WordPress — свободно распространяемая система управления содержимым сайта с открытым исходным кодом.

The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role.

In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public.

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript: substring.

WordPress before 5.3.1 allowed an attacker to create a cross-site scripting attack (XSS) in well crafted links, because of an insufficient protection mechanism in wp_targeted_link_rel in wp-includes/formatting.php.

WordPress before 5.3.1 allowed an unauthenticated user to make a post sticky through the REST API because of missing access control in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php.

WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header.

WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements.

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters.

In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.

WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF.