Wordpress: >> Wordpress >> 3.0.3 Security Vulnerabilities
Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.
CVSS Score
9.8
EPSS Score
0.104
Published
2017-09-23
Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.
CVSS Score
6.1
EPSS Score
0.077
Published
2017-09-23
Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php.
CVSS Score
5.4
EPSS Score
0.024
Published
2017-09-23
Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.
CVSS Score
6.1
EPSS Score
0.046
Published
2017-09-23
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename.
CVSS Score
6.1
EPSS Score
0.033
Published
2017-05-18
In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API.
CVSS Score
8.6
EPSS Score
0.017
Published
2017-05-18
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session.
CVSS Score
6.1
EPSS Score
0.014
Published
2017-05-18
In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials.
CVSS Score
8.8
EPSS Score
0.013
Published
2017-05-18
In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API.
CVSS Score
7.5
EPSS Score
0.035
Published
2017-05-18
In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF.
CVSS Score
8.6
EPSS Score
0.014
Published
2017-05-18