WordPress — свободно распространяемая система управления содержимым сайта с открытым исходным кодом.

Релизный цикл, информация об уязвимостях

Продукт: WordPress

Вендор: Wordpress

График релизов

Недавние уязвимости WordPress

Количество 1 894

CVE-2016-10148

больше 8 лет назад

The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.p ...

CVSS3: 4.3

EPSS: Низкий

CVE-2016-10148

больше 8 лет назад

The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896.

CVSS3: 4.3

EPSS: Низкий

CVE-2016-6897

больше 8 лет назад

Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.

CVSS3: 6.5

EPSS: Средний

CVE-2016-6896

больше 8 лет назад

Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool.

CVSS3: 7.1

EPSS: Средний

CVE-2017-5493

больше 8 лет назад

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.

CVSS3: 7.5

EPSS: Низкий

CVE-2017-5493

больше 8 лет назад

wp-includes/ms-functions.php in the Multisite WordPress API in WordPre ...

CVSS3: 7.5

EPSS: Низкий

CVE-2017-5492

больше 8 лет назад

Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.

CVSS3: 8.8

EPSS: Низкий

CVE-2017-5492

больше 8 лет назад

Cross-site request forgery (CSRF) vulnerability in the widget-editing ...

CVSS3: 8.8

EPSS: Низкий

CVE-2017-5491

больше 8 лет назад

wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name.

CVSS3: 5.3

EPSS: Низкий

CVE-2017-5491

больше 8 лет назад

wp-mail.php in WordPress before 4.7.1 might allow remote attackers to ...

CVSS3: 5.3

EPSS: Низкий

Уязвимостей на страницу

Уязвимость	CVSS	EPSS	Опубликовано 1
CVE-2016-10148 The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.p ...	CVSS3: 4.3	0% Низкий	больше 8 лет назад
CVE-2016-10148 The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896.	CVSS3: 4.3	0% Низкий	больше 8 лет назад
CVE-2016-6897 Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.	CVSS3: 6.5	29% Средний	больше 8 лет назад
CVE-2016-6896 Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool.	CVSS3: 7.1	24% Средний	больше 8 лет назад
CVE-2017-5493 wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.	CVSS3: 7.5	2% Низкий	больше 8 лет назад
CVE-2017-5493 wp-includes/ms-functions.php in the Multisite WordPress API in WordPre ...	CVSS3: 7.5	2% Низкий	больше 8 лет назад
CVE-2017-5492 Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.	CVSS3: 8.8	1% Низкий	больше 8 лет назад
CVE-2017-5492 Cross-site request forgery (CSRF) vulnerability in the widget-editing ...	CVSS3: 8.8	1% Низкий	больше 8 лет назад
CVE-2017-5491 wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name.	CVSS3: 5.3	2% Низкий	больше 8 лет назад
CVE-2017-5491 wp-mail.php in WordPress before 4.7.1 might allow remote attackers to ...	CVSS3: 5.3	2% Низкий	больше 8 лет назад

Уязвимостей на страницу