Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): cpe:2.3:a:wordpress:wordpress:5.0.9:*:*:*:*:*:*:*
- CPE Name Search: true
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2019-17675 |
WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to CSRF. Published: October 17, 2019; 9:15:11 AM -0400 |
V3.1: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2019-17674 |
WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripting) via the Customizer. Published: October 17, 2019; 9:15:11 AM -0400 |
V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2019-17673 |
WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header. Published: October 17, 2019; 9:15:11 AM -0400 |
V3.1: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2019-17672 |
WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements. Published: October 17, 2019; 9:15:11 AM -0400 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2019-17671 |
In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled. Published: October 17, 2019; 9:15:10 AM -0400 |
V3.1: 5.3 MEDIUM V2.0: 5.0 MEDIUM |
CVE-2019-17670 |
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs. Published: October 17, 2019; 9:15:10 AM -0400 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2019-17669 |
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because URL validation does not consider the interpretation of a name as a series of hex characters. Published: October 17, 2019; 9:15:10 AM -0400 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2019-16223 |
WordPress before 5.2.3 allows XSS in post previews by authenticated users. Published: September 11, 2019; 10:15:12 AM -0400 |
V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2019-16222 |
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks. Published: September 11, 2019; 10:15:12 AM -0400 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2019-16221 |
WordPress before 5.2.3 allows reflected XSS in the dashboard. Published: September 11, 2019; 10:15:12 AM -0400 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2019-16220 |
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect. Published: September 11, 2019; 10:15:11 AM -0400 |
V3.1: 6.1 MEDIUM V2.0: 5.8 MEDIUM |
CVE-2019-16219 |
WordPress before 5.2.3 allows XSS in shortcode previews. Published: September 11, 2019; 10:15:11 AM -0400 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2019-16218 |
WordPress before 5.2.3 allows XSS in stored comments. Published: September 11, 2019; 10:15:11 AM -0400 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2019-16217 |
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. Published: September 11, 2019; 10:15:11 AM -0400 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2019-9787 |
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php. Published: March 14, 2019; 12:29:00 PM -0400 |
V3.0: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2018-19296 |
PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. Published: November 16, 2018; 4:29:00 AM -0500 |
V3.1: 8.8 HIGH V2.0: 6.8 MEDIUM |
CVE-2013-5918 |
Cross-site scripting (XSS) vulnerability in platinum_seo_pack.php in the Platinum SEO plugin before 1.3.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter. Published: September 23, 2013; 6:18:59 AM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2012-2759 |
Cross-site scripting (XSS) vulnerability in login-with-ajax.php in the Login With Ajax (aka login-with-ajax) plugin before 3.0.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the callback parameter in a lostpassword action to wp-login.php. Published: May 22, 2012; 12:55:01 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2012-2920 |
Cross-site scripting (XSS) vulnerability in the userphoto_options_page function in user-photo.php in the User Photo plugin before 0.9.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to wp-admin/options-general.php. NOTE: some of these details are obtained from third party information. Published: May 21, 2012; 6:55:01 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2012-2917 |
Cross-site scripting (XSS) vulnerability in the Share and Follow plugin 1.80.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the CDN API Key (cnd-key) in a share-and-follow-menu page to wp-admin/admin.php. Published: May 21, 2012; 2:55:07 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |