Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
577 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2016-6896 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
| Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool. | ||||
| CVE-2016-6634 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
| Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2016-6635 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
| Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers to hijack the authentication of administrators for requests that change the script compression option. | ||||
| CVE-2016-5838 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
| WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie. | ||||
| CVE-2016-5835 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
| WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php. | ||||
| CVE-2016-5837 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
| WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors. | ||||
| CVE-2016-5832 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
| The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors. | ||||
| CVE-2016-5836 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
| The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors. | ||||
| CVE-2016-5834 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
| Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833. | ||||
| CVE-2016-5839 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
| WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors. | ||||
| CVE-2016-5833 | 1 Wordpress | 1 Wordpress | 2024-08-06 | N/A |
| Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834. | ||||
| CVE-2016-4567 | 2 Mediaelementjs, Wordpress | 2 Mediaelement.js, Wordpress | 2024-08-06 | N/A |
| Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn." | ||||
| CVE-2016-4566 | 2 Plupload, Wordpress | 2 Plupload, Wordpress | 2024-08-06 | N/A |
| Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack. | ||||
| CVE-2016-4029 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-08-06 | 8.6 High |
| WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address. | ||||
| CVE-2016-2222 | 1 Wordpress | 1 Wordpress | 2024-08-05 | N/A |
| The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request forgery (SSRF) attacks via a zero value in the first octet of an IPv4 address in the u parameter to wp-admin/press-this.php. | ||||
| CVE-2016-2221 | 1 Wordpress | 1 Wordpress | 2024-08-05 | N/A |
| Open redirect vulnerability in the wp_validate_redirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as demonstrated by an https:example.com URL. | ||||
| CVE-2016-1564 | 1 Wordpress | 1 Wordpress | 2024-08-05 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php. | ||||
| CVE-2017-1001000 | 1 Wordpress | 1 Wordpress | 2024-08-05 | N/A |
| The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI. | ||||
| CVE-2017-1000600 | 1 Wordpress | 1 Wordpress | 2024-08-05 | N/A |
| WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this has not been confirmed at this time. This issue appears to have been partially, but not completely fixed in WordPress 4.9 | ||||
| CVE-2017-17094 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-08-05 | N/A |
| wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL. | ||||