Severity | Score | Summary | Affected versions
 | | (summary not on this page) | from 0, < 6.4.2+dfsg1-1
CRITICAL | 9.8 | CVE-2021-44223: WordPress before 5.8 lacks support for the Update URI plugin header. | from 0
CRITICAL | 9.8 | CVE-2021-29476: Insecure Deserialization of untrusted data in rmccue/requests | from 0, < 5.5.3+dfsg1-1
CRITICAL | 9.8 | is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, whic… | from 0, < 5.5.3+dfsg1-1
CRITICAL | 9.8 | wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post. | from 0, < 5.5.3+dfsg1-1
CRITICAL | 9.8 | WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC. | from 0, < 5.5.3+dfsg1-1
CRITICAL | 9.8 | wordpress - security update | from 0, < 5.5.3+dfsg1-1
CRITICAL | 9.8 | wordpress - security update | from 0, < 5.0.11+dfsg1-0+deb10u1
CRITICAL | 9.8 | wordpress - security update | from 0, < 4.7.19+dfsg-1+deb9u1
CRITICAL | 9.8 | wordpress - security update | from 0, < 5.3.2+dfsg1-1
CRITICAL | 9.8 | wordpress - security update | from 0, < 4.1.29+dfsg-0+deb8u1
CRITICAL | 9.8 | wordpress - security update | from 0, < 5.0.17+dfsg1-0+deb10u1
CRITICAL | 9.8 | wordpress - security update | from 0, < 5.2.4+dfsg1-1
CRITICAL | 9.8 | wordpress - security update | from 0, < 4.7.18+dfsg-1+deb9u1
CRITICAL | 9.8 | wordpress - security update | from 0, < 4.1.28+dfsg-0+deb8u1
CRITICAL | 9.8 | wordpress - security update | from 0, < 5.2.4+dfsg1-1
CRITICAL | 9.8 | In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMed… | from 0, < 5.0.1+dfsg1-1
CRITICAL | 9.8 | wordpress - security update | from 0, < 4.8.3+dfsg-1
CRITICAL | 9.8 | wordpress - security update | from 0, < 4.1+dfsg-1+deb8u16
CRITICAL | 9.8 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u18
CRITICAL | 9.8 | Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly addr… | from 0, < 4.8.2+dfsg-1
CRITICAL | 9.8 | SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbi… | from 0, < 4.7.2+dfsg-1
CRITICAL | 9.8 | WordPress 1.5 through 2.3.1 uses cookie values based on the MD5 hash of a password MD5 hash, which allows attackers to bypass authenticatio… | from 0, < 2.5.0-1
CRITICAL | 9.1 | is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine w… | from 0, < 5.5.3+dfsg1-1
HIGH | 8.8 | PHP file upload bypass via Plugin installer | from 0, < 5.7.11+dfsg1-0+deb11u1
HIGH | 8.8 | SQL injection in WordPress | from 0, < 5.7.5+dfsg1-0+deb11u1
HIGH | 8.8 | WordPress before 5.2.4 does not properly consider type confusion during validation of the referer in the admin pages, possibly leading to C… | from 0, < 5.2.4+dfsg1-1
HIGH | 8.8 | WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default con… | from 0, < 5.1.1+dfsg1-1
HIGH | 8.8 | wordpress - security update | from 0, < 4.1.26+dfsg-1+deb8u1
HIGH | 8.8 | wordpress - security update | from 0, < 5.0.1+dfsg1-1
HIGH | 8.8 | WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. | from 0, < 4.9.1+dfsg-1
HIGH | 8.8 | wordpress - security update | from 0, < 4.7.5+dfsg-2+deb9u4
HIGH | 8.8 | wordpress - security update | from 0, < 4.9.7+dfsg1-1
HIGH | 8.8 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u20
HIGH | 8.8 | wordpress - security update | from 0, < 4.9.1+dfsg-1
HIGH | 8.8 | In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is… | from 0, < 4.7.5+dfsg-1
HIGH | 8.8 | Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote at… | from 0, < 4.7.1+dfsg-1
HIGH | 8.8 | Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecifi… | from 0, < 4.7.1+dfsg-1
HIGH | 8.8 | Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPr… | from 0, < 4.5+dfsg-1
