Vulnerabilities for 'Wordpress'

2019-09-11

CVE-2019-16223 (CWE-79)
WordPress before 5.2.3 allows XSS in post previews by authenticated users.

CVE-2019-16222 (CWE-79)
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.

CVE-2019-16221 (CWE-79)
WordPress before 5.2.3 allows reflected XSS in the dashboard.

CVE-2019-16220 (CWE-601)
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect.

CVE-2019-16219 (CWE-79)
WordPress before 5.2.3 allows XSS in shortcode previews.

CVE-2019-16218 (CWE-79)
WordPress before 5.2.3 allows XSS in stored comments.

CVE-2019-16217 (CWE-79)
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.

2019-05-22

CVE-2017-6514 (CWE-200)
WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring.

2019-03-14

CVE-2019-9787 (CWE-352)
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

2019-02-19

CVE-2019-8943 (CWE-22)
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.


Copyright 2019, cxsecurity.com