WordPress — свободно распространяемая система управления содержимым сайта с открытым исходным кодом.
Релизный цикл, информация об уязвимостях
График релизов
Количество 1 906
GHSA-ggx6-6gcf-4769
Cross-site scripting (XSS) vulnerability in pretty-bar.php in Pretty Link Lite plugin before 1.5.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the slug parameter, a different vulnerability than CVE-2011-5192.
GHSA-rgfj-6p67-wm4x
Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action.
GHSA-vr83-qghg-2w85
Multiple directory traversal vulnerabilities in the BackWPup plugin before 1.4.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the wpabs parameter to (1) app/options-view_log-iframe.php or (2) app/options-runnow-iframe.php.
GHSA-g56r-2vjm-9c6p
Unrestricted file upload vulnerability in uploadify/scripts/uploadify.php in the Kish Guest Posting plugin 1.2 for WordPress allows remote attackers to execute arbitrary code by uploading a file with a double extension, then accessing it via a direct request to the file in the directory specified by the folder parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1125.
GHSA-pqvq-cgx4-49hv
PHP remote file inclusion vulnerability in wp_xml_export.php in the BackWPup plugin before 1.7.2 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the wpabs parameter.
GHSA-ph82-8frw-6xc7
Cross-site scripting (XSS) vulnerability in vendors/samswhois/samswhois.inc.php in the Whois Search plugin 1.4.2.3 for WordPress, when the WHOIS widget is enabled, allows remote attackers to inject arbitrary web script or HTML via the domain parameter to index.php, a different vulnerability than CVE-2011-5194.
GHSA-xhmg-vv82-6q8v
The Media Upload form in the Video Embed & Thumbnail Generator plugin before 2.0 for WordPress allows remote attackers to obtain the installation path via unknown vectors.
GHSA-c49p-mmwq-r586
simple-gmail-login.php in the Simple Gmail Login plugin before 1.1.4 for WordPress allows remote attackers to obtain sensitive information via a request that lacks a timezone, leading to disclosure of the installation path in a stack trace.
GHSA-87p7-g773-mghv
Cross-site scripting (XSS) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
GHSA-5c7w-fxfm-7857
Cross-site scripting (XSS) vulnerability in the Video Lead Form plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the errMsg parameter in a video-lead-form action to wp-admin/admin.php.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
| GHSA-ggx6-6gcf-4769 Cross-site scripting (XSS) vulnerability in pretty-bar.php in Pretty Link Lite plugin before 1.5.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the slug parameter, a different vulnerability than CVE-2011-5192. | 0% Низкий | больше 3 лет назад | |
| GHSA-rgfj-6p67-wm4x Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action. | 0% Низкий | больше 3 лет назад | |
| GHSA-vr83-qghg-2w85 Multiple directory traversal vulnerabilities in the BackWPup plugin before 1.4.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the wpabs parameter to (1) app/options-view_log-iframe.php or (2) app/options-runnow-iframe.php. | 1% Низкий | больше 3 лет назад | |
| GHSA-g56r-2vjm-9c6p Unrestricted file upload vulnerability in uploadify/scripts/uploadify.php in the Kish Guest Posting plugin 1.2 for WordPress allows remote attackers to execute arbitrary code by uploading a file with a double extension, then accessing it via a direct request to the file in the directory specified by the folder parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1125. | 11% Средний | больше 3 лет назад | |
| GHSA-pqvq-cgx4-49hv PHP remote file inclusion vulnerability in wp_xml_export.php in the BackWPup plugin before 1.7.2 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the wpabs parameter. | 4% Низкий | больше 3 лет назад | |
| GHSA-ph82-8frw-6xc7 Cross-site scripting (XSS) vulnerability in vendors/samswhois/samswhois.inc.php in the Whois Search plugin 1.4.2.3 for WordPress, when the WHOIS widget is enabled, allows remote attackers to inject arbitrary web script or HTML via the domain parameter to index.php, a different vulnerability than CVE-2011-5194. | 1% Низкий | больше 3 лет назад | |
| GHSA-xhmg-vv82-6q8v The Media Upload form in the Video Embed & Thumbnail Generator plugin before 2.0 for WordPress allows remote attackers to obtain the installation path via unknown vectors. | 0% Низкий | больше 3 лет назад | |
| GHSA-c49p-mmwq-r586 simple-gmail-login.php in the Simple Gmail Login plugin before 1.1.4 for WordPress allows remote attackers to obtain sensitive information via a request that lacks a timezone, leading to disclosure of the installation path in a stack trace. | 7% Низкий | больше 3 лет назад | |
| GHSA-87p7-g773-mghv Cross-site scripting (XSS) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 0% Низкий | больше 3 лет назад | |
| GHSA-5c7w-fxfm-7857 Cross-site scripting (XSS) vulnerability in the Video Lead Form plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the errMsg parameter in a video-lead-form action to wp-admin/admin.php. | 1% Низкий | больше 3 лет назад |
Уязвимостей на страницу