📦

wordpress

Vendor: wordpress

Login to add this product to WatchStack
Actively Exploited 1 CISA KEV List
PoC / Exploits 169 Code Available
Total RCEs 43 Remote Access
Total CVEs 2778 Total Indexed
Avg. EPSS 7.11% Exploit Prob.
Latest CVE CVE-2022-4973 Oct 16

Security Vulnerability Index

Page 7 / 278
5.4 CVSS
CVE-2019-16223
Exploit Found

WordPress before 5.2.3 allows XSS in post previews by authenticated users.

EPSS: 4.34%
6.1 CVSS
CVE-2019-16222

WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.

EPSS: 2.38%
6.1 CVSS
CVE-2019-16221

WordPress before 5.2.3 allows reflected XSS in the dashboard.

EPSS: 2.45%
6.1 CVSS
CVE-2019-16220

In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect if a provided URL path does not start with a forward slash.

EPSS: 0.82%
6.1 CVSS
CVE-2019-16219

WordPress before 5.2.3 allows XSS in shortcode previews.

EPSS: 4.68%
6.1 CVSS
CVE-2019-16218

WordPress before 5.2.3 allows XSS in stored comments.

EPSS: 2.45%
6.1 CVSS
CVE-2019-16217

WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.

EPSS: 2.58%
5.3 CVSS
CVE-2017-6514

WordPress 4.7.2 mishandles listings of post authors, which allows remote attackers to obtain sensitive information (Path Disclosure) via a /wp-json/oembed/1.0/embed?url= request, related to the "author_name":" substring.

EPSS: 1.37%
8.8 CVSS
CVE-2019-9787
RCE Exploit Found

WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

EPSS: 81.02%
6.5 CVSS
CVE-2019-8943
Exploit Found

WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

EPSS: 93.73%