wordpress

In WordPress before version 5.8.1, output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can...

One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor...

A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XML external entity injection...

WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.

is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key...

WordPress before 5.5.2 allows stored XSS via post slugs.

is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an...

wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.

WordPress before 5.5.2 allows attackers to gain privileges via XML- RPC.

WordPress before 5.5.2 allows XSS associated with global variables.

WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.

WordPress before 5.5.2 mishandles deserialization requests in wp- includes/Requests/Utility/FilteredIterator.php.

WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an...

WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string,...

A cross-site request forgery (CSRF) vulnerability exists on the Press This page of WordPress. This issue can be used to create a Denial of Service (DoS)...

A cross-site scripting (XSS) vulnerability has been discovered in WordPress before 4.7.3 (wp-admin/js/tags-box.js) via taxonomy term names.

An authenticated cross-site scripting (XSS) vulnerability has been discovered in in WordPress before 4.7.3 (wp-includes/embed.php) via YouTube URL Embeds.

It has been discovered that unintended files can be deleted by administrators in WordPress before 4.7.3 (wp-admin/plugins.php) using the plugin deletion...

A vulnerability has been discovered in WordPress before 4.7.3 (wp- includes/pluggable.php) that certain control characters can trick redirect URL validation.

An authenticated cross-site scripting (XSS) vulnerability has been discovered in WordPress before 4.7.3 via Media File Metadata. This is demonstrated by...

An insufficient validation vulnerability has been discovered in wordpress leading to weak cryptographic security for multisite activation key.

A cross-site request forgery (CSRF) vulnerability has been discovered in wordpress in the accessibility mode of widget editing.

A vulnerability has been discovered in wordpress allowing to post via email as it checks for mail.example.com if default settings aren't changed.

A cross-site scripting (XSS) vulnerability has been discovered in wordpress via theme name fallback.

A cross-site request forgery (CSRF) bypass has been discovered in wordpress via uploading a Flash file.

A cross-site scripting (XSS) vulnerability has been discovered in wordpress via the plugin name or version header on update-core.php.

A vulnerability has been discovered in wordpress exposing user data for all users who had authored a post of a public post type via the REST API. wordpress...

It has been discovered that the first patch of the vulnerability CVE-2016-10033 in PHPMailer was incomplete and could potentially still be used by...

A vulnerability has been discovered in PHPMailer that could potentially be used by unauthenticated remote attackers to achieve remote arbitrary code...

A path traversal vulnerability has been discovered in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.

A cross-site scripting vulnerability has been discovered via a malicious image filename, reported by SumOfPwn researcher Cengiz Han Sahin. A WordPress admin...