HIGH | 8.6 | wordpress - security update | from 0, < 4.7.5+dfsg-1
HIGH | 8.6 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u16
HIGH | 8.6 | In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. | from 0, < 4.7.5+dfsg-1
HIGH | 8.6 | wordpress - security update | from 0, < 4.5+dfsg-1
HIGH | 8.6 | wordpress - security update | from 0, < 4.1+dfsg-1+deb8u10
HIGH | 8.6 | The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request… | from 0, < 4.4.2+dfsg-1
HIGH | 8.1 | Password reset links invalidation issue in WordPress | from 0, < 5.4.1+dfsg1-1
HIGH | 7.5 | SQL injection in WordPress | from 0, < 5.0.15+dfsg1-0+deb10u1
HIGH | 7.5 | SQL injection in WordPress | from 0, < 4.7.22+dfsg-0+deb9u1
HIGH | 7.5 | SQL injection in WordPress | from 0, < 5.7.5+dfsg1-0+deb11u1
HIGH | 7.5 | WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed. | from 0, < 5.5.3+dfsg1-1
HIGH | 7.5 | Unauthenticated disclosure of certain private posts in WordPress | from 0, < 5.4.1+dfsg1-1
HIGH | 7.5 | WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header. | from 0, < 5.2.4+dfsg1-1
HIGH | 7.5 | In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine's web crawler if an unusual confi… | from 0, < 5.0.1+dfsg1-1
HIGH | 7.5 | In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of regis… | from 0
HIGH | 7.5 | WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values… | from 0
HIGH | 7.5 | Before version 4.8.2, WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename. | from 0, < 4.8.2+dfsg-1
HIGH | 7.5 | Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip compone… | from 0, < 4.8.2+dfsg-1
HIGH | 7.5 | In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. | from 0, < 4.7.5+dfsg-1
HIGH | 7.5 | The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before… | from 0, < 4.7.2+dfsg-1
HIGH | 7.5 | wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, whi… | from 0, < 4.7.1+dfsg-1
HIGH | 7.5 | WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors. | from 0, < 4.5.3+dfsg-1
HIGH | 7.5 | WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie. | from 0, < 4.5.3+dfsg-1
HIGH | 7.5 | WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspe… | from 0, < 4.5.3+dfsg-1
HIGH | 7.5 | wordpress - security update | from 0, < 4.5.3+dfsg-1
HIGH | 7.5 | wordpress - security update | from 0, < 4.1+dfsg-1+deb8u18
HIGH | 7.5 | WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, r… | from 0, < 4.5.3+dfsg-1
HIGH | 7.5 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u11
HIGH | 7.5 | wordpress - security update | from 0, < 4.5.3+dfsg-1
HIGH | 7.4 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb7u10
HIGH | 7.4 | wordpress - security update | from 0, < 4.4.2+dfsg-1
HIGH | 7.4 | wordpress - security update | from 0, < 3.6.1+dfsg-1~deb6u9
HIGH | 7.2 | Authenticated Object Injection in Multisites in WordPress | from 0, < 5.7.5+dfsg1-0+deb11u1
HIGH | 7.2 | In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. | from 0
HIGH | 7.1 | Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows rem… | from 0, < 4.6.1+dfsg-1
MEDIUM | 6.8 | Authenticated XSS via media attachment page in WordPress | from 0, < 5.4.2+dfsg1-1
MEDIUM | 6.8 | Authenticated XSS via media attachment page in WordPress | from 0, < 4.1.31+dfsg-0+deb8u1
MEDIUM | 6.5 | WordPress Core < 6.5.5 - Cross Site Scripting (XSS) vulnerability | from 0, < 6.1.9+dfsg1-0+deb12u1
MEDIUM | 6.5 | WordPress Core < 6.5.5 - Cross Site Scripting (XSS) vulnerability | from 0