Wordpress: Security Vulnerabilities
WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.
CVSS Score
9.8
EPSS Score
0.048
Published
2019-10-17
In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled.
CVSS Score
5.3
EPSS Score
0.729
Published
2019-10-17
WordPress before 5.2.3 allows reflected XSS in the dashboard.
CVSS Score
6.1
EPSS Score
0.011
Published
2019-09-11
WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.
CVSS Score
6.1
EPSS Score
0.016
Published
2019-09-11
WordPress before 5.2.3 allows XSS in post previews by authenticated users.
CVSS Score
5.4
EPSS Score
0.038
Published
2019-09-11
WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.
CVSS Score
6.1
EPSS Score
0.019
Published
2019-09-11
WordPress before 5.2.3 allows XSS in stored comments.
CVSS Score
6.1
EPSS Score
0.011
Published
2019-09-11
WordPress before 5.2.3 allows XSS in shortcode previews.
CVSS Score
6.1
EPSS Score
0.022
Published
2019-09-11
In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash.
CVSS Score
6.1
EPSS Score
0.005
Published
2019-09-11
WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring.
CVSS Score
5.3
EPSS Score
0.009
Published
2019-05-22