exploitDog

product: "wordpress"

Count: 1 894
| Vulnerability | Description | CVSS3 | EPSS | Published |
|---|---|---|---|---|
| GHSA-cv8p-7fxf-fmqr | Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 4.1.2, when MySQL is used without strict mode, allow remote attackers to inject arbitrary web script or HTML via a (1) four-byte UTF-8 character or (2) invalid character that reaches the database layer, as demonstrated by a crafted character in a comment. | | 1% (Low) | about 3 years ago |
| GHSA-crmp-658v-vhrp | PHP remote file inclusion vulnerability in wp-links/links.all.php in WordPress 0.70 allows remote attackers to execute arbitrary PHP code via a URL in the $abspath variable. | | 1% (Low) | more than 3 years ago |
| GHSA-chfm-w5r6-r24m | WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed. | 7.5 | 1% (Low) | about 3 years ago |
| GHSA-ch98-pvvc-v52h | Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. | 6.1 | 5% (Low) | about 3 years ago |
| GHSA-cg2j-v6g7-3q66 | Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.php. | | 1% (Low) | about 3 years ago |
| GHSA-ccmp-622j-3xf7 | Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. | 6.1 | 7% (Low) | about 3 years ago |
| GHSA-cc7r-mf7w-vgrj | Multiple cross-site scripting (XSS) vulnerabilities in template-functions-post.php in WordPress 1.5 and earlier allow remote attackers to execute arbitrary commands via the (1) content or (2) title of the post. | | 1% (Low) | more than 3 years ago |
| GHSA-c3x3-frh6-qx5w | Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename. | 7.5 | 28% (Medium) | about 3 years ago |
| GHSA-c2wg-9wh8-qj37 | Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3440. | 6.1 | 1% (Low) | about 3 years ago |
| GHSA-9xr7-2f3f-frc6 | wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string. | 8.8 | 5% (Low) | about 3 years ago |
| GHSA-9xf3-qrpw-5fjc | WordPress allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a file with a binary content type, which is downloaded even though it cannot contain usable pingback data. | | 5% (Low) | more than 3 years ago |
| GHSA-9wxp-5v2c-r6xv | wp-login.php in WordPress allows remote attackers to redirect authenticated users to other websites and potentially obtain sensitive information via the redirect_to parameter. | | 1% (Low) | more than 3 years ago |
| GHSA-9vwr-ww7h-qvv8 | WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs. | 9.8 | 5% (Low) | about 3 years ago |
| GHSA-9q3x-8xjm-8642 | Cross-site scripting (XSS) vulnerability in the administrator interface in WordPress before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via a comment author URL. | | 2% (Low) | more than 3 years ago |
| GHSA-9mm4-3grj-7cx7 | WordPress before 1.5.2 allows remote attackers to obtain sensitive information via a direct request to (1) wp-includes/vars.php, (2) wp-content/plugins/hello.php, (3) wp-admin/upgrade-functions.php, (4) wp-admin/edit-form.php, (5) wp-settings.php, and (6) wp-admin/edit-form-comment.php, which leaks the path in an error message related to undefined functions or failed includes. NOTE: the wp-admin/menu-header.php vector is already covered by CVE-2005-2110. NOTE: the vars.php, edit-form.php, wp-settings.php, and edit-form-comment.php vectors were also reported to affect WordPress 2.0.1. | | 2% (Low) | more than 3 years ago |
| GHSA-9575-g3v2-v59w | Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php. | 6.1 | 1% (Low) | about 3 years ago |
| GHSA-955q-3rq6-3m73 | Multiple cross-site scripting (XSS) vulnerabilities in the "post comment" functionality of WordPress 2.0.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) website, and (3) comment parameters. | | 1% (Low) | more than 3 years ago |
| GHSA-94q7-f538-38mf | wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in the REST API implementation in WordPress 4.7 before 4.7.1 does not properly restrict listings of post authors, which allows remote attackers to obtain sensitive information via a wp-json/wp/v2/users request. | 5.3 | 92% (Critical) | about 3 years ago |
| GHSA-94pj-jgcq-pjjg | WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file. | 4.7 | 1% (Low) | about 3 years ago |
| GHSA-94cf-q7rf-65xg | WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC. | 9.8 | 4% (Low) | about 3 years ago |