3.2, = 2.5.1, = 2.0.9, = 2.3.1, = 2.0.5, = 2.9, = 2.9.1, = 2.8.5.1, = 2.8.1, = 1.5.2, = 1.0.1, = 0.71, = 3.3.1, = 2.6.1, = 2.0.10, = 2.9.2, = 2.7, = 1.5.1.2, = 1.2, = 1.0, = 2.8.3, = 2.7.1, = 1.5.1.1, = 1.2.2, = 1.0.2, = 2.6.2, = 2.2.1, = 2.3.3, = 2.2.2, = 2.6.5, = 2.5, = 1.2.5, <= 3.5.1, = 2.3.2, = 2.6, = 2.3, = 2.0.8, = 2.8.5, = 2.9.1.1, = 1.5.1.3, = 1.3, = 2.8.2, = 3.4.2, = 3.4.1, = 1.5, = 1.5.14.3 MEDIUM

The default configuration of SWFUpload in WordPress before 3.5.2 has an unrestrictive security.allowDomain setting, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted web site.

= 2.8.5.2, = 1.2.3, = 3.4.0, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 3.3.3, = 2.8.4, = 2.0.1, = 2.0.2, = 1.1.1, = 2.1.3, = 2.2, = 2.0.6, = 2.0.7, = 3.5.0, = 2.1, = 1.2.1, = 1.2.4, = 2.8, = 2.0.4, = 1.6.2, = 1.3.2, = 3.3.1, = 2.6.3, = 2.0.10, = 2.1.2, = 2.9.2, = 2.7.1, = 1.5.1.2, = 1.0.2, = 1.2, = 2.6.2, = 2.2.1, = 2.3.1, = 2.9.1, = 2.6.5, = 2.8.1, = 1.2.5, = 0.71, <= 3.5.1, = 2.3.3, = 2.2.2, = 2.5, = 2.8.3, = 1.5.1.1, = 1.2.2, = 3.3.2, = 2.5.1, = 2.0.9, = 2.6.1, = 2.0.5, = 2.7, = 2.9, = 2.8.5.1, = 1.5.2, = 1.0, = 1.0.1, = 3.3, = 2.3, = 2.0.8, = 2.8.5, = 1.5.1.3, = 3.4.1, = 3.4.2, = 1.5, = 1.5.1, = 2.3.2, = 2.8.2, = 2.6, = 2.9.1.1, = 1.34.3 MEDIUM

moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) character during extraction of the QUERY_STRING, which allows remote attackers to pass arbitrary parameters to a Flash application, and conduct content-spoofing attacks, via a crafted string after a ? (question mark) character.

= 2.8.5.2, = 1.2.3, = 3.4.0, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 2.1.3, = 1.2.1, = 3.5.0, = 3.3.3, = 2.8, = 2.8.4, = 2.0.1, = 2.0.2, = 2.1.2, = 1.3.2, = 2.2, = 2.0.6, = 2.0.7, = 2.1, = 1.2.4, = 2.0.4, = 1.6.2, = 1.1.1, = 2.5.1, = 2.6.2, = 2.3.1, = 2.2.2, = 2.9, = 2.9.1, = 2.6.5, = 2.5, = 2.8.3, = 1.5.2, = 0.71, <= 3.5.1, = 3.3, = 2.7, = 2.8.5.1, = 1.5.1.1, = 1.0.2, = 1.0, = 2.0.9, = 2.2.1, = 2.3.3, = 2.0.5, = 2.8.1, = 1.0.1, = 1.2.5, = 3.3.1, = 3.3.2, = 2.6.3, = 2.6.1, = 2.0.10, = 2.9.2, = 2.7.1, = 1.5.1.2, = 1.2.2, = 1.2, = 2.3.2, = 1.5, = 1.5.1, = 2.3, = 2.6, = 2.8.5, = 1.5.1.3, = 3.4.2, = 3.4.1, = 2.8.2, = 2.0.8, = 2.9.1.1, = 1.34.3 MEDIUM

WordPress before 3.5.2, when the uploads directory forbids write access, allows remote attackers to obtain sensitive information via an invalid upload request, which reveals the absolute path in an XMLHttpRequest error message.

= 2.8.5.2, <= 3.5.0, = 1.2.3, = 3.4.0, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2, = 2.0.6, = 2.0.7, = 2.1, = 1.2.4, = 2.2.3, = 2.0.4, = 2.1.3, = 1.2.1, = 1.6.2, = 1.1.1, = 3.3.3, = 2.8, = 2.8.4, = 2.0.1, = 2.0.2, = 2.1.2, = 1.3.2, = 2.2.1, = 2.3.3, = 2.0.5, = 2.8.1, = 1.2.5, = 3.3.1, = 3.3.2, = 2.0.9, = 2.6.3, = 2.6.1, = 2.0.10, = 2.9.2, = 2.9, = 2.7.1, = 1.5.1.2, = 2.5.1, = 2.6.2, = 2.3.1, = 2.2.2, = 2.9.1, = 2.6.5, = 2.5, = 2.8.3, = 1.5.2, = 1.5, = 1.2.2, = 0.71, = 1.2, = 1.0.1, = 3.3, = 2.7, = 2.8.5.1, = 1.5.1.1, = 1.0.2, = 1.0, = 3.4.2, = 3.4.1, = 2.8.2, = 2.0.8, = 2.9.1.1, = 2.3.2, = 1.5.1, = 1.3, = 2.3, = 2.6, = 2.8.5, = 1.5.1.34.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) gallery shortcodes or (2) the content of a post.

= 2.8.5.2, <= 3.5.0, = 1.2.3, = 3.4.0, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.1.3, = 2.2.3, = 2.0.1, = 1.2.1, = 2.0.4, = 2.0.6, = 1.6.2, = 2.8.4, = 2.0.7, = 2.1, = 2.1.2, = 1.2.4, = 1.1.1, = 3.3.3, = 2.8, = 2.2, = 2.0.2, = 1.3.2, = 2.6.2, = 2.2.2, = 2.0.10, = 2.6.5, = 2.5, = 2.8.3, = 2.7.1, = 1.2.2, = 1.0.2, = 3.3.2, = 2.0.9, = 2.6.1, = 2.3.1, = 2.9.2, = 2.9, = 2.8.1, = 1.5, = 1.2, = 1.0.1, = 0.71, = 3.3, = 3.3.1, = 2.2.1, = 2.3.3, = 2.6.3, = 1.5.1.1, = 1.5.1.2, = 1.2.5, = 2.5.1, = 2.0.5, = 2.7, = 2.9.1, = 2.8.5.1, = 1.5.2, = 1.0, = 2.3, = 2.3.2, = 2.8.5, = 1.5.1, = 2.0.8, = 2.9.1.1, = 1.3, = 3.4.1, = 2.8.2, = 3.4.2, = 2.6, = 1.5.1.36.4 MEDIUM

The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue.

= 2.8.5.2, <= 3.5.0, = 1.2.3, = 3.4.0, = 2.0.11, = 1.3.3, = 2.8.6, = 3.3.3, = 2.0, = 1.6.2, = 1.3.2, = 2.8, = 2.2, = 2.0.2, = 2.0.4, = 2.0.6, = 2.2.3, = 2.1.1, = 1.1.1, = 2.1.3, = 2.8.4, = 2.0.1, = 2.1, = 1.2.1, = 1.2.4, = 3.3.2, = 2.5.1, = 2.6.2, = 2.6.1, = 2.3.1, = 2.7, = 2.9, = 2.6.5, = 1.5.2, = 0.71, = 2.0.9, = 2.2.1, = 2.0.5, = 2.0.7, = 2.8.5.1, = 2.8.1, = 1.0.1, = 1.2.5, = 3.3.1, = 2.3.3, = 2.6.3, = 2.9.2, = 2.5, = 2.7.1, = 1.5.1.2, = 1.2, = 2.2.2, = 2.1.2, = 2.8.3, = 1.5.1.1, = 1.0.2, = 2.6, = 2.9.1, = 1.5, = 1.5.1, = 1.3, = 3.4.2, = 2.9.1.1, = 1.0, = 2.0.8, = 2.3.2, = 2.0.10, = 2.8.2, = 1.2.2, = 3.4.1, = 3.3, = 2.3, = 2.8.5, = 1.5.1.34.3 MEDIUM

Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode plupload before 1.5.5, as used in WordPress before 3.5.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the id parameter.

= 3.5.14.3 MEDIUM

wp-includes/class-phpass.php in WordPress 3.5.1, when a password-protected post exists, allows remote attackers to cause a denial of service (CPU consumption) via a crafted value of a certain wp-postpass cookie.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in the GRAND FlAGallery plugin before 2.72 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter in a flag-manage-gallery action.

all versions3.5 LOW

Cross-site scripting (XSS) vulnerability in widget_remove.php in the Feedweb plugin before 1.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wp_post_id parameter.

all versions7.5 HIGH

SQL injection vulnerability in settings.php in the Web Dorado Spider Video Player plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the theme parameter.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in user/obits.php in the WP FuneralPress plugin before 1.1.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) message, (2) photo-message, or (3) youtube-message parameter.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter.

all versions7.5 HIGH

SQL injection vulnerability in playlist.php in the Spiffy XSPF Player plugin 0.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the playlist_id parameter.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in the WP Photo Album Plus plugin before 5.0.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the commentid parameter in a wppa_manage_comments edit action.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Login With Ajax plugin before 3.1 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that modify this plugin's settings.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Facebook Members plugin before 5.0.5 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify this plugin's settings.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Easy AdSense Lite plugin before 6.10 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that modify this plugin's settings.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the FourSquare Checkins plugin before 1.3 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

all versions5 MEDIUM

Social Media Widget (social-media-widget) plugin 4.0 for WordPress contains an externally introduced modification (Trojan Horse), which allows remote attackers to force the upload of arbitrary files.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the All in One Webmaster plugin before 8.2.4 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the WP-DownloadManager plugin before 1.61 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

all versions7.5 HIGH

importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress does not require that authentication be enabled, which allows remote attackers to obtain sensitive information, or overwrite or delete files, via vectors involving a (1) direct request, (2) step=1 request, (3) step=2 or step=3 request, or (4) step=7 request.

all versions7.5 HIGH

importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress allows remote attackers to bypass authentication via a crafted integer in the step parameter.

all versions7.5 HIGH

importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress does not reliably delete itself after completing a restore operation, which makes it easier for remote attackers to obtain access via subsequent requests to this script.

all versions5 MEDIUM

importbuddy.php in the BackupBuddy plugin 2.2.25 for WordPress allows remote attackers to obtain configuration information via a step 0 phpinfo action, which calls the phpinfo function.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Terillion Reviews plugin before 1.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ProfileId field.

all versions5 MEDIUM

ajax.functions.php in the MailUp plugin before 1.3.2 for WordPress does not properly restrict access to unspecified Ajax functions, which allows remote attackers to modify plugin settings and conduct cross-site scripting (XSS) attacks via unspecified vectors related to "formData=save" requests, a different version than CVE-2013-0731.

all versions5 MEDIUM

ajax.functions.php in the MailUp plugin before 1.3.3 for WordPress does not properly restrict access to unspecified Ajax functions, which allows remote attackers to modify plugin settings and conduct cross-site scripting (XSS) attacks by setting the wordpress_logged_in cookie. NOTE: this is due to an incomplete fix for a similar issue that was fixed in 1.3.2.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in cached_image.php in the Featurific For WordPress plugin 1.6.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the snum parameter. NOTE: this has been disputed by a third party.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in lazyest-backup.php in the Lazyest Backup plugin before 0.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xml_or_all parameter.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Classipress theme before 3.1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) twitter_id parameter related to the Twitter widget and (2) facebook_id parameter related to the Facebook widget.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in assets/player.swf in the Audio Player plugin before 2.0.4.6 for Wordpress allows remote attackers to inject arbitrary web script or HTML via the playerID parameter.

all versions2.6 LOW

Cross-site scripting (XSS) vulnerability in the My Calendar plugin before 1.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Zingiri Web Shop plugin 2.4.0 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter in zing.inc.php or (2) notes parameter in fws/pages-front/onecheckout.php.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in advancedtext.php in Advanced Text Widget plugin before 2.0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.

all versions5.8 MEDIUM

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_to parameter.

all versions10 HIGH

Unspecified vulnerability in the Connections plugin before 0.7.1.6 for WordPress has unknown impact and attack vectors.

all versions5 MEDIUM

wp-php-widget.php in the WP PHP widget plugin 1.0.2 for WordPress allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message.

= 3.4.22.6 LOW

WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upon an administrator's logout action, which makes it easier for remote attackers to discover valid session identifiers via a brute-force attack, or modify data via a replay attack.

all versions7.5 HIGH

The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that complete a purchase.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

all versions5 MEDIUM

simple-gmail-login.php in the Simple Gmail Login plugin before 1.1.4 for WordPress allows remote attackers to obtain sensitive information via a request that lacks a timezone, leading to disclosure of the installation path in a stack trace.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Video Lead Form plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the errMsg parameter in a video-lead-form action to wp-admin/admin.php.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in wp-integrator.php in the WordPress Integrator module 1.32 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirect_to parameter to wp-login.php.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Uk Cookie (aka uk-cookie) plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in wordpress_sentinel.php in the Sentinel plugin 1.0.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in wordpress_sentinel.php in the Sentinel plugin 1.0.0 for WordPress allows remote attackers to hijack the authentication of an administrator for requests that trigger snapshots.

all versions7.5 HIGH

SQL injection vulnerability in the Sentinel plugin 1.0.0 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

all versions7.5 HIGH

SQL injection vulnerability in ajax.php in SCORM Cloud For WordPress plugin before 1.0.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the active parameter. NOTE: some of these details are obtained from third party information.

all versions6.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in wlcms-plugin.php in the White Label CMS plugin before 1.5.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify the developer name via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, as demonstrated by a developer name containing XSS sequences.

all versions3.5 LOW

Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in the White Label CMS plugin 1.5 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, a related issue to CVE-2012-5387.

all versions6 MEDIUM

SQL injection vulnerability in the Pay With Tweet plugin before 1.2 for WordPress allows remote authenticated users with certain permissions to execute arbitrary SQL commands via the id parameter in a paywithtweet shortcode.

all versions2.6 LOW

Multiple cross-site scripting (XSS) vulnerabilities in pay.php in the Pay With Tweet plugin before 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) link, (2) title, or (3) dl parameter.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in wp-live.php in the WP Live.php module 1.2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter. NOTE: some of these details are obtained from third party information.

all versions2.1 LOW

Multiple cross-site scripting (XSS) vulnerabilities in the scr_do_redirect function in scr.php in the Shortcode Redirect plugin 1.0.01 and earlier for WordPress allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (1) url or (2) sec attributes in a redirect tag.

all versions6.5 MEDIUM

Multiple SQL injection vulnerabilities in the Mingle Forum plugin 1.0.32.1 and other versions before 1.0.33 for WordPress might allow remote authenticated users to execute arbitrary SQL commands via the (1) memberid or (2) groupid parameters in a removemember action or (3) id parameter to fs-admin/fs-admin.php, or (4) edit_forum_id parameter in an edit_save_forum action to fs-admin/wpf-edit-forum-group.php.

all versions6.5 MEDIUM

Multiple SQL injection vulnerabilities in fs-admin/fs-admin.php in the Mingle Forum plugin 1.0.32.1 and other versions before 1.0.33 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) delete_usrgrp[] parameter in a delete_usergroups action, (2) usergroup parameter in an add_user_togroup action, or (3) add_forum_group_id parameter in an add_forum_submit action.

all versions5 MEDIUM

Multiple directory traversal vulnerabilities in the BackWPup plugin before 1.4.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the wpabs parameter to (1) app/options-view_log-iframe.php or (2) app/options-runnow-iframe.php.

all versions7.5 HIGH

PHP remote file inclusion vulnerability in wp_xml_export.php in the BackWPup plugin before 1.7.2 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the wpabs parameter.

all versions6.8 MEDIUM

Unrestricted file upload vulnerability in uploadify/scripts/uploadify.php in the Kish Guest Posting plugin 1.2 for WordPress allows remote attackers to execute arbitrary code by uploading a file with a double extension, then accessing it via a direct request to the file in the directory specified by the folder parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1125.

all versions6.8 MEDIUM

Unrestricted file upload vulnerability in uploadify/scripts/uploadify.php in the Kish Guest Posting plugin before 1.2 for WordPress allows remote attackers to execute arbitrary code by uploading a file with a PHP extension, then accessing it via a direct request to the file in the directory specified by the folder parameter.

all versions7.5 HIGH

SQL injection vulnerability in the WP e-Commerce plugin before 3.8.7.6 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in admin/OptionsPostsList.php in the TheCartPress plugin for WordPress before 1.1.6 before 2011-12-31 allows remote attackers to inject arbitrary web script or HTML via the tcp_name_post_XXXXX parameter.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the MF Gig Calendar plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the calendar page.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in css/gallery-css.php in the Slideshow Gallery2 plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the border parameter.

