WordPress is a free, open-source content management system (CMS) for websites.
Release cycle, vulnerability information
Release schedule
Number of vulnerabilities: 1,896
| Vulnerability | CVSS | EPSS | Published |
|---|---|---|---|
| GHSA-gmjx-3rgm-r63g WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). | CVSS3: 6.1 | 3% Low | more than 3 years ago |
| GHSA-4cxp-jjp3-3qpw WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723. | CVSS3: 9.8 | 4% Low | more than 3 years ago |
| GHSA-r95h-g3m2-8rgx WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. | CVSS3: 8.1 | 2% Low | more than 3 years ago |
| GHSA-pv54-xqw9-86jh Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. | CVSS3: 6.1 | 7% Low | more than 3 years ago |
| GHSA-ch98-pvvc-v52h Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. | CVSS3: 6.1 | 7% Low | more than 3 years ago |
| GHSA-279h-9ccj-88q7 The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors. | CVSS3: 7.5 | 7% Low | more than 3 years ago |
| GHSA-p8q3-wf3c-v265 Multiple SQL injection vulnerabilities in VastHTML Forum Server (aka ForumPress) plugin 1.6.1 and 1.6.5 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) search_max parameter in a search action to index.php, which is not properly handled by wpf.class.php, (2) id parameter in an editpost action to index.php, which is not properly handled by wpf-post.php, or (3) topic parameter to feed.php. | | 2% Low | more than 3 years ago |
| GHSA-c5xx-92gp-xmp6 Cross-site scripting (XSS) vulnerability in post_alert.php in Alert Before Your Post plugin, possibly 0.1.1 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the name parameter. | | 2% Low | more than 3 years ago |
| GHSA-mmvc-933r-7cp3 Cross-site scripting (XSS) vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. | | 8% Low | more than 3 years ago |
| GHSA-w5j7-j9wm-9x8q Cross-site scripting (XSS) vulnerability in edit-post.php in the Flexible Custom Post Type plugin before 0.1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter. | | 3% Low | more than 3 years ago |