CVE-2017-9064
- EPSS 1.74%
- Veröffentlicht 18.05.2017 14:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials.
CVE-2017-9065
- EPSS 4.08%
- Veröffentlicht 18.05.2017 14:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API.
CVE-2017-9066
- EPSS 3.67%
- Veröffentlicht 18.05.2017 14:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF.
CVE-2017-8295
- EPSS 26.7%
- Veröffentlicht 04.05.2017 14:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
WordPress through 4.7.4 relies on the Host HTTP header for a password-reset e-mail message, which makes it easier for remote attackers to reset arbitrary passwords by making a crafted wp-login.php?action=lostpassword request and then arranging for th...
CVE-2017-1001000
- EPSS 81.85%
- Veröffentlicht 03.04.2017 01:59:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a re...
CVE-2017-6814
- EPSS 3.02%
- Veröffentlicht 12.03.2017 01:59:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishan...
CVE-2017-6815
- EPSS 3%
- Veröffentlicht 12.03.2017 01:59:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
In WordPress before 4.7.3 (wp-includes/pluggable.php), control characters can trick redirect URL validation.
CVE-2017-6816
- EPSS 3.12%
- Veröffentlicht 12.03.2017 01:59:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality.
CVE-2017-6817
- EPSS 2.09%
- Veröffentlicht 12.03.2017 01:59:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
In WordPress before 4.7.3 (wp-includes/embed.php), there is authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.
CVE-2017-6818
- EPSS 2.78%
- Veröffentlicht 12.03.2017 01:59:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-site scripting (XSS) via taxonomy term names.