= 3.4.26.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in vendors/samswhois/samswhois.inc.php in the Whois Search plugin before 1.4.2.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the domain parameter, a different vulnerability than CVE-2011-5193.

all versions2.6 LOW

Cross-site scripting (XSS) vulnerability in vendors/samswhois/samswhois.inc.php in the Whois Search plugin 1.4.2.3 for WordPress, when the WHOIS widget is enabled, allows remote attackers to inject arbitrary web script or HTML via the domain parameter to index.php, a different vulnerability than CVE-2011-5194.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in pretty-bar.php in Pretty Link Lite plugin before 1.5.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the slug parameter, a different vulnerability than CVE-2011-5191.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in pretty-bar.php in Pretty Link Lite plugin before 1.5.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the slug parameter, a different vulnerability than CVE-2011-5192.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in lanoba-social-plugin/index.php in the Lanoba Social plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter. NOTE: the vendor disputes this issue, stating "Lanoba's plug in does sanitize user input, and because that input is never sent to the browser, an attacker has no way of executing script or code on a user's behalf.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in clickdesk.php in ClickDesk Live Support - Live Chat plugin 2.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cdwidgetid parameter. NOTE: some of these details are obtained from third party information.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in wp-1pluginjquery.php in the ZooEffect plugin 1.01 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. NOTE: some of these details are obtained from third party information. NOTE: this has been disputed by a third party.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in skysa-official/skysa.php in Skysa App Bar Integration plugin, possibly before 1.04, for WordPress allows remote attackers to inject arbitrary web script or HTML via the submit parameter.

= 2.8.5.2, = 1.2.3, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 2.0.2, = 2.1.3, = 2.8, = 2.0.1, = 2.2, = 2.0.7, = 1.2.1, = 1.2.5, = 1.2.4, = 3.0.1, = 3.0, = 2.8.4, = 2.1.2, = 1.1.1, = 1.3.2, = 2.0.4, = 2.7.1, = 2.0.6, = 2.1, = 2.5.1, = 2.0.10, = 2.6.2, = 2.3.3, = 2.0.5, = 2.9.1, = 2.5, = 2.8.2, = 1.5, <= 3.0.2, = 2.6.3, = 2.6.1, = 2.9.2, = 2.7, = 1.5.1.1, = 1.5.1.2, = 1.5.1.3, = 1.5.2, = 0.71, = 2.8.3, = 2.8.5.1, = 1.0.2, = 1.2, = 1.0, = 1.0.1, = 2.0.9, = 2.2.1, = 2.3.1, = 2.2.2, = 2.9, = 2.6.5, = 2.8.1, = 1.5.1, = 1.2.2, = 2.3, = 2.0.8, = 2.6, = 2.3.2, = 1.3, = 2.8.5, = 2.9.1.16.5 MEDIUM

The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role.

= 3.0.5, = 2.8.5.2, = 1.2.3, = 3.4.0, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.1.3, = 2.0.6, = 2.1, = 2.0.1, = 2.0.2, = 2.0.4, = 3.1.4, = 3.0, = 2.8.4, = 1.3.2, = 1.1.1, <= 3.4.1, = 2.2.3, = 2.2, = 1.2.1, = 1.2.4, = 3.0.2, = 3.2.1, = 2.5.1, = 2.2.1, = 2.3.1, = 2.2.2, = 2.6.5, = 2.8.3, = 2.8.1, = 2.8, = 2.0.9, = 2.0.5, = 2.7.1, = 1.0.1, = 3.1.3, = 3.1.2, = 3.0.1, = 2.6.3, = 2.6.1, = 2.1.2, = 2.7, = 2.9, = 1.5.1.1, = 1.5.1.2, = 1.5.2, = 0.71, = 3.3.3, = 3.3.2, = 3.1, = 3.2, = 2.6.2, = 2.3.3, = 2.0.7, = 1.0.2, = 1.2.5, = 3.0.4, = 2.3, = 2.0.8, = 2.0.10, = 2.8.5, = 2.9.1.1, = 2.8.5.1, = 1.2, = 1.0, = 3.1.1, = 2.6, = 2.9.2, = 1.5.1.3, = 1.5, = 1.3, = 3.3, = 3.3.1, = 1.5.1, = 1.2.2, = 3.0.3, = 3.0.6, = 2.3.2, = 2.9.1, = 2.5, = 2.8.23.5 LOW

wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin changes by leveraging the Administrator role.

= 3.0.5, = 2.8.5.2, = 1.2.3, = 3.4.0, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, <= 3.4.1, = 3.1.4, = 2.8.4, = 2.0.1, = 2.0.2, = 1.1.1, = 2.2, = 2.0.6, = 2.1, = 1.2.4, = 3.2.1, = 3.0, = 2.1.3, = 1.2.1, = 3.0.2, = 2.2.3, = 2.0.4, = 1.3.2, = 3.2, = 2.8, = 2.1.2, = 2.7, = 2.8.3, = 1.5.1.1, = 1.2, = 1.0.1, = 3.1.2, = 3.1, = 3.0.1, = 2.0.9, = 2.2.1, = 2.3.3, = 2.0.5, = 2.0.7, = 2.8.1, = 1.2.5, = 3.3.3, = 3.3.2, = 2.5.1, = 2.6.2, = 2.3.1, = 2.2.2, = 2.9, = 2.6.5, = 0.71, = 3.1.3, = 3.0.4, = 2.6.3, = 2.6.1, = 2.7.1, = 1.5.1.2, = 1.5.2, = 1.0.2, = 3.3, = 3.0.6, = 2.3, = 2.8.5, = 1.5.1.3, = 1.3, = 3.0.3, = 2.8.5.1, = 3.3.1, = 2.6, = 2.9.1, = 2.5, = 1.5, = 1.5.1, = 1.2.2, = 3.1.1, = 2.0.8, = 2.3.2, = 2.0.10, = 2.9.2, = 2.9.1.1, = 2.8.2, = 1.04 MEDIUM

