WordPress 2.6.3 Security Vulnerabilities
Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.
CVSS Score: 9.8
EPSS Score: 0.132
Published: 2017-09-23
Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.
CVSS Score: 6.1
EPSS Score: 0.077
Published: 2017-09-23
Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php.
CVSS Score: 5.4
EPSS Score: 0.042
Published: 2017-09-23
Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.
CVSS Score: 6.1
EPSS Score: 0.074
Published: 2017-09-23
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename.
CVSS Score: 6.1
EPSS Score: 0.015
Published: 2017-05-18
In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API.
CVSS Score: 8.6
EPSS Score: 0.015
Published: 2017-05-18
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session.
CVSS Score: 6.1
EPSS Score: 0.015
Published: 2017-05-18
In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials.
CVSS Score: 8.8
EPSS Score: 0.01
Published: 2017-05-18
In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API.
CVSS Score: 7.5
EPSS Score: 0.032
Published: 2017-05-18
In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF.
CVSS Score: 8.6
EPSS Score: 0.013
Published: 2017-05-18

