WordPress 4.7 Vulnerabilities

Version released on 2016-12-06

Download tar
Download zip
Published
Title
Fixed in
CVSS
Published
2024-01-30
Title
WordPress < 6.4.3 - Deserialization of Untrusted Data
Fixed in
Fixed in 4.7.28
CVSS
8.5 (high)
Published
2024-01-30
Title
WordPress < 6.4.3 - Admin+ PHP File Upload
Fixed in
Fixed in 4.7.28
CVSS
6.6 (medium)
Published
2023-10-12
Title
WP < 6.3.2 - Denial of Service via Cache Poisoning
Fixed in
Fixed in 4.7.27
CVSS
5.3 (medium)
Published
2023-10-12
Title
WP < 6.3.2 - Subscriber+ Arbitrary Shortcode Execution
Fixed in
Fixed in 4.7.27
CVSS
4.3 (medium)
Published
2023-10-12
Title
WP < 6.3.2 - Contributor+ Comment Disclosure
Fixed in
Fixed in 4.7.27
CVSS
2.7 (low)
Published
2023-10-12
Title
WP < 6.3.2 - Unauthenticated Post Author Email Disclosure
Fixed in
Fixed in 4.7.27
CVSS
5.3 (medium)
Published
2023-05-16
Title
WP < 6.2.1 - Directory Traversal via Translation Files
Fixed in
Fixed in 4.7.26
CVSS
4.8 (medium)
Published
2023-05-16
Title
WP < 6.2.1 - Thumbnail Image Update via CSRF
Fixed in
Fixed in 4.7.26
CVSS
4.3 (medium)
Published
2023-05-16
Title
WP < 6.2.2 - Shortcode Execution in User Generated Data
Fixed in
Fixed in 4.7.26
CVSS
6.5 (medium)
Published
2023-05-16
Title
WP < 6.2.1 - Contributor+ Stored XSS via Open Embed Auto Discovery
Fixed in
Fixed in 4.7.26
CVSS
6.8 (medium)
Published
2023-05-16
Title
WP < 6.2.1 - Contributor+ Content Injection
Fixed in
Fixed in 4.7.26
CVSS
5.5 (medium)
Published
2022-12-13
Title
WP <= 6.2 - Unauthenticated Blind SSRF via DNS Rebinding
Fixed in
No known fix
CVSS
5.4 (medium)
Published
2022-10-17
Title
WP < 6.0.3 - Stored XSS via wp-mail.php
Fixed in
Fixed in 4.7.25
CVSS
4.8 (medium)
Published
2022-10-17
Title
WP < 6.0.3 - Open Redirect via wp_nonce_ays
Fixed in
Fixed in 4.7.25
CVSS
4.3 (medium)
Published
2022-10-17
Title
WP < 6.0.3 - Email Address Disclosure via wp-mail.php
Fixed in
Fixed in 4.7.25
CVSS
3.1 (low)
Published
2022-10-17
Title
WP < 6.0.3 - Reflected XSS via SQLi in Media Library
Fixed in
Fixed in 4.7.25
CVSS
4.7 (medium)
Published
2022-10-17
Title
WP < 6.0.3 - CSRF in wp-trackback.php
Fixed in
Fixed in 4.7.25
CVSS
3.1 (low)
Published
2022-10-17
Title
WP < 6.0.3 - Stored XSS via the Customizer
Fixed in
Fixed in 4.7.25
CVSS
3.4 (low)
Published
2022-10-17
Title
WP < 6.0.3 - Stored XSS via Comment Editing
Fixed in
Fixed in 4.7.25
CVSS
4.4 (medium)
Published
2022-10-17
Title
WP < 6.0.3 - Content from Multipart Emails Leaked
Fixed in
Fixed in 4.7.25
CVSS
3.7 (low)
Published
2022-10-17
Title
WP < 6.0.3 - SQLi in WP_Date_Query
Fixed in
Fixed in 4.7.25
CVSS
4.0 (medium)
Published
2022-10-17
Title
WP < 6.0.3 - Stored XSS via RSS Widget
Fixed in
Fixed in 4.7.25
CVSS
3.0 (low)
Published
2022-10-17
Title
WP < 6.0.3 - Data Exposure via REST Terms/Tags Endpoint
Fixed in
Fixed in 4.7.25
CVSS
4.3 (medium)
Published
2022-10-17
Title
WP < 6.0.3 - Multiple Stored XSS via Gutenberg
Fixed in
Fixed in 4.7.25
CVSS
3.4 (low)
Published
2022-08-30
Title
WP < 6.0.2 - Reflected Cross-Site Scripting
Fixed in
Fixed in 4.7.24
CVSS
4.7 (medium)
Published
2022-08-30
Title
WP < 6.0.2 - Authenticated Stored Cross-Site Scripting
Fixed in
Fixed in 4.7.24
CVSS
2.6 (low)
Published
2022-08-30
Title
WP < 6.0.2 - SQLi via Link API
Fixed in
Fixed in 4.7.24
CVSS
5.8 (medium)
Published
2022-03-11
Title
WordPress < 5.9.2 - Prototype Pollution in jQuery
Fixed in
Fixed in 4.7.23
CVSS
5.6 (medium)
Published
2022-01-06
Title
WordPress < 5.8.3 - SQL Injection via WP_Query
Fixed in
Fixed in 4.7.22
CVSS
8.6 (high)
Published
2022-01-06
Title
WordPress < 5.8.3 - Author+ Stored XSS via Post Slugs
Fixed in
Fixed in 4.7.22
CVSS
5.4 (medium)
Published
2022-01-06
Title
WordPress 4.1-5.8.2 - SQL Injection via WP_Meta_Query
Fixed in
Fixed in 4.7.22
CVSS
6.8 (medium)
Published
2022-01-06
Title
WordPress < 5.8.3 - Super Admin Object Injection in Multisites
Fixed in
Fixed in 4.7.22
CVSS
3.3 (low)
Published
2021-11-25
Title
WordPress < 5.8 - Plugin Confusion
Fixed in
Fixed in 5.8
CVSS
8.2 (high)
Published
2021-05-13
Title
WordPress 3.7 to 5.7.1 - Object Injection in PHPMailer
Fixed in
Fixed in 4.7.21
CVSS
6.6 (medium)
Published
2021-04-15
Title
WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure
Fixed in
Fixed in 4.7.20
CVSS
4.3 (medium)
Published
2020-06-11
Title
WordPress < 5.4.2 - Authenticated XSS via Media Files
Fixed in
Fixed in 4.7.18
CVSS
6.3 (medium)
Published
2020-06-11
Title
WordPress < 5.4.2 - Open Redirection
Fixed in
Fixed in 4.7.18
CVSS
3.5 (low)
Published
2020-06-11
Title
WordPress < 5.4.2 - Authenticated Stored XSS via Theme Upload
Fixed in
Fixed in 4.7.18
CVSS
3.8 (low)
Published
2020-06-11
Title
WordPress < 5.4.2 - Misuse of set-screen-option Leading to Privilege Escalation
Fixed in
Fixed in 4.7.18
CVSS
6.5 (medium)
Published
2020-06-11
Title
WordPress < 5.4.2 - Disclosure of Password-Protected Page/Post Comments
Fixed in
Fixed in 4.7.18
CVSS
4.3 (medium)
Published
2020-04-29
Title
WordPress < 5.4.1 - Password Reset Tokens Failed to Be Properly Invalidated
Fixed in
Fixed in 4.7.17
CVSS
3.1 (low)
Published
2020-04-29
Title
WordPress < 5.4.1 - Unauthenticated Users View Private Posts
Fixed in
Fixed in 4.7.17
CVSS
3.7 (low)
Published
2020-04-29
Title
WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Customizer
Fixed in
Fixed in 4.7.17
CVSS
3.7 (low)
Published
2020-04-29
Title
WordPress < 5.4.1 - Cross-Site Scripting (XSS) in wp-object-cache
Fixed in
Fixed in 4.7.17
CVSS
4.2 (medium)
Published
2020-04-29
Title
WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in File Uploads
Fixed in
Fixed in 4.7.17
CVSS
4.6 (medium)
Published
2020-01-21
Title
WordPress <= 5.2.3 - Hardening Bypass
Fixed in
Fixed in 4.7.15
CVSS
3.1 (low)
Published
2019-12-13
Title
WordPress <= 5.3 - Authenticated Improper Access Controls in REST API
Fixed in
Fixed in 4.7.16
CVSS
0.0 (none)
Published
2019-12-13
Title
WordPress <= 5.3 - Authenticated Stored XSS via Crafted Links
Fixed in
Fixed in 4.7.16
CVSS
3.8 (low)
Published
2019-12-13
Title
WordPress <= 5.3 - Authenticated Stored XSS via Block Editor Content
Fixed in
Fixed in 4.7.16
CVSS
4.6 (medium)
Published
2019-12-13
Title
WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
Fixed in
Fixed in 4.7.16
CVSS
9.8 (critical)
Published
2019-10-14
Title
WordPress <= 5.2.3 - Stored XSS in Customizer
Fixed in
Fixed in 4.7.15
CVSS
5.4 (medium)
Published
2019-10-14
Title
WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
Fixed in
Fixed in 4.7.15
CVSS
5.3 (medium)
Published
2019-10-14
Title
WordPress <= 5.2.3 - Stored XSS in Style Tags
Fixed in
Fixed in 4.7.15
CVSS
6.1 (medium)
Published
2019-10-14
Title
WordPress <= 5.2.3 - JSON Request Cache Poisoning
Fixed in
Fixed in 4.7.15
CVSS
7.5 (high)
Published
2019-10-14
Title
WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation
Fixed in
Fixed in 4.7.15
CVSS
9.8 (critical)
Published
2019-10-14
Title
WordPress <= 5.2.3 - Admin Referrer Validation
Fixed in
Fixed in 4.7.15
CVSS
8.8 (high)
Published
2019-09-05
Title
WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
Fixed in
Fixed in 4.7.14
CVSS
6.1 (medium)
Published
2019-03-13
Title
WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
Fixed in
Fixed in 4.7.13
CVSS
8.8 (high)
Published
2019-02-19
Title
WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
Fixed in
Fixed in 5.0.1
CVSS
8.8 (high)
Published
2018-12-13
Title
WordPress <= 5.0 - Authenticated File Delete
Fixed in
Fixed in 4.7.12
CVSS
6.5 (medium)
Published
2018-12-13
Title
WordPress <= 5.0 - Authenticated Post Type Bypass
Fixed in
Fixed in 4.7.12
CVSS
6.5 (medium)
Published
2018-12-13
Title
WordPress <= 5.0 - PHP Object Injection via Meta Data
Fixed in
Fixed in 4.7.12
CVSS
9.8 (critical)
Published
2018-12-13
Title
WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
Fixed in
Fixed in 4.7.12
CVSS
5.4 (medium)
Published
2018-12-13
Title
WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
Fixed in
Fixed in 4.7.12
CVSS
6.1 (medium)
Published
2018-12-13
Title
WordPress <= 5.0 - User Activation Screen Search Engine Indexing
Fixed in
Fixed in 4.7.12
CVSS
7.5 (high)
Published
2018-12-13
Title
WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
Fixed in
Fixed in 4.7.12
CVSS
5.4 (medium)
Published
2018-06-27
Title
WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
Fixed in
Fixed in 4.7.11
CVSS
7.2 (high)
Published
2018-04-03
Title
WordPress 3.7-4.9.4 - Remove localhost Default
Fixed in
Fixed in 4.7.10
CVSS
6.1 (medium)
Published
2018-04-03
Title
WordPress 3.7-4.9.4 - Use Safe Redirect for Login
Fixed in
Fixed in 4.7.10
CVSS
6.1 (medium)
Published
2018-04-03
Title
WordPress 3.7-4.9.4 - Escape Version in Generator Tag
Fixed in
Fixed in 4.7.10
CVSS
6.1 (medium)
Published
2018-02-05
Title
WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
Fixed in
No known fix
CVSS
7.5 (high)
Published
2018-01-17
Title
WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
Fixed in
Fixed in 4.7.9
CVSS
6.1 (medium)
Published
2017-11-29
Title
WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
Fixed in
Fixed in 4.7.8
CVSS
5.4 (medium)
Published
2017-11-29
Title
WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
Fixed in
Fixed in 4.7.8
CVSS
5.4 (medium)
Published
2017-11-29
Title
WordPress 4.3.0-4.9 - HTML Language Attribute Escaping
Fixed in
Fixed in 4.7.8
CVSS
5.4 (medium)
Published
2017-11-29
Title
WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
Fixed in
Fixed in 4.7.8
CVSS
8.8 (high)
Published
2017-10-31
Title
WordPress <= 4.8.2 - $wpdb->prepare() Weakness
Fixed in
Fixed in 4.7.7
CVSS
9.8 (critical)
Published
2017-09-20
Title
WordPress 2.9.2-4.8.1 - Open Redirect
Fixed in
Fixed in 4.7.6
CVSS
5.4 (medium)
Published
2017-09-20
Title
WordPress 3.0-4.8.1 - Path Traversal in Unzipping
Fixed in
Fixed in 4.7.6
CVSS
7.5 (high)
Published
2017-09-19
Title
WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
Fixed in
Fixed in 4.7.6
CVSS
9.8 (critical)
Published
2017-09-19
Title
WordPress 4.4-4.8.1 - Path Traversal in Customizer
Fixed in
Fixed in 4.7.6
CVSS
7.5 (high)
Published
2017-09-19
Title
WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed
Fixed in
Fixed in 4.7.6
CVSS
6.1 (medium)
Published
2017-09-19
Title
WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor
Fixed in
Fixed in 4.7.6
CVSS
6.1 (medium)
Published
2017-08-24
Title
WordPress 2.3.0-4.7.4 - Authenticated SQL injection
Fixed in
Fixed in 4.7.5
CVSS
n/a
Published
2017-05-16
Title
WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
Fixed in
Fixed in 4.7.5
CVSS
8.6 (high)
Published
2017-05-16
Title
WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
Fixed in
Fixed in 4.7.5
CVSS
8.6 (high)
Published
2017-05-16
Title
WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks
Fixed in
Fixed in 4.7.5
CVSS
7.5 (high)
Published
2017-05-16
Title
WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
Fixed in
Fixed in 4.7.5
CVSS
8.8 (high)
Published
2017-05-16
Title
WordPress 3.3-4.7.4 - Large File Upload Error XSS
Fixed in
Fixed in 4.7.5
CVSS
6.1 (medium)
Published
2017-05-16
Title
WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
Fixed in
Fixed in 4.7.5
CVSS
6.1 (medium)
Published
2017-05-03
Title
WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
Fixed in
No known fix
CVSS
5.9 (medium)
Published
2017-03-06
Title
WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
Fixed in
Fixed in 4.7.3
CVSS
5.4 (medium)
Published
2017-03-06
Title
WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
Fixed in
Fixed in 4.7.3
CVSS
6.1 (medium)
Published
2017-03-06
Title
WordPress 4.7.0-4.7.2 - Authenticated Unintended File Deletion in Plugin Delete
Fixed in
Fixed in 4.7.3
CVSS
4.9 (medium)
Published
2017-03-06
Title
WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
Fixed in
Fixed in 4.7.3
CVSS
5.4 (medium)
Published
2017-03-06
Title
WordPress 4.7-4.7.2 - Cross-Site Scripting (XSS) via Taxonomy Term Names
Fixed in
Fixed in 4.7.3
CVSS
6.1 (medium)
Published
2017-03-06
Title
WordPress 4.2-4.7.2 - Press This CSRF DoS
Fixed in
Fixed in 4.7.3
CVSS
6.5 (medium)
Published
2017-02-01
Title
WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API
Fixed in
Fixed in 4.7.2
CVSS
7.5 (high)
Published
2017-01-26
Title
WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users
Fixed in
Fixed in 4.7.2
CVSS
5.3 (medium)
Published
2017-01-26
Title
WordPress 3.5-4.7.1 - WP_Query SQL Injection
Fixed in
Fixed in 4.7.2
CVSS
9.8 (critical)
Published
2017-01-26
Title
WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
Fixed in
Fixed in 4.7.2
CVSS
6.1 (medium)
Published
2017-01-11
Title
WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer
Fixed in
Fixed in 4.7.1
CVSS
n/a
Published
2017-01-11
Title
WordPress 4.7 - User Information Disclosure via REST API
Fixed in
Fixed in 4.7.1
CVSS
5.3 (medium)
Published
2017-01-11
Title
WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
Fixed in
Fixed in 4.7.1
CVSS
6.1 (medium)
Published
2017-01-11
Title
WordPress <= 4.7 - Cross-Site Request Forgery (CSRF) via Flash Upload
Fixed in
Fixed in 4.7.1
CVSS
8.8 (high)
Published
2017-01-11
Title
WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
Fixed in
Fixed in 4.7.1
CVSS
6.1 (medium)
Published
2017-01-11
Title
WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
Fixed in
Fixed in 4.7.1
CVSS
5.3 (medium)
Published
2017-01-11
Title
WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
Fixed in
Fixed in 4.7.1
CVSS
8.8 (high)
Published
2017-01-11
Title
WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Fixed in
Fixed in 4.7.1
CVSS
7.5 (high)