Export limit exceeded: 11789 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11789 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-43497 | 1 Wordpress | 1 Wordpress | 2025-04-24 | 6.1 Medium |
| Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7. | ||||
| CVE-2022-21664 | 3 Debian, Fedoraproject, Wordpress | 3 Debian Linux, Fedora, Wordpress | 2025-04-23 | 7.4 High |
| WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. | ||||
| CVE-2022-21662 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-23 | 8 High |
| WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. | ||||
| CVE-2023-5561 | 1 Wordpress | 1 Wordpress | 2025-04-23 | 5.3 Medium |
| WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack | ||||
| CVE-2022-21663 | 3 Debian, Fedoraproject, Wordpress | 3 Debian Linux, Fedora, Wordpress | 2025-04-22 | 6.6 Medium |
| WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. | ||||
| CVE-2022-3590 | 1 Wordpress | 1 Wordpress | 2025-04-21 | 5.9 Medium |
| WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden. | ||||
| CVE-2017-14719 | 1 Wordpress | 1 Wordpress | 2025-04-20 | N/A |
| Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components. | ||||
| CVE-2017-14720 | 1 Wordpress | 1 Wordpress | 2025-04-20 | N/A |
| Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. | ||||
| CVE-2017-14721 | 1 Wordpress | 1 Wordpress | 2025-04-20 | N/A |
| Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name. | ||||
| CVE-2017-14722 | 1 Wordpress | 1 Wordpress | 2025-04-20 | N/A |
| Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename. | ||||
| CVE-2017-14723 | 1 Wordpress | 1 Wordpress | 2025-04-20 | N/A |
| Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks. | ||||
| CVE-2017-9066 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-20 | N/A |
| In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. | ||||
| CVE-2017-9065 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-20 | N/A |
| In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. | ||||
| CVE-2017-9064 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-20 | N/A |
| In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials. | ||||
| CVE-2017-9063 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-20 | N/A |
| In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability related to the Customizer exists, involving an invalid customization session. | ||||
| CVE-2017-9062 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-20 | N/A |
| In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. | ||||
| CVE-2017-9061 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-20 | N/A |
| In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename. | ||||
| CVE-2017-5612 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-20 | N/A |
| Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt. | ||||
| CVE-2017-5611 | 3 Debian, Oracle, Wordpress | 3 Debian Linux, Data Integrator, Wordpress | 2025-04-20 | 9.8 Critical |
| SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name. | ||||
| CVE-2017-5610 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2025-04-20 | N/A |
| wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms. | ||||