WordPress is a freely distributed, open-source content management system.
Release cycle, vulnerability information
Release schedule
Count: 1 906
| Advisory | Description | CVSS | EPSS | Published |
|---|---|---|---|---|
| GHSA-gmjx-3rgm-r63g | WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement). | CVSS3: 6.1 | 3% Low | more than 3 years ago |
| GHSA-4cxp-jjp3-3qpw | WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723. | CVSS3: 9.8 | 4% Low | more than 3 years ago |
| GHSA-r95h-g3m2-8rgx | WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. | CVSS3: 8.1 | 2% Low | more than 3 years ago |
| GHSA-pv54-xqw9-86jh | Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. | CVSS3: 6.1 | 5% Low | more than 3 years ago |
| GHSA-ch98-pvvc-v52h | Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. | CVSS3: 6.1 | 7% Low | more than 3 years ago |
| GHSA-279h-9ccj-88q7 | The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors. | CVSS3: 7.5 | 7% Low | more than 3 years ago |
| GHSA-p8q3-wf3c-v265 | Multiple SQL injection vulnerabilities in VastHTML Forum Server (aka ForumPress) plugin 1.6.1 and 1.6.5 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) search_max parameter in a search action to index.php, which is not properly handled by wpf.class.php, (2) id parameter in an editpost action to index.php, which is not properly handled by wpf-post.php, or (3) topic parameter to feed.php. | | 2% Low | more than 3 years ago |
| GHSA-mmvc-933r-7cp3 | Cross-site scripting (XSS) vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. | | 8% Low | more than 3 years ago |
| GHSA-w5j7-j9wm-9x8q | Cross-site scripting (XSS) vulnerability in edit-post.php in the Flexible Custom Post Type plugin before 0.1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter. | | 3% Low | more than 3 years ago |
| GHSA-c5xx-92gp-xmp6 | Cross-site scripting (XSS) vulnerability in post_alert.php in Alert Before Your Post plugin, possibly 0.1.1 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the name parameter. | | 2% Low | more than 3 years ago |