CVE-2025-54352
- EPSS 0.06%
- Published 21.07.2025 00:00:00
- Last modified 22.07.2025 13:06:07
WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior.
CVE-2025-5396
- EPSS 0.38%
- Published 17.07.2025 01:44:54
- Last modified 17.07.2025 21:15:50
The Bears Backup plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.0. This is due to the bbackup_ajax_handle() function not having a capability check, nor validating user supplied input passed direc...
CVE-2024-8699
- EPSS 0.2%
- Published 15.05.2025 20:15:59
- Last modified 28.05.2025 15:42:01
The Z-Downloads WordPress plugin before 1.11.5 does not properly validate uploaded files, allowing high-privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example, in a multisite setup).
CVE-2025-2106
- EPSS 0.12%
- Published 13.03.2025 02:15:13
- Last modified 13.03.2025 02:15:13
The ArielBrailovsky-ViralAd plugin for WordPress is vulnerable to SQL Injection via the 'text' and 'id' parameters of the limpia() function in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and la...
CVE-2025-24588
- EPSS 0.15%
- Published 24.01.2025 18:15:35
- Last modified 24.01.2025 18:15:35
Missing Authorization vulnerability in Patreon Patreon WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Patreon WordPress: from n/a through 1.9.1.
CVE-2024-10519
- EPSS 1.34%
- Published 23.11.2024 10:15:03
- Last modified 12.07.2025 00:29:04
The Wishlist for WooCommerce: Multi Wishlists Per Customer PRO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wtab' parameter in versions 3.0.8 to 3.1.2 due to insufficient input sanitization and output escaping. This m...
CVE-2022-4973
- EPSS 0.38%
- Published 16.10.2024 07:15:12
- Last modified 30.10.2024 15:58:30
WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it...
CVE-2024-6307
- EPSS 0.87%
- Published 25.06.2024 11:15:50
- Last modified 21.11.2024 09:49:24
WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-l...
CVE-2024-4439
- EPSS 92.03%
- Published 03.05.2024 06:15:14
- Last modified 21.11.2024 09:42:50
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with c...
CVE-2023-5692
- EPSS 0.66%
- Published 05.04.2024 13:15:07
- Last modified 21.11.2024 08:42:17
WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_querya...