WordPress Vulnerabilities - Patchstack

Vulnerability Database

All known vulnerabilities for

WordPress

Found a vulnerability that puts your sites at risk?

Software

Vulnerability

Type

Version

Published

WordPress

Critical Severity

9.8

WordPress <= 5.7.1 - Object injection in PHPMailer vulnerability

Critical Severity

9.8

WordPress

<= 5.7.1

2021-05-13

WordPress

Medium Severity

6.5

WordPress core 4.7-5.7 - XML External Entity (XXE) vulnerability

Medium Severity

6.5

WordPress

4.7-5.7

2021-04-15

WordPress

Medium Severity

5.3

WordPress core 4.7-5.7 - Sensitive Data Exposure vulnerability

Medium Severity

5.3

WordPress

4.7-5.7

2021-04-15

WordPress

WordPress <= 5.5.1 - Cross-Site Request Forgery (CSRF) vulnerability

WordPress

<=5.5.1

2020-10-29

WordPress

WordPress <= 5.5.1 - Bypass Protected Meta That Could Lead To Arbitrary File Deletion vulnerability

WordPress

<= 5.5.1

2020-10-29

WordPress

WordPress <= 5.5.1 - Stored Cross-Site Scripting (XSS) in Post Slugs vulnerability

WordPress

<= 5.5.1

2020-10-29

WordPress

WordPress <= 5.5.1 - Unauthenticated Denial-of-Service (DoS) Attack to Remote Code Execution (RCE) vulnerability

WordPress

<= 5.5.1

2020-10-29

WordPress

WordPress <= 5.5.1 - XML-RPC Privilege Escalation vulnerability

WordPress

<= 5.5.1

2020-10-29

WordPress

WordPress <= 5.5.1 - Cross-Site Scripting (XSS) via Global Variables vulnerability

WordPress

<= 5.5.1

2020-10-29

WordPress

WordPress <= 5.5.1 - Mishandling Embeds From Disabled Sites On a Multisite Network vulnerability

WordPress

<= 5.5.1

2020-10-29

WordPress

WordPress <= 5.5.1 - Mishandled deserialization requests vulnerability

WordPress

<= 5.5.1

2020-10-29

WordPress

WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass vulnerability

WordPress

<= 5.3

2020-01-06

WordPress

WordPress <= 5.3 - Stored Cross-Site Scripting (XSS) vulnerability

WordPress

<= 5.3

2019-12-13

WordPress

WordPress <= 5.2.3 - Multiple security issues (XSS, SSRF, Cache Poisoning)

WordPress

<= 5.2.3

2019-10-15

WordPress

WordPress core <= 5.2.2 - Cross-Site Scripting (XSS) vulnerability

WordPress

<= 5.2.2

2019-09-05

WordPress

WordPress 3.9-5.1 - Cross-Site Scripting (XSS) vulnerability

WordPress

3.9-5.1

2019-03-13

WordPress

WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution vulnerability

WordPress

3.7-4.9.8, 5.0

2019-02-28

WordPress

WordPress <= 5.0 - Authenticated File Delete vulnerability

WordPress

<= 5.0

2018-12-13

WordPress

WordPress <= 5.0 - Authenticated Post Type Bypass vulnerability

WordPress

<= 5.0

2018-12-13

WordPress

WordPress <= 5.0 - PHP Object Injection via Meta Data vulnerability

WordPress

<= 5.0

2018-12-13

WordPress

WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS) vulnerability

WordPress

<= 5.0

2018-12-13

WordPress

WordPress <= 5.0 - Cross-Site Scripting (XSS) vulnerability that could affect plugins

WordPress

<= 5.0

2018-12-13

WordPress

WordPress <= 5.0 - User Activation Screen Search Engine Indexing

WordPress

<= 5.0

2018-12-13

WordPress

WordPress <= 5.0 - File Upload to XSS on Apache Web Servers vulnerability

WordPress

<= 5.0

2018-12-13

WordPress

WordPress <=4.9.6 - Arbitrary Code Execution vulnerability

WordPress

<=4.9.6

2018-06-27

WordPress

WordPress <=4.9.4 - Vulnerable due to "localhost" default parameter

WordPress

<=4.9.4

2018-04-05

WordPress

WordPress <=4.9.4 - Use Safe Redirect for Login

WordPress

<=4.9.4

2018-04-05

WordPress

WordPress <=4.9.4 - Escape Version in Generator Tag

WordPress

<=4.9.4

2018-04-05

WordPress

WordPress <=4.9.2 - Application Denial of Service (DoS) vulnerability

WordPress

<=4.9.2

2018-02-05

WordPress

WordPress 3.7-4.9.1 - Cross-Site Scripting vulnerability

WordPress

<=4.9.1

2018-01-17

WordPress

WordPress <=4.9 - Authenticated JavaScript File Upload vulnerability

WordPress

<=4.9

2017-12-01

WordPress

WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping

WordPress

<= 4.9

2017-11-29

WordPress

WordPress 4.3.0-4.9 - HTML Language Attribute Escaping

WordPress

<= 4.9

2017-11-29

WordPress

WordPress 3.7-4.9 - newbloguser Key Bypass

WordPress

<= 4.9

2017-11-29

WordPress

WordPress <=4.8.2 - potential SQL injection (SQLi), $wpdb->prepare() issue, possible unsafe queries

