Wordpress: >> Wordpress >> 3.7.14 Security Vulnerabilities
Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components.
CVSS Score
7.5
EPSS Score
0.478
Published
2017-09-23
Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name.
CVSS Score
6.1
EPSS Score
0.02
Published
2017-09-23
Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name.
CVSS Score
6.1
EPSS Score
0.02
Published
2017-09-23
Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.
CVSS Score
9.8
EPSS Score
0.091
Published
2017-09-23
Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.
CVSS Score
6.1
EPSS Score
0.044
Published
2017-09-23
Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php.
CVSS Score
5.4
EPSS Score
0.045
Published
2017-09-23
Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.
CVSS Score
6.1
EPSS Score
0.05
Published
2017-09-23
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename.
CVSS Score
6.1
EPSS Score
0.018
Published
2017-05-18
In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API.
CVSS Score
8.6
EPSS Score
0.008
Published
2017-05-18
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session.
CVSS Score
6.1
EPSS Score
0.009
Published
2017-05-18