Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Wordpress
(Wordpress)| Repositories |
• https://github.com/WordPress/WordPress
• https://github.com/johndyer/mediaelement • https://github.com/moxiecode/moxieplayer • https://github.com/moxiecode/plupload |
| #Vulnerabilities | 351 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2017-10-12 | CVE-2016-9263 | WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file. | Wordpress | 4.7 | ||
| 2017-01-05 | CVE-2016-7169 | Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade package uploader in WordPress before 4.6.1 allows remote authenticated users to access arbitrary files via a crafted urlholder parameter. | Wordpress | 6.3 | ||
| 2017-01-05 | CVE-2016-7168 | Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename. | Wordpress | 4.8 | ||
| 2017-01-18 | CVE-2016-6897 | Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896. | Wordpress | 6.5 | ||
| 2017-01-18 | CVE-2016-6896 | Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool. | Wordpress | 7.1 | ||
| 2016-08-07 | CVE-2016-6635 | Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers to hijack the authentication of administrators for requests that change the script compression option. | Wordpress | 8.8 | ||
| 2016-08-07 | CVE-2016-6634 | Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | Wordpress | 6.1 | ||
| 2016-06-29 | CVE-2016-5839 | WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors. | Wordpress | 7.5 | ||
| 2016-06-29 | CVE-2016-5838 | WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie. | Wordpress | 7.5 | ||
| 2016-06-29 | CVE-2016-5837 | WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors. | Wordpress | 7.5 |