The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature.

all versions10 HIGH

Unspecified vulnerability in the Another WordPress Classifieds Plugin before 2.0 for WordPress has unknown impact and attack vectors related to "image uploads."

all versions7.5 HIGH

SQL injection vulnerability in wp-load.php in the BuddyPress plugin 1.5.x before 1.5.5 of WordPress allows remote attackers to execute arbitrary SQL commands via the page parameter in an activity_widget_filter action.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Adminimize plugin before 1.7.22 for WordPress allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) inc-options/deinstall_options.php, (2) inc-options/theme_options.php, or (3) inc-options/im_export_options.php, or the (4) post or (5) post_ID parameters to adminimize.php, different vectors than CVE-2011-4926.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in wpsc-admin/display-sales-logs.php in WP e-Commerce plugin 3.8.7.1 and possibly earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the custom_text parameter. NOTE: some of these details are obtained from third party information.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in edit-post.php in the Flexible Custom Post Type plugin before 0.1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in post_alert.php in Alert Before Your Post plugin, possibly 0.1.1 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the name parameter.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in userperspan.php in the Count Per Day module before 3.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) page, (2) datemin, or (3) datemax parameter.

all versions5 MEDIUM

The ShareYourCart plugin 1.7.1 for WordPress allows remote attackers to obtain the installation path via unspecified vectors related to the SDK.

all versions7.5 HIGH

Unspecified vulnerability in the Image News slider plugin before 3.3 for WordPress has unspecified impact and remote attack vectors.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Login With Ajax plugin before 3.0.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the callback parameter.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in libs/xing.php in the 2 Click Social Media Buttons plugin before 0.34 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xing-url parameter.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the 2 Click Social Media Buttons plugin before 0.34 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the "processing of the buttons of Xing and Pinterest".

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in bad-behavior-wordpress-admin.php in the Bad Behavior plugin before 2.0.47 and 2.2.x before 2.2.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, (2) httpbl_key, (3) httpbl_maxage, (4) httpbl_threat, (5) reverse_proxy_addresses, or (6) reverse_proxy_header parameter.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in bulletproof-security/admin/options.php in the BulletProof Security plugin before .47.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the HTTP_ACCEPT_ENCODING header.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Better WP Security (better_wp_security) plugin before 3.2.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "server variables," a different vulnerability than CVE-2012-4263.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in inc/admin/content.php in the Better WP Security (better_wp_security) plugin before 3.2.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the HTTP_USER_AGENT header.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in index.php in the WP-FaceThumb plugin 0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the pagination_wp_facethumb parameter.

= 3.0.5, = 2.8.5.2, = 1.2.3, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 3.2, = 3.1.4, = 2.1.3, = 3.0, = 3.0.2, = 2.2, = 2.0.4, = 2.0.6, = 2.1, = 1.1.1, = 1.3.2, = 3.2.1, = 2.8, = 2.8.4, = 2.0.1, = 2.0.2, = 1.2.1, = 1.2.4, = 3.3.3, = 3.1, = 3.1.3, = 2.5.1, = 2.6.2, = 2.3.1, = 2.2.2, = 2.8.3, = 2.7.1, = 1.0.2, = 1.2, = 1.0.1, = 3.1.2, = 2.9, = 2.6.3, = 2.6.1, = 2.7, = 2.8.1, = 1.5.2, = 3.0.4, = 3.0.1, = 2.0.9, = 2.2.1, = 2.3.3, = 2.0.5, = 2.0.7, = 1.5.1.1, = 1.5.1.2, = 3.3.2, = 3.0.6, = 2.1.2, = 2.6.5, = 2.8.5.1, = 1.2.5, = 0.71, = 2.9.1.1, = 2.6, = 2.5, = 2.8.5, = 1.0, = 3.3, = 2.0.8, = 2.3.2, = 2.0.10, = 1.5.1, = 1.2.2, <= 3.4.0, = 3.0.3, = 2.8.2, = 1.5.1.3, = 1.3, = 3.1.1, = 2.9.2, = 2.9.1, = 2.3, = 1.55 MEDIUM

WordPress before 3.4.1 does not properly restrict access to post contents such as private or draft posts, which allows remote authors or contributors to obtain sensitive information via unknown vectors.

= 3.0.5, = 2.8.5.2, = 1.2.3, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 3.0, = 2.1.3, = 2.0.1, = 2.0.2, = 3.2, = 2.0.4, = 2.0.6, = 1.1.1, = 2.8.4, = 2.1, = 1.2.1, = 1.3.2, = 3.2.1, = 3.1.4, = 3.0.2, = 2.8, = 2.2, = 1.2.4, = 3.3.3, = 3.3.2, = 3.0.1, = 3.1.3, = 3.1.2, = 3.0.6, = 2.2.2, = 2.8.5.1, = 2.8.1, = 1.0.1, = 1.2.5, = 3.1, = 2.5.1, = 2.0.9, = 2.2.1, = 2.6.1, = 2.3.1, = 2.7.1, = 1.5.1.1, = 1.2, = 2.9, = 2.3.3, = 2.6.3, = 2.1.2, = 2.7, = 1.5.2, = 0.71, = 3.0.4, = 2.6.2, = 2.0.5, = 2.0.7, = 2.6.5, = 2.8.3, = 1.5.1.2, = 1.0.2, <= 3.4.0, = 3.3, = 2.9.2, = 3.1.1, = 2.3, = 2.0.8, = 2.3.2, = 2.0.10, = 2.8.5, = 3.0.3, = 2.9.1.1, = 2.5, = 1.2.2, = 1.3, = 1.5.1.3, = 1.5, = 1.5.1, = 2.9.1, = 2.6, = 2.8.2, = 1.06.8 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

