WordPress — свободно распространяемая система управления содержимым сайта с открытым исходным кодом.
Релизный цикл, информация об уязвимостях
График релизов
Количество 1 896
GHSA-ccmp-622j-3xf7
Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server.
GHSA-hmqr-j9c3-8h75
In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF.
GHSA-6f4p-6vw9-3q54
In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API.
GHSA-8c9g-j366-5fcx
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session.
GHSA-8chx-6qqw-75xx
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename.
GHSA-74wg-f546-8h73
In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials.
GHSA-5qr2-x7m5-m83q
Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt.
GHSA-5q84-77v2-m356
In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation.
GHSA-j242-vw64-5qc4
In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names.
GHSA-668g-gr9x-p9m2
In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
| GHSA-ccmp-622j-3xf7 Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. | CVSS3: 6.1 | 9% Низкий | больше 3 лет назад |
| GHSA-hmqr-j9c3-8h75 In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. | CVSS3: 8.6 | 1% Низкий | больше 3 лет назад |
| GHSA-6f4p-6vw9-3q54 In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. | CVSS3: 7.5 | 4% Низкий | больше 3 лет назад |
| GHSA-8c9g-j366-5fcx In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session. | CVSS3: 6.1 | 1% Низкий | больше 3 лет назад |
| GHSA-8chx-6qqw-75xx In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename. | CVSS3: 6.1 | 3% Низкий | больше 3 лет назад |
| GHSA-74wg-f546-8h73 In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials. | CVSS3: 8.8 | 1% Низкий | больше 3 лет назад |
| GHSA-5qr2-x7m5-m83q Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt. | CVSS3: 6.1 | 2% Низкий | больше 3 лет назад |
| GHSA-5q84-77v2-m356 In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation. | CVSS3: 6.1 | 6% Низкий | больше 3 лет назад |
| GHSA-j242-vw64-5qc4 In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names. | CVSS3: 6.1 | 9% Низкий | больше 3 лет назад |
| GHSA-668g-gr9x-p9m2 In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds. | CVSS3: 5.4 | 6% Низкий | больше 3 лет назад |
Уязвимостей на страницу