WordPress

<=4.8.2

2017-10-31

WordPress

WordPress <=4.8.1 - SQL injection (SQLi) vulnerability

WordPress

<=4.8.1

2017-09-19

WordPress

WordPress <=4.8.1 - Cross-Site Scripting (XSS) vulnerability (oEmbed)

WordPress

<=4.8.1

2017-09-19

WordPress

WordPress <=4.8.1 - Cross-Site Scripting (XSS) vulnerability (visual editor)

WordPress

<=4.8.1

2017-09-19

WordPress

WordPress <=4.8.1 - Cross-Site Scripting (XSS) vulnerability (plugin editor)

WordPress

<=4.8.1

2017-09-19

WordPress

WordPress <=4.8.1 - Cross-Site Scripting (XSS) vulnerability (template names)

WordPress

<=4.8.1

2017-09-19

WordPress

WordPress <=4.8.1 - Cross-Site Scripting (XSS) vulnerability (link modal)

WordPress

<=4.8.1

2017-09-19

WordPress

WordPress <=4.8.1 - Path traversal vulnerability (file unzipping code)

WordPress

<=4.8.1

2017-09-19

WordPress

WordPress <=4.8.1 - Path traversal vulnerability (customizer)

WordPress

<=4.8.1

2017-09-19

WordPress

WordPress <=4.8.1 - Open redirect vulnerability (user and term edit screens)

WordPress

<=4.8.1

2017-09-19

WordPress

WordPress <=4.7.4 - Insufficient Redirect Validation vulnerability

WordPress

<=4.7.4

2017-05-17

WordPress

WordPress <=4.7.4 - Post Meta Data Values Improper Handling in XML-RPC API

WordPress

<=4.7.4

2017-05-16

WordPress

WordPress <=4.7.4 - Host Header Injection in Password Reset

WordPress

<=4.7.4

2017-05-03

WordPress

WordPress <= 4.5.3 - Path traversal

WordPress

<= 4.5.3

2016-07-12

WordPress

WordPress <= 4.5.2 - BYPASS #1

WordPress

<= 4.5.2

2016-06-23

WordPress

WordPress <= 4.5.2 - BYPASS #2

WordPress

<= 4.5.2

2016-06-23

WordPress

WordPress <= 4.5.2 - BYPASS #3

WordPress

<= 4.5.2

2016-06-23

WordPress

WordPress <= 4.5.2 - Denial of Service Attacks

WordPress

<= 4.5.2

2016-06-23

WordPress

WordPress <= 4.5.2 - Session Hijacking

WordPress

<= 4.5.2

2016-06-23

WordPress

WordPress <= 4.5.2 - XSS #1

WordPress

<= 4.5.2

2016-06-23

WordPress

WordPress <= 4.5.2 - XSS #2

WordPress

<= 4.5.2

2016-06-23

WordPress

WordPress <= 4.5.2 - BYPASS #4

WordPress

<= 4.5.2

2016-06-23

WordPress

WordPress <= 2.20.9 - XSS

WordPress

<= 2.20.9

2016-05-07

WordPress

WordPress <= 4.5.1 - XSS

WordPress

<= 4.5.1

2016-05-07

WordPress

WordPress <= 4.4 - Service Side Request Forgery

WordPress

<= 4.4

2016-04-15

WordPress

WordPress <= 4.4.1 - XSS

WordPress

<= 4.4.1

2016-04-12

WordPress

WordPress <= 4.4.1 - CSRF

WordPress

<= 4.4.1

2016-04-12

WordPress

WordPress <= 4.2.1 - XSS

WordPress

<= 4.2.1

2016-03-25

WordPress

WordPress <= 4.4.1 - SSRF

WordPress

<= 4.4.1

2016-02-05

WordPress

WordPress <= 4.4.1 - Open Redirect

WordPress

<= 4.4.1

2016-02-04

WordPress

WordPress <= 4.4.0 - Multiple XSS

WordPress

<= 4.4.0

2016-01-08

WordPress

WordPress <= 4.3.0 - XSS

WordPress

<= 4.3.0

2015-10-28

WordPress

WordPress <= 4.2.3 - XSS #1

WordPress

<= 4.2.3

2015-08-04

WordPress

WordPress <= 4.2.3 - XSS #2

WordPress

<= 4.2.3

2015-08-04

WordPress

WordPress <= 4.2.3 - CSRF

WordPress

<= 4.2.3

2015-08-04

WordPress

WordPress <= 4.2.3 - Multiple Vulnerabilities

WordPress

<= 4.2.3

2015-08-04

WordPress

WordPress <= 4.3.0 - BYPASS