= 3.4.02.6 LOW

The map_meta_cap function in wp-includes/capabilities.php in WordPress 3.4.x before 3.4.2, when the multisite feature is enabled, does not properly assign the unfiltered_html capability, which allows remote authenticated users to bypass intended access restrictions and conduct cross-site scripting (XSS) attacks by leveraging the Administrator or Editor role and composing crafted text.

all versions10 HIGH

Multiple unspecified vulnerabilities in the Zingiri Web Shop plugin before 2.4.0 for WordPress have unknown impact and attack vectors.

all versions7.5 HIGH

Unrestricted file upload vulnerability in font-upload.php in the Font Uploader plugin 1.2.4 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a PHP file with a .php.ttf extension, then accessing it via a direct request to the file in font-uploader/fonts.

= 3.0.5, = 2.8.5.2, = 1.2.3, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 2.1.3, = 2.8, = 2.1, = 2.1.2, = 1.2.1, = 3.0, = 2.0.2, = 2.0.7, = 2.8.4, = 3.0.1, = 3.0.2, = 2.0.1, = 1.2.4, = 1.1.1, = 2.2, = 2.0.4, = 2.0.6, = 1.3.2, = 2.7, = 2.2.2, = 2.9.2, = 2.9, = 2.9.1, = 1.2.2, = 1.0.2, = 1.2, = 2.0.9, = 2.3.1, = 2.0.5, = 2.8.3, = 2.8.1, = 2.6.5, = 2.7.1, = 2.8.5.1, = 1.5, = 1.0.1, = 1.2.5, = 0.71, = 3.0.6, = 2.0.10, = 2.5.1, = 2.3.3, = 1.5.1.1, = 1.5.1.2, <= 3.1, = 3.0.4, = 2.6.2, = 2.2.1, = 2.6.3, = 2.6.1, = 2.5, = 1.5.2, = 1.0, = 2.0.8, = 2.6, = 1.5.1.3, = 1.3, = 3.0.3, = 2.3.2, = 2.3, = 2.8.5, = 2.8.2, = 2.9.1.1, = 1.5.15 MEDIUM

The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls.

= 3.0.5, = 2.8.5.2, = 1.2.3, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 3.0.1, = 3.0.2, = 2.0.1, = 2.0.2, = 1.2.4, = 1.1.1, = 2.0.4, = 2.0.6, = 1.3.2, = 2.1.3, = 2.8, = 2.2, = 2.1, = 2.1.2, = 3.0, = 2.0.7, = 2.8.4, = 1.2.1, = 3.0.6, = 2.0.10, = 2.3.3, = 2.6.3, = 1.5.1.1, = 1.5.1.2, <= 3.1, = 3.0.4, = 2.6.2, = 2.2.1, = 2.6.1, = 2.2.2, = 2.5, = 1.5.2, = 2.7, = 2.9.2, = 2.9, = 2.9.1, = 2.6.5, = 1.2.2, = 1.0.2, = 1.2, = 1.0, = 2.0.9, = 2.3.1, = 2.0.5, = 2.8.3, = 2.8.1, = 2.5.1, = 2.7.1, = 2.8.5.1, = 1.5, = 1.0.1, = 1.2.5, = 0.71, = 2.3, = 1.5.1.3, = 1.3, = 2.3.2, = 2.8.5, = 2.8.2, = 2.9.1.1, = 1.5.1, = 2.0.8, = 3.0.3, = 2.64.3 MEDIUM

Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

all versions5 MEDIUM

Directory traversal vulnerability in preview.php in the Plugin Newsletter plugin 1.5 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the data parameter.

all versions6.8 MEDIUM

Unrestricted file upload vulnerability in html/Upload.php in the FCChat Widget plugin 2.2.13.1 and earlier for WordPress allows remote attackers to execute arbitrary code by uploading a file with a file with an executable extension followed by a safe extension, then accessing it via a direct request to the file in html/images.

all versions7.5 HIGH

Unrestricted file upload vulnerability in doupload.php in the Nmedia Member Conversation plugin before 1.4 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in wp-content/uploads/user_uploads.

all versions10 HIGH

Unrestricted file upload vulnerability in php/upload.php in the wpStoreCart plugin before 2.5.30 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/wpstorecart.

all versions7.5 HIGH

Unrestricted file upload vulnerability in includes/doajaxfileupload.php in the MM Forms Community plugin 2.2.5 and 2.2.6 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in upload/temp.

all versions10 HIGH

Unrestricted file upload vulnerability in uploader.php in the RBX Gallery plugin 2.1 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/rbxslider.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in login-with-ajax.php in the Login With Ajax (aka login-with-ajax) plugin before 3.0.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the callback parameter in a lostpassword action to wp-login.php.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the userphoto_options_page function in user-photo.php in the User Photo plugin before 0.9.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to wp-admin/options-general.php. NOTE: some of these details are obtained from third party information.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in the Share and Follow plugin 1.80.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the CDN API Key (cnd-key) in a share-and-follow-menu page to wp-admin/admin.php.

all versions4.3 MEDIUM

Cross-site scripting (XSS) vulnerability in sabre_class_admin.php in the SABRE plugin before 2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the active_option parameter to wp-admin/tools.php.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the Leaflet plugin 0.0.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the id parameter to (1) leaflet_layer.php or (2) leaflet_marker.php, as reachable through wp-admin/admin.php.

all versions4.3 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in the LeagueManager plugin 3.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) group parameter in the show-league page or (2) season parameter in the team page to wp-admin/admin.php.

