WordPress is a free, open-source content management system (CMS).
Release cycle and vulnerability information
Release schedule
Count: 1 894

Vulnerability | Description | CVSS 3.x | EPSS | Published
---|---|---|---|---
CVE-2022-43497 | Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7. | 6.1 | 1% (low) | almost 3 years ago
GHSA-3mv4-59rc-qvqm | WordPress before 5.2.3 allows XSS in post previews by authenticated users. | 5.4 | 4% (low) | more than 3 years ago
GHSA-8fxj-85rv-jj93 | WordPress before 5.2.3 allows reflected XSS in the dashboard. | 6.1 | 1% (low) | more than 3 years ago
GHSA-j28g-8c73-vhw9 | WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks. | 6.1 | 2% (low) | more than 3 years ago
GHSA-f824-fhqw-5fwj | In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect. | 6.1 | 1% (low) | more than 3 years ago
GHSA-3rc6-mcgh-8jqq | WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. | 6.1 | 2% (low) | more than 3 years ago
GHSA-v5hr-6h2c-gx45 | WordPress before 5.2.3 allows XSS in stored comments. | 6.1 | 1% (low) | more than 3 years ago
GHSA-hqq8-34fg-q5jj | WordPress before 5.2.3 allows XSS in shortcode previews. | 6.1 | 2% (low) | more than 3 years ago
GHSA-m8cv-g4gv-cx2g | WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory. | n/a | 24% (medium) | more than 3 years ago
GHSA-65h5-8qpr-9m3v | is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected. | 9.1 | 6% (low) | more than 3 years ago
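The open-redirect entry (GHSA-f824-fhqw-5fwj, wp_validate_redirect) belongs to the class of bug where a redirect target taken from the request is not confined to the site's own host. The code below is an added example, not WordPress's wp_validate_redirect and not the specific bypass behind that advisory (the entry above does not detail it): a stand-alone Python validator that accepts only site-relative paths or absolute http(s) URLs on an allow-list of hosts, shown next to the naive substring check that open redirects usually stem from. ALLOWED_HOSTS, the example.com / evil.example names and the inputs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts this site may redirect to.  Assumed for the example; a real deployment
# derives this from the site's own home URL plus any explicitly trusted hosts.
ALLOWED_HOSTS = frozenset({"example.com", "www.example.com"})
FALLBACK = "/"


def naive_contains_check(location: str, site_host: str = "example.com") -> bool:
    """The pattern open redirects usually come from: "our host name appears
    somewhere in the target".  It passes https://evil.example/?next=example.com
    and https://example.com.evil.example/ just as readily as a real target."""
    return site_host in location


def validate_redirect(location, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return `location` if it is safe to redirect to, otherwise `fallback`.

    Accepted targets are (a) a site-relative path starting with a single "/"
    or (b) an absolute http(s) URL whose host is in `allowed_hosts`.
    Everything else (other schemes, scheme-relative "//host", backslash
    variants, userinfo tricks, malformed input) falls back to the default.
    """
    if not isinstance(location, str):
        return fallback
    # Drop ASCII control characters; browsers ignore some of them inside a URL,
    # which is how "jav\tascript:" slips past a check that looks for "javascript:".
    cleaned = "".join(ch for ch in location if ord(ch) > 31 and ord(ch) != 127).strip()
    if not cleaned:
        return fallback
    # Browsers accept "\" as "/" at the start of a URL, so "/\evil.example" is a
    # network-path reference to evil.example.  Normalise before parsing.
    normalized = cleaned.replace("\\", "/")
    try:
        parts = urlsplit(normalized)
    except ValueError:          # e.g. a malformed IPv6 literal such as "http://[evil"
        return fallback
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference.  "//host" has gone into netloc already, but browsers
        # also collapse "///host" to "//host", so require exactly one leading "/".
        if normalized.startswith("/") and not normalized.startswith("//"):
            return normalized
        return fallback
    if parts.scheme.lower() not in ("http", "https"):
        return fallback         # javascript:, data:, ftp:, ...
    # .hostname is lower-cased with userinfo and port stripped, so
    # "https://example.com@evil.example/" yields "evil.example" here.
    host = parts.hostname
    if host is None or host not in allowed_hosts:
        return fallback
    return normalized
```

The validator returns the fallback rather than raising, which matches how a login or logout handler normally behaves: an unusable `redirect_to` sends the user to the home page instead of producing an error page.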
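GHSA-m8cv-g4gv-cx2g describes the gap the Update URI plugin header (honoured from WordPress 5.8) was introduced to close: a plugin with no Update URI is looked up on WordPress.org by its slug, so if that slug is still unclaimed in the Plugin Directory, whoever registers it there can ship an "update" to every site running the private plugin. On WordPress before 5.8 the header is ignored, so the only defences there are upgrading or claiming the slug. The scanner below is an added example (my own code, not WordPress's): it parses plugin file headers the way WordPress reads them (first 8 KiB, `Key: value` lines inside the opening comment) and reports which plugins are still unbound. Assumptions made here: the slug is the plugin's directory name; the Plugin Directory slug rule is approximated as lowercase letters, digits and single hyphens; the WordPress.org forms recognised for Update URI are `https://wordpress.org/plugins/{slug}/` and `w.org/plugin/{slug}`; the sample plugin sources in SAMPLE_PLUGINS are constructed, not real plugins.

```python
import re
from typing import Optional

# WordPress reads plugin headers from the first 8 KiB of the main plugin file.
HEADER_BYTES = 8192

# Approximation of the WordPress.org Plugin Directory slug rule (an assumption
# for this example): lowercase letters and digits separated by single hyphens.
DIRECTORY_SLUG_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")


def read_header(source: str, key: str) -> Optional[str]:
    """Return the value of a `Key: value` plugin header, or None if absent.

    Modelled on how WordPress scans headers: only the first 8 KiB is examined,
    leading comment decoration (" * ", "/*", "#", "@") is skipped, the key is
    matched case-insensitively and the first occurrence wins.
    """
    head = source[:HEADER_BYTES]
    pattern = r"^[ \t/*#@]*" + re.escape(key) + r":(.*)$"
    m = re.search(pattern, head, re.MULTILINE | re.IGNORECASE)
    if not m:
        return None
    value = m.group(1).strip()
    value = re.sub(r"\s*\*/\s*$", "", value)  # header sitting on the "*/" line
    return value or None


def plugin_slug(plugin_basename: str) -> str:
    """Slug used for update lookups: the plugin's directory name, or the file
    name without .php for a single-file plugin (assumed for this example)."""
    if "/" in plugin_basename:
        return plugin_basename.split("/", 1)[0]
    return re.sub(r"\.php$", "", plugin_basename)


def classify_plugin(plugin_basename: str, source: str) -> dict:
    """Classify where a plugin's updates come from.

    "unbound" is the state GHSA-m8cv-g4gv-cx2g describes: no Update URI and a
    slug the Plugin Directory would accept, so whoever registers that slug on
    WordPress.org can serve this site an "update".
    """
    slug = plugin_slug(plugin_basename)
    update_uri = read_header(source, "Update URI")
    registrable = bool(DIRECTORY_SLUG_RE.match(slug))
    wporg_forms = {f"https://wordpress.org/plugins/{slug}/", f"w.org/plugin/{slug}"}
    if update_uri is None:
        status = "unbound" if registrable else "unbound-unregistrable-slug"
    elif update_uri.lower() == "false":
        status = "updates-disabled"
    elif update_uri.lower() in wporg_forms:
        status = "wordpress-org"
    else:
        status = "custom-server"
    return {"slug": slug, "update_uri": update_uri, "status": status}


# Constructed sample plugin files (not real plugins), keyed by the plugin
# basename as WordPress reports it (directory/main-file.php).
SAMPLE_PLUGINS = {
    "acme-widgets/acme-widgets.php":
        "<?php\n/**\n * Plugin Name: Acme Widgets\n * Version: 1.2.0\n"
        " * Update URI: https://updates.acme.example/acme-widgets\n */\n",
    "site-tweaks/site-tweaks.php":
        "<?php\n/*\nPlugin Name: Site Tweaks\n"
        "Description: In-house glue code, never published.\n*/\n",
    "hello-world/hello-world.php":
        "<?php\n/**\n * Plugin Name: Hello World\n"
        " * Update URI: https://wordpress.org/plugins/hello-world/\n */\n",
    "Internal_Tools/tools.php":
        "<?php\n/* Plugin Name: Internal Tools */\n",
    "legacy-sso/legacy-sso.php":
        "<?php\n/**\n * Plugin Name: Legacy SSO\n * Update URI: false\n */\n",
}


def scan(plugins: dict) -> list:
    """Return the basenames of plugins whose updates are unbound, i.e. open to
    hijacking through the Plugin Directory if nobody has claimed the slug."""
    return [name for name, src in plugins.items()
            if classify_plugin(name, src)["status"] == "unbound"]


if __name__ == "__main__":
    for name, src in SAMPLE_PLUGINS.items():
        print(f"{name:32} {classify_plugin(name, src)['status']}")
    print("needs attention:", scan(SAMPLE_PLUGINS))
```

In a real audit the inputs would be the main file of every directory under wp-content/plugins; the fix for an "unbound" plugin is to add `Update URI: false` (no updates) or point it at the server that actually ships its updates, which keeps WordPress from asking WordPress.org about a slug the site never registered.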