Shodan
Vulnerabilities
Vulnerable Software
Wordpress:  >> Wordpress  >> 3.7  Security Vulnerabilities
CVE-2021-44223
WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.
CVSS Score
8.1
EPSS Score
0.387
Published
2021-11-25
CVE-2020-36326
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
CVSS Score
9.8
EPSS Score
0.011
Published
2021-04-28
CVE-2020-28038
WordPress before 5.5.2 allows stored XSS via post slugs.
CVSS Score
6.1
EPSS Score
0.16
Published
2020-11-02
CVE-2020-28039
is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.
CVSS Score
9.1
EPSS Score
0.06
Published
2020-11-02
CVE-2020-28040
WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.
CVSS Score
4.3
EPSS Score
0.003
Published
2020-11-02
CVE-2020-28032
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
CVSS Score
9.8
EPSS Score
0.207
Published
2020-11-02
CVE-2020-28033
WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.
CVSS Score
7.5
EPSS Score
0.013
Published
2020-11-02
CVE-2020-28034
WordPress before 5.5.2 allows XSS associated with global variables.
CVSS Score
6.1
EPSS Score
0.027
Published
2020-11-02
CVE-2020-28035
WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.
CVSS Score
9.8
EPSS Score
0.049
Published
2020-11-02
CVE-2020-28036
wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.
CVSS Score
9.8
EPSS Score
0.048
Published
2020-11-02


Products
Pricing
Contact Us

Shodan ® - All rights reserved