wordpress

Link package | bugs open | bugs closed | Wiki | GitHub | web search
Description Blog tool and publishing platform
Version 5.8.3-1 [community]

Resolved

Group Affected Fixed Severity Status Ticket
AVG-2373 5.8-1 5.8.1-1 Medium Fixed
AVG-1831 5.7-1 5.7.1-1 Medium Fixed
AVG-1257 5.5.1-1 5.5.3-1 Critical Fixed
AVG-910 5.0.0-1 5.0.1-1 Critical Fixed
AVG-909 5.0.3-1 5.1-1 High Fixed
AVG-202 4.7.2-1 4.7.3-1 Medium Fixed
AVG-142 4.7-1 4.7.1-1 High Fixed FS#52555
AVG-39 4.6.0-1 4.6.1-1 High Fixed
Issue Group Severity Remote Type Description
CVE-2021-39200 AVG-2373 Medium Yes Information disclosure
In WordPress before version 5.8.1, output data of the function wp_die() can be leaked under certain conditions, which can include data like nonces. It can...
CVE-2021-29450 AVG-1831 Medium Yes Information disclosure
One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor...
CVE-2021-29447 AVG-1831 Medium Yes Xml external entity injection
A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XML external entity injection...
CVE-2020-28040 AVG-1257 High Yes Cross-site request forgery
WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.
CVE-2020-28039 AVG-1257 High Yes Insufficient validation
is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key...
CVE-2020-28038 AVG-1257 High Yes Cross-site scripting
WordPress before 5.5.2 allows stored XSS via post slugs.
CVE-2020-28037 AVG-1257 Critical Yes Arbitrary code execution
is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an...
CVE-2020-28036 AVG-1257 High Yes Privilege escalation
wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.
CVE-2020-28035 AVG-1257 High Yes Privilege escalation
WordPress before 5.5.2 allows attackers to gain privileges via XML- RPC.
CVE-2020-28034 AVG-1257 High Yes Cross-site scripting
WordPress before 5.5.2 allows XSS associated with global variables.
CVE-2020-28033 AVG-1257 Medium Yes Insufficient validation
WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.
CVE-2020-28032 AVG-1257 High Yes Arbitrary code execution
WordPress before 5.5.2 mishandles deserialization requests in wp- includes/Requests/Utility/FilteredIterator.php.
CVE-2019-8943 AVG-909 High Yes Directory traversal
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an...
CVE-2019-8942 AVG-910 Critical Yes Arbitrary code execution
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string,...
CVE-2017-6819 AVG-202 Medium Yes Cross-site request forgery
A cross-site request forgery (CSRF) vulnerability exists on the Press This page of WordPress. This issue can be used to create a Denial of Service (DoS)...
CVE-2017-6818 AVG-202 Medium Yes Cross-site scripting
A cross-site scripting (XSS) vulnerability has been discovered in WordPress before 4.7.3 (wp-admin/js/tags-box.js) via taxonomy term names.
CVE-2017-6817 AVG-202 Medium Yes Cross-site scripting
An authenticated cross-site scripting (XSS) vulnerability has been discovered in in WordPress before 4.7.3 (wp-includes/embed.php) via YouTube URL Embeds.
CVE-2017-6816 AVG-202 Medium Yes Insufficient validation
It has been discovered that unintended files can be deleted by administrators in WordPress before 4.7.3 (wp-admin/plugins.php) using the plugin deletion...
CVE-2017-6815 AVG-202 Medium Yes Insufficient validation
A vulnerability has been discovered in WordPress before 4.7.3 (wp- includes/pluggable.php) that certain control characters can trick redirect URL validation.
CVE-2017-6814 AVG-202 Medium Yes Cross-site scripting
An authenticated cross-site scripting (XSS) vulnerability has been discovered in WordPress before 4.7.3 via Media File Metadata. This is demonstrated by...
CVE-2017-5493 AVG-142 Low Yes Insufficient validation
An insufficient validation vulnerability has been discovered in wordpress leading to weak cryptographic security for multisite activation key.
CVE-2017-5492 AVG-142 Medium Yes Cross-site request forgery
A cross-site request forgery (CSRF) vulnerability has been discovered in wordpress in the accessibility mode of widget editing.
CVE-2017-5491 AVG-142 Low Yes Access restriction bypass
A vulnerability has been discovered in wordpress allowing to post via email as it checks for mail.example.com if default settings aren't changed.
CVE-2017-5490 AVG-142 High Yes Cross-site scripting
A cross-site scripting (XSS) vulnerability has been discovered in wordpress via theme name fallback.
CVE-2017-5489 AVG-142 Medium Yes Cross-site request forgery
A cross-site request forgery (CSRF) bypass has been discovered in wordpress via uploading a Flash file.
CVE-2017-5488 AVG-142 High Yes Cross-site scripting
A cross-site scripting (XSS) vulnerability has been discovered in wordpress via the plugin name or version header on update-core.php.
CVE-2017-5487 AVG-142 Medium Yes Access restriction bypass
A vulnerability has been discovered in wordpress exposing user data for all users who had authored a post of a public post type via the REST API. wordpress...
CVE-2016-10045 AVG-142 High Yes Arbitrary code execution
It has been discovered that the first patch of the vulnerability CVE-2016-10033 in PHPMailer was incomplete and could potentially still be used by...
CVE-2016-10033 AVG-142 High Yes Arbitrary code execution
A vulnerability has been discovered in PHPMailer that could potentially be used by unauthenticated remote attackers to achieve remote arbitrary code...
CVE-2016-7169 AVG-39 High Yes Directory traversal
A path traversal vulnerability has been discovered in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.
CVE-2016-7168 AVG-39 Medium Yes Cross-site scripting
A cross-site scripting vulnerability has been discovered via a malicious image filename, reported by SumOfPwn researcher Cengiz Han Sahin. A WordPress admin...

Advisories

Date Advisory Group Severity Type
03 Nov 2020 ASA-202011-3 AVG-1257 Critical multiple issues
18 Mar 2019 ASA-201903-10 AVG-909 High directory traversal
16 Mar 2017 ASA-201703-14 AVG-202 Medium multiple issues
15 Jan 2017 ASA-201701-22 AVG-142 High multiple issues
30 Sep 2016 ASA-201609-32 AVG-39 High multiple issues