Vulnerabilities for 'Wordpress'

2021-04-15

CVE-2021-29450
CWE-200

Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.

CVE-2021-29447
CWE-611

Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires the WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.

2020-11-02

CVE-2020-28040
CWE-352

WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.

CVE-2020-28039
NVD-CWE-noinfo

is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.

CVE-2020-28038
CWE-79

WordPress before 5.5.2 allows stored XSS via post slugs.

CVE-2020-28037
CWE-20

is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).

CVE-2020-28036
CWE-269

wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.

CVE-2020-28035
CWE-269

WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.

CVE-2020-28034
CWE-79

WordPress before 5.5.2 allows XSS associated with global variables.

CVE-2020-28033
NVD-CWE-noinfo

WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.



Copyright 2021, cxsecurity.com