= 3.0.5, = 2.8.5.2, = 1.2.3, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 3.1.4, = 2.8.4, = 2.0.7, = 2.1, = 1.2.1, = 1.3.2, = 3.0, = 3.2.1, = 2.8, = 2.2, = 2.0.6, = 1.1.1, = 3.0.2, = 2.0.1, = 2.1.3, = 2.0.2, = 2.0.4, = 1.2.4, = 3.0.1, = 3.2, = 2.3.1, = 2.7, = 2.9.2, = 2.2.2, = 1.5.2, = 3.1, = 2.0.9, = 2.6.3, = 2.2.1, = 2.0.5, = 2.6.1, = 1.5.1.1, = 1.0.1, = 1.5.1.2, <= 3.3.1, = 3.0.3, = 2.6.2, = 2.8.3, = 2.9, = 2.6.5, = 2.1.2, = 2.8.5.1, = 1.0.2, = 1.2.5, = 3.1.3, = 3.1.2, = 3.0.4, = 3.0.6, = 2.8.1, = 2.7.1, = 2.5.1, = 2.3.3, = 1.2, = 2.3.2, = 2.6, = 2.5, = 1.5.1, = 1.5.1.3, = 3.1.1, = 2.3, = 1.5, = 1.3, = 3.3, = 2.8.5, = 2.9.1, = 2.0.10, = 2.9.1.1, = 1.2.2, = 2.0.8, = 2.8.2, = 1.06.8 MEDIUM

The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network, as demonstrated by attacks against the wp-admin/admin-ajax.php and wp-admin/user-new.php scripts. NOTE: the vendor reportedly disputes the significance of this issue because wp_create_nonce operates as intended, even if it is arguably inconsistent with certain CSRF protection details advocated by external organizations

= 3.0.5, = 2.8.5.2, = 1.2.3, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 2.8, = 2.0.6, = 2.0.7, = 2.8.4, = 3.0, = 1.2.4, = 2.1.3, = 2.0.2, = 2.1.2, = 1.2.1, = 2.2, = 2.0.1, = 2.1, = 1.1.1, = 2.0.4, = 3.0.1, = 3.0.2, = 1.3.2, = 2.0.9, = 1.5.2, = 2.8.1, = 3.1, = 1.2, = 1.5.1.1, = 2.3.1, = 2.7, = 2.3.3, = 2.2.2, = 1.2.2, = 2.6.5, = 0.71, = 3.1.1, = 2.7.1, <= 3.3.1, = 2.2.1, = 2.5.1, = 3.0.6, = 2.6.1, = 2.9.2, = 1.0.1, = 3.1.3, = 3.0.4, = 2.8.5.1, = 2.6.2, = 1.5.1.2, = 2.0.5, = 2.8.3, = 2.6.3, = 1.0.2, = 2.9, = 2.5, = 1.2.5, = 3.1.2, = 2.3.2, = 2.8.5, = 1.5, = 2.9.1, = 2.0.10, = 2.3, = 2.6, = 1.3, = 3.3, = 2.8.2, = 1.5.1, = 1.0, = 2.0.8, = 1.5.1.3, = 3.0.3, = 2.9.1.14.3 MEDIUM

wp-comments-post.php in WordPress before 3.3.2 supports offsite redirects, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.

= 3.0.5, = 2.8.5.2, = 1.2.3, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 2.0.2, = 2.0.4, = 3.0.1, = 1.3.2, = 2.2, = 2.0.1, = 2.0.7, = 2.1, = 2.8.4, = 1.2.4, = 2.8, = 2.0.6, = 3.0.2, = 3.0, = 2.1.3, = 2.1.2, = 1.2.1, = 1.1.1, = 2.6.2, = 1.5.1.2, = 2.8.3, = 2.2.2, = 1.0.2, = 2.9, = 2.5, = 2.7.1, = 3.1.2, <= 3.3.1, = 2.2.1, = 2.5.1, = 3.0.6, = 2.9.2, = 1.0.1, = 3.1.3, = 2.0.9, = 1.5.2, = 2.0.5, = 2.8.1, = 2.6.3, = 3.1, = 1.2, = 1.2.5, = 3.0.4, = 2.8.5.1, = 1.5.1.1, = 2.3.1, = 2.7, = 2.3.3, = 2.6.1, = 1.2.2, = 2.6.5, = 0.71, = 3.1.1, = 2.0.8, = 1.5.1.3, = 3.0.3, = 2.3.2, = 2.8.2, = 1.5, = 1.5.1, = 1.0, = 2.8.5, = 2.9.1, = 2.9.1.1, = 3.3, = 2.0.10, = 2.3, = 2.6, = 1.34.3 MEDIUM

wp-includes/formatting.php in WordPress before 3.3.2 attempts to enable clickable links inside attributes, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors.

= 3.0.5, = 2.8.5.2, = 1.2.3, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 2.0.2, = 2.0.4, = 3.0.1, = 2.1.3, = 2.1.2, = 1.2.1, = 1.1.1, = 2.8, = 2.0.6, = 3.0.2, = 3.0, = 1.3.2, = 2.2, = 2.0.1, = 2.0.7, = 2.1, = 2.8.4, = 1.2.4, = 2.6.2, = 2.3.1, = 1.5.1.2, = 2.7, = 2.3.3, = 2.2.2, = 1.2.2, = 1.0.2, = 2.5, = 2.7.1, = 2.2.1, = 1.5.1.1, = 2.5.1, = 2.6.1, = 1.0.1, = 2.6.5, = 0.71, = 3.1.1, = 1.5.2, = 2.0.5, = 2.8.3, = 2.6.3, = 3.1, = 2.9, = 1.2, = 1.2.5, = 3.0.4, = 3.1.2, <= 3.3.1, = 2.0.9, = 2.8.1, = 3.0.6, = 2.9.2, = 3.1.3, = 2.8.5.1, = 3.0.3, = 3.3, = 2.0.10, = 2.3, = 2.6, = 1.5.1, = 2.0.8, = 1.5.1.3, = 2.8.5, = 2.9.1.1, = 1.3, = 2.3.2, = 2.8.2, = 1.5, = 2.9.1, = 1.05.5 MEDIUM

wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspecified vectors.

= 3.0.5, = 2.8.5.2, = 1.2.3, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.2, = 2.0.1, = 2.1, = 2.2.3, = 2.0.2, = 2.0.4, = 1.3.2, = 2.8.4, = 1.2.4, = 2.8, = 2.0.6, = 3.0.2, = 3.0, = 2.1.3, = 2.1.1, = 1.2.1, = 1.1.1, <= 3.3.1, = 2.0.9, = 2.0.7, = 2.8.1, = 2.6.2, = 2.3.1, = 1.5.1.2, = 2.7, = 2.3.3, = 2.2.2, = 3.0.1, = 1.0.2, = 0.71, = 2.7.1, = 3.1.2, = 3.1.3, = 1.5.2, = 2.0.5, = 2.8.3, = 2.6.3, = 3.1, = 2.9, = 1.2, = 1.2.5, = 3.0.4, = 2.2.1, = 1.5.1.1, = 2.1.2, = 2.5.1, = 2.6.1, = 1.0.1, = 2.6.5, = 2.3.2, = 2.8.2, = 3.0.3, = 1.2.2, = 1.3, = 3.0.6, = 1.5, = 2.9.2, = 2.9.1, = 1.0, = 2.8.5.1, = 2.0.8, = 1.5.1.3, = 2.8.5, = 2.5, = 2.9.1.1, = 3.3, = 2.0.10, = 2.3, = 2.6, = 1.5.1, = 3.1.15 MEDIUM

Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content.

= 3.0.5, = 2.8.5.2, = 1.2.3, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 2.1.3, = 2.0.1, = 2.1.2, = 1.2.1, = 1.1.1, = 2.0.2, = 2.2, = 2.0.6, = 2.0.7, = 2.1, = 2.8.4, = 1.2.4, = 1.3.2, = 2.8, = 2.0.4, = 3.0.1, = 3.0.2, = 3.0, <= 3.3.1, = 2.2.1, = 1.5.1.1, = 2.5.1, = 3.0.6, = 2.6.1, = 1.0.1, = 2.6.5, = 3.1.3, = 2.6.2, = 2.3.1, = 1.5.1.2, = 2.7, = 2.3.3, = 2.0.9, = 2.8.1, = 3.1, = 2.9.2, = 2.8.5.1, = 2.2.2, = 1.2.2, = 1.0.2, = 0.71, = 3.1.1, = 2.7.1, = 3.1.2, = 1.5.2, = 2.0.5, = 2.8.3, = 2.6.3, = 2.9, = 1.2, = 2.5, = 1.2.5, = 3.0.4, = 3.3, = 2.3, = 1.5.1, = 2.0.10, = 3.0.3, = 2.3.2, = 2.8.2, = 1.5, = 2.9.1, = 1.0, = 2.6, = 1.3, = 2.0.8, = 1.5.1.3, = 2.8.5, = 2.9.1.110 HIGH

Unspecified vulnerability in wp-includes/js/swfobject.js in WordPress before 3.3.2 has unknown impact and attack vectors.

= 3.0.5, = 2.8.5.2, = 1.2.3, = 2.0.11, = 1.3.3, = 2.8.6, = 2.0, = 2.1.1, = 2.2.3, = 2.8, = 2.0.6, = 2.0.7, = 2.8.4, = 3.0, = 1.2.4, = 2.0.4, = 3.0.1, = 3.0.2, = 2.2, = 2.0.1, = 2.1, = 1.1.1, = 1.3.2, = 2.1.3, = 2.0.2, = 2.1.2, = 1.2.1, = 2.0.9, = 2.8.1, = 3.1, = 1.2, = 3.0.4, = 2.8.5.1, = 2.6.2, = 1.5.2, = 2.0.5, = 2.8.3, = 2.6.3, = 1.0.2, = 2.9, = 2.5, = 1.2.5, = 3.1.2, <= 3.3.1, = 2.2.1, = 2.5.1, = 3.0.6, = 2.6.1, = 2.9.2, = 1.0.1, = 2.6.5, = 3.1.3, = 1.5.1.1, = 2.3.1, = 1.5.1.2, = 2.7, = 2.3.3, = 2.2.2, = 1.2.2, = 0.71, = 3.1.1, = 2.7.1, = 2.3.2, = 2.8.5, = 1.5, = 2.9.1, = 1.0, = 2.0.8, = 1.5.1.3, = 3.0.3, = 3.3, = 2.8.2, = 2.3, = 1.5.1, = 2.9.1.1, = 2.0.10, = 2.6, = 1.310 HIGH

Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFupload 2.2.0.1 and earlier, as used in WordPress before 3.5.2, TinyMCE Image Manager 1.1 and earlier, and other products allows remote attackers to inject arbitrary web script or HTML via the buttonText parameter, a different vulnerability than CVE-2012-3414.