Wordpress: >> Wordpress >> 3.7.12 Security Vulnerabilities
Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components.
CVSS Score
7.5
EPSS Score
0.507
Published
2017-09-23
Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name.
CVSS Score
6.1
EPSS Score
0.026
Published
2017-09-23
Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name.
CVSS Score
6.1
EPSS Score
0.026
Published
2017-09-23
Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.
CVSS Score
9.8
EPSS Score
0.132
Published
2017-09-23
Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery.
CVSS Score
6.1
EPSS Score
0.077
Published
2017-09-23
Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php.
CVSS Score
5.4
EPSS Score
0.042
Published
2017-09-23
Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor.
CVSS Score
6.1
EPSS Score
0.074
Published
2017-09-23
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename.
CVSS Score
6.1
EPSS Score
0.015
Published
2017-05-18
In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API.
CVSS Score
8.6
EPSS Score
0.015
Published
2017-05-18
In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session.
CVSS Score
6.1
EPSS Score
0.015
Published
2017-05-18