wordpress

Link package | bugs open | bugs closed | Wiki | GitHub | web search
Description Blog tool and publishing platform
Version 4.9.6-1 [community]

Resolved

Group Affected Fixed Severity Status Ticket
AVG-202 4.7.2-1 4.7.3-1 Medium Fixed
AVG-142 4.7-1 4.7.1-1 High Fixed FS#52555
AVG-39 4.6.0-1 4.6.1-1 High Fixed
Issue Group Severity Remote Type Description
CVE-2017-6819 AVG-202 Medium Yes Cross-site request forgery
A cross-site request forgery (CSRF) vulnerability exists on the Press This page of WordPress. This issue can be used to create a Denial of Service (DoS)...
CVE-2017-6818 AVG-202 Medium Yes Cross-site scripting
A cross-site scripting (XSS) vulnerability has been discovered in WordPress before 4.7.3 (wp-admin/js/tags-box.js) via taxonomy term names.
CVE-2017-6817 AVG-202 Medium Yes Cross-site scripting
An authenticated cross-site scripting (XSS) vulnerability has been discovered in in WordPress before 4.7.3 (wp-includes/embed.php) via YouTube URL Embeds.
CVE-2017-6816 AVG-202 Medium Yes Insufficient validation
It has been discovered that unintended files can be deleted by administrators in WordPress before 4.7.3 (wp-admin/plugins.php) using the plugin deletion...
CVE-2017-6815 AVG-202 Medium Yes Insufficient validation
A vulnerability has been discovered in WordPress before 4.7.3 (wp- includes/pluggable.php) that certain control characters can trick redirect URL validation.
CVE-2017-6814 AVG-202 Medium Yes Cross-site scripting
An authenticated cross-site scripting (XSS) vulnerability has been discovered in WordPress before 4.7.3 via Media File Metadata. This is demonstrated by...
CVE-2017-5493 AVG-142 Low Yes Insufficient validation
An insufficient validation vulnerability has been discovered in wordpress leading to weak cryptographic security for multisite activation key.
CVE-2017-5492 AVG-142 Medium Yes Cross-site request forgery
A cross-site request forgery (CSRF) vulnerability has been discovered in wordpress in the accessibility mode of widget editing.
CVE-2017-5491 AVG-142 Low Yes Access restriction bypass
A vulnerability has been discovered in wordpress allowing to post via email as it checks for mail.example.com if default settings aren't changed.
CVE-2017-5490 AVG-142 High Yes Cross-site scripting
A cross-site scripting (XSS) vulnerability has been discovered in wordpress via theme name fallback.
CVE-2017-5489 AVG-142 Medium Yes Cross-site request forgery
A cross-site request forgery (CSRF) bypass has been discovered in wordpress via uploading a Flash file.
CVE-2017-5488 AVG-142 High Yes Cross-site scripting
A cross-site scripting (XSS) vulnerability has been discovered in wordpress via the plugin name or version header on update-core.php.
CVE-2017-5487 AVG-142 Medium Yes Access restriction bypass
A vulnerability has been discovered in wordpress exposing user data for all users who had authored a post of a public post type via the REST API. wordpress...
CVE-2016-7169 AVG-39 High Yes Directory traversal
A path traversal vulnerability has been discovered in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.
CVE-2016-7168 AVG-39 Medium Yes Cross-site scripting
A cross-site scripting vulnerability has been discovered via a malicious image filename, reported by SumOfPwn researcher Cengiz Han Sahin. A WordPress admin...
CVE-2016-10045 AVG-142 High Yes Arbitrary code execution
It has been discovered that the first patch of the vulnerability CVE-2016-10033 in PHPMailer was incomplete and could potentially still be used by...
CVE-2016-10033 AVG-142 High Yes Arbitrary code execution
A vulnerability has been discovered in PHPMailer that could potentially be used by unauthenticated remote attackers to achieve remote arbitrary code...

Advisories

Date Advisory Group Severity Description
16 Mar 2017 ASA-201703-14 AVG-202 Medium multiple issues
15 Jan 2017 ASA-201701-22 AVG-142 High multiple issues
30 Sep 2016 ASA-201609-32 AVG-39 High multiple issues