WordPress Security Vulnerabilities
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, that fix removed the code that had blocked addAttachment exploitation.
CVSS Score: 9.8
EPSS Score: 0.015
Published: 2021-04-28
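The entry above describes the trigger: any path handed to addAttachment that PHP's stream layer resolves through the phar:// wrapper (or that reaches a remote share via UNC notation) gets its archive metadata unserialize()d, and an attacker who controls that archive controls the objects that come back. The following is an added example, not PHPMailer's or WordPress's own code, of the gate an application should keep in front of addAttachment regardless of the PHPMailer version it ships: it refuses stream wrappers and UNC paths by string inspection before any filesystem call runs on them, then confines the resolved path to an allowed directory. PHPMailer's class and addAttachment() signature are real; the ATTACHMENT_DIR constant and the helper names are assumptions made for this example.

```php
<?php
// Added example (not PHPMailer's or WordPress's code). Assumes a Composer
// install of PHPMailer and an application-chosen attachment directory.
require __DIR__ . '/vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;

// Assumed: the only directory attachments may be read from.
define('ATTACHMENT_DIR', __DIR__ . '/attachments');

/**
 * Accept only a plain, local, existing regular file inside ATTACHMENT_DIR.
 *
 * Order matters: the string checks run BEFORE realpath()/is_file(), because
 * those functions are exactly the calls that make PHP open a phar:// target
 * (and unserialize its metadata) or contact a UNC share.
 */
function is_safe_attachment_path(string $path): bool
{
    // Any "scheme://" prefix selects a PHP stream wrapper (phar://, php://,
    // data:, ftp://, ...). None of them is a legitimate local attachment.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        return false;
    }
    // UNC notation: \\server\share\file or the //server/share form.
    if (preg_match('#^(\\\\\\\\|//)#', $path)) {
        return false;
    }
    // Null bytes and CR/LF have no place in a filename either.
    if (preg_match('/[\x00\r\n]/', $path)) {
        return false;
    }
    // Now it is safe to touch the filesystem: resolve symlinks and "..",
    // then require a regular file strictly below the allowed base.
    $real = realpath($path);
    $base = realpath(ATTACHMENT_DIR);
    if ($real === false || $base === false || !is_file($real)) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0;
}

/**
 * Thin wrapper so call sites cannot reach addAttachment() with an unvetted path.
 */
function add_vetted_attachment(PHPMailer $mail, string $path, string $name = ''): void
{
    if (!is_safe_attachment_path($path)) {
        throw new InvalidArgumentException('Refusing attachment path: ' . $path);
    }
    // addAttachment() returns false (or throws, if the mailer was built with
    // exceptions enabled) on unreadable files; surface that rather than ignore it.
    if (!$mail->addAttachment($path, $name)) {
        throw new RuntimeException('PHPMailer rejected attachment: ' . $mail->ErrorInfo);
    }
}

// Usage with a few constructed inputs; only the last one is accepted.
$mail = new PHPMailer(true);
foreach ([
    'phar://' . ATTACHMENT_DIR . '/evil.phar/x',   // stream wrapper: rejected
    '\\\\attacker.example\\share\\evil.phar',       // UNC: rejected
    ATTACHMENT_DIR . '/../../etc/passwd',          // escapes base dir: rejected
    ATTACHMENT_DIR . '/report.pdf',                // local, in base dir: accepted if it exists
] as $candidate) {
    try {
        add_vetted_attachment($mail, $candidate);
        echo "accepted: $candidate\n";
    } catch (Throwable $e) {
        echo get_class($e) . ': ' . $e->getMessage() . "\n";
    }
}
```

The wrapper check is the part that matters for this entry: PHP treats a phar:// URL as a readable file as soon as anything stat()s it, so a test such as is_file() or file_exists() is itself the exploit trigger. Keeping the regex checks ahead of every filesystem call is what makes the helper safe on vulnerable 6.1.8 through 6.4.0 builds as well as on fixed ones.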
WordPress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least Contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It is strongly recommended that you keep auto-updates enabled to receive the fix.
CVSS Score: 6.5
EPSS Score: 0.016
Published: 2021-04-15
WordPress is an open source CMS. A user with the ability to upload files (such as an Author) can exploit an XML parsing issue in the Media Library, leading to XXE attacks. This requires the WordPress installation to be running PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.
CVSS Score: 7.1
EPSS Score: 0.892
Published: 2021-04-15
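The entry above names the bug class (XXE in metadata parsed from uploaded media) without showing the parsing pattern that causes it. The following is an added example, not WordPress's own code, that puts the vulnerable pattern beside a hardened one on a constructed payload: the vulnerable parser asks libxml to substitute entities (LIBXML_NOENT), so an external entity that points at a local file is expanded into the parsed document; the hardened parser rejects any document that carries a DOCTYPE, never enables entity substitution, and forbids network access. The payload, the element name and the function names are assumptions made for this example.

```php
<?php
// Added example, not WordPress code. Constructed XXE payload: an external
// entity pointing at a local file, referenced from an ordinary element.
const PAYLOAD = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE r [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<r><name>&xxe;</name></r>
XML;

/**
 * Vulnerable pattern: LIBXML_NOENT tells libxml to substitute entities,
 * external ones included. Wherever the entity loader is permitted to run,
 * <name> comes back holding the contents of the referenced file.
 */
function parse_unsafe(string $xml): ?string
{
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    libxml_use_internal_errors($prev);
    return $doc === false ? null : (string) $doc->name;
}

/**
 * Hardened pattern for untrusted XML embedded in uploads:
 *  1. reject any DTD outright (uploaded media metadata never needs one),
 *  2. never pass LIBXML_NOENT, so entities are not substituted,
 *  3. pass LIBXML_NONET, so a reference that slips through cannot reach the
 *     network,
 *  4. after parsing, double-check through DOM that no doctype was attached.
 * Returns null when the document is rejected or malformed.
 */
function parse_safe(string $xml): ?string
{
    // Cheap pre-check on the raw bytes. Also refuse a UTF-16 BOM, which would
    // let "<!DOCTYPE" hide from a byte-level regex.
    if (str_starts_with($xml, "\xFF\xFE") || str_starts_with($xml, "\xFE\xFF")) {
        return null;
    }
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return null;
    }

    $prev = libxml_use_internal_errors(true);
    $dom  = new DOMDocument();
    $ok   = $dom->loadXML($xml, LIBXML_NONET | LIBXML_NOCDATA);
    libxml_use_internal_errors($prev);

    // Belt and braces: the parser itself tells us whether a DTD was present.
    if (!$ok || $dom->doctype !== null) {
        return null;
    }
    $node = $dom->getElementsByTagName('name')->item(0);
    return $node === null ? null : $node->textContent;
}

// Constructed inputs: the XXE payload and a benign document.
$benign = '<r><name>cover.jpg</name></r>';

echo "unsafe, payload: ", var_export(parse_unsafe(PAYLOAD), true), "\n";
echo "safe,   payload: ", var_export(parse_safe(PAYLOAD), true), "\n";   // rejected at the DOCTYPE check
echo "safe,   benign:  ", var_export(parse_safe($benign), true), "\n";  // parses normally
```

What parse_unsafe() prints depends on the PHP and libxml build, which is exactly the point of the entry's "requires PHP 8" caveat: whether an external entity is actually fetched is decided by the runtime's entity-loader defaults, not by the application's code, so an application that passes LIBXML_NOENT on untrusted input is one runtime upgrade away from an XXE. parse_safe() does not depend on those defaults; it refuses the DTD before libxml sees it and would still refuse it afterwards via $dom->doctype.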
WordPress before 5.5.2 allows stored XSS via post slugs.
CVSS Score: 6.1
EPSS Score: 0.103
Published: 2020-11-02
is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected.
CVSS Score: 9.1
EPSS Score: 0.06
Published: 2020-11-02
WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.
CVSS Score: 4.3
EPSS Score: 0.003
Published: 2020-11-02
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
CVSS Score: 9.8
EPSS Score: 0.39
Published: 2020-11-02
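The entry above only says that FilteredIterator "mishandles deserialization requests". The underlying bug class is a gadget: a class that stores a callable and invokes it during normal iteration is harmless when constructed by the application, but if an instance can be rebuilt by unserialize() from attacker data, the attacker chooses the callable. The following is an added example, not WordPress's or the Requests library's code, of a minimal iterator of that shape next to a hardened variant that refuses to be unserialized at all. Class names, the sample data and the callables are assumptions made for this example; a benign function stands in for what an attacker would choose.

```php
<?php
// Added example, not WordPress/Requests code (PHP 8.0+ syntax).

/** The gadget shape: element values pass through a stored callable. */
class FilteredList implements Iterator
{
    private int $i = 0;

    public function __construct(private array $data, public $callback) {}

    public function current(): mixed { return call_user_func($this->callback, $this->data[$this->i]); }
    public function key(): mixed     { return $this->i; }
    public function next(): void     { $this->i++; }
    public function rewind(): void   { $this->i = 0; }
    public function valid(): bool    { return $this->i < count($this->data); }
}

/**
 * Hardened variant. Rebuilding this object from serialized bytes is never a
 * legitimate operation, so __wakeup() (run by unserialize() right after the
 * object is populated, before any caller can iterate it) aborts outright.
 */
class SafeFilteredList extends FilteredList
{
    public function __wakeup(): void
    {
        throw new UnexpectedValueException(static::class . ' must not be unserialized');
    }
}

/**
 * Build a "crafted" payload from a legitimate one by swapping the callable.
 * strtoupper and strtolower have the same length, so the serialized string
 * length prefix stays valid; an attacker would simply write the bytes directly.
 */
function craft_payload(FilteredList $list): string
{
    return str_replace('strtoupper', 'strtolower', serialize($list));
}

/** Unserialize a payload and drain the iterator; report what happened. */
function consume(string $payload): string
{
    try {
        $obj = unserialize($payload);
        return 'iterated: ' . implode(',', iterator_to_array($obj));
    } catch (UnexpectedValueException $e) {
        return 'blocked: ' . $e->getMessage();
    }
}

// Constructed data. Normal use of both classes is identical.
$plain = new FilteredList(['Alpha', 'Beta'], 'strtoupper');
$safe  = new SafeFilteredList(['Alpha', 'Beta'], 'strtoupper');
echo implode(',', iterator_to_array($safe)), "\n";

// The vulnerable class runs whatever callable the payload names.
echo consume(craft_payload($plain)), "\n";

// The hardened class never gets as far as current().
echo consume(craft_payload($safe)), "\n";

// Independent layer at the call site: if a deserialization entry point cannot
// be removed, forbid object instantiation entirely so no gadget is reachable.
var_dump(unserialize(craft_payload($plain), ['allowed_classes' => false]) instanceof __PHP_Incomplete_Class);
```

Two layers are shown because they fail differently. The __wakeup() guard protects the class wherever it is loaded, including from entry points the class author never sees; the allowed_classes option protects one call site against every class, including ones that have no guard. On PHP 7.4 and later a class that defines __unserialize() takes precedence over __wakeup(), so a class that already implements the former must put the check there instead.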
WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.
CVSS Score: 7.5
EPSS Score: 0.007
Published: 2020-11-02
WordPress before 5.5.2 allows XSS associated with global variables.
CVSS Score: 6.1
EPSS Score: 0.016
Published: 2020-11-02
WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.
CVSS Score: 9.8
EPSS Score: 0.044
Published: 2020-11-02


Shodan ® - All rights reserved