wordpress

Description: Blog tool and publishing platform
Version: 5.2.1-1 [community]

Resolved

Group     Affected   Fixed     Severity   Status   Ticket
AVG-910   5.0.0-1    5.0.1-1   Critical   Fixed
AVG-909   5.0.3-1    5.1-1     High       Fixed
AVG-202   4.7.2-1    4.7.3-1   Medium     Fixed
AVG-142   4.7-1      4.7.1-1   High       Fixed    FS#52555
AVG-39    4.6.0-1    4.6.1-1   High       Fixed
Issue           Group     Severity   Remote   Type
CVE-2019-8943   AVG-909   High       Yes      Directory traversal
    WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an...
CVE-2019-8942   AVG-910   Critical   Yes      Arbitrary code execution
    WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string,...
CVE-2017-6819   AVG-202   Medium     Yes      Cross-site request forgery
    A cross-site request forgery (CSRF) vulnerability exists on the Press This page of WordPress. This issue can be used to create a Denial of Service (DoS)...
CVE-2017-6818   AVG-202   Medium     Yes      Cross-site scripting
    A cross-site scripting (XSS) vulnerability has been discovered in WordPress before 4.7.3 (wp-admin/js/tags-box.js) via taxonomy term names.
CVE-2017-6817   AVG-202   Medium     Yes      Cross-site scripting
    An authenticated cross-site scripting (XSS) vulnerability has been discovered in WordPress before 4.7.3 (wp-includes/embed.php) via YouTube URL Embeds.
CVE-2017-6816   AVG-202   Medium     Yes      Insufficient validation
    It has been discovered that unintended files can be deleted by administrators in WordPress before 4.7.3 (wp-admin/plugins.php) using the plugin deletion...
CVE-2017-6815   AVG-202   Medium     Yes      Insufficient validation
    A vulnerability has been discovered in WordPress before 4.7.3 (wp-includes/pluggable.php) in which certain control characters can trick redirect URL validation.
CVE-2017-6814   AVG-202   Medium     Yes      Cross-site scripting
    An authenticated cross-site scripting (XSS) vulnerability has been discovered in WordPress before 4.7.3 via Media File Metadata. This is demonstrated by...
CVE-2017-5493   AVG-142   Low        Yes      Insufficient validation
    An insufficient validation vulnerability has been discovered in WordPress leading to weak cryptographic security for the multisite activation key.
CVE-2017-5492   AVG-142   Medium     Yes      Cross-site request forgery
    A cross-site request forgery (CSRF) vulnerability has been discovered in WordPress in the accessibility mode of widget editing.
CVE-2017-5491   AVG-142   Low        Yes      Access restriction bypass
    A vulnerability has been discovered in WordPress allowing posting via email, as it checks for mail.example.com if the default settings aren't changed.
CVE-2017-5490   AVG-142   High       Yes      Cross-site scripting
    A cross-site scripting (XSS) vulnerability has been discovered in WordPress via theme name fallback.
CVE-2017-5489   AVG-142   Medium     Yes      Cross-site request forgery
    A cross-site request forgery (CSRF) bypass has been discovered in WordPress via uploading a Flash file.
CVE-2017-5488   AVG-142   High       Yes      Cross-site scripting
    A cross-site scripting (XSS) vulnerability has been discovered in WordPress via the plugin name or version header on update-core.php.
CVE-2017-5487   AVG-142   Medium     Yes      Access restriction bypass
    A vulnerability has been discovered in WordPress exposing user data for all users who had authored a post of a public post type via the REST API. WordPress...
CVE-2016-10045  AVG-142   High       Yes      Arbitrary code execution
    It has been discovered that the first patch of the vulnerability CVE-2016-10033 in PHPMailer was incomplete and could potentially still be used by...
CVE-2016-10033  AVG-142   High       Yes      Arbitrary code execution
    A vulnerability has been discovered in PHPMailer that could potentially be used by unauthenticated remote attackers to achieve remote arbitrary code...
CVE-2016-7169   AVG-39    High       Yes      Directory traversal
    A path traversal vulnerability has been discovered in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.
CVE-2016-7168   AVG-39    Medium     Yes      Cross-site scripting
    A cross-site scripting vulnerability has been discovered via a malicious image filename, reported by SumOfPwn researcher Cengiz Han Sahin. A WordPress admin...

Advisories

Date          Advisory        Group     Severity   Description
18 Mar 2019   ASA-201903-10   AVG-909   High       directory traversal
16 Mar 2017   ASA-201703-14   AVG-202   Medium     multiple issues
15 Jan 2017   ASA-201701-22   AVG-142   High       multiple issues
30 Sep 2016   ASA-201609-32   AVG-39    High       multiple issues