WordPress — свободно распространяемая система управления содержимым сайта с открытым исходным кодом.

Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7.

WordPress before 5.2.3 allows reflected XSS in the dashboard.

WordPress before 5.2.3 allows XSS in post previews by authenticated users.

WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.

WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.

WordPress before 5.2.3 allows XSS in shortcode previews.

In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect.

WordPress before 5.2.3 allows XSS in stored comments.

WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.