Shodan
Vulnerabilities
Vulnerable Software
Wordpress:  >> Wordpress  >> 4.7.21  Security Vulnerabilities
CVE-2019-17671
In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.
CVSS Score
5.3
EPSS Score
0.729
Published
2019-10-17
CVE-2019-16221
WordPress before 5.2.3 allows reflected XSS in the dashboard.
CVSS Score
6.1
EPSS Score
0.011
Published
2019-09-11
CVE-2019-16222
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.
CVSS Score
6.1
EPSS Score
0.016
Published
2019-09-11
CVE-2019-16223
WordPress before 5.2.3 allows XSS in post previews by authenticated users.
CVSS Score
5.4
EPSS Score
0.038
Published
2019-09-11
CVE-2019-16217
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.
CVSS Score
6.1
EPSS Score
0.019
Published
2019-09-11
CVE-2019-16218
WordPress before 5.2.3 allows XSS in stored comments.
CVSS Score
6.1
EPSS Score
0.011
Published
2019-09-11
CVE-2019-16219
WordPress before 5.2.3 allows XSS in shortcode previews.
CVSS Score
6.1
EPSS Score
0.022
Published
2019-09-11
CVE-2019-16220
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash.
CVSS Score
6.1
EPSS Score
0.005
Published
2019-09-11
CVE-2019-9787
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.
CVSS Score
8.8
EPSS Score
0.857
Published
2019-03-14
CVE-2019-8942
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943.
CVSS Score
8.8
EPSS Score
0.915
Published
2019-02-20


Products
Pricing
Contact Us

Shodan ® - All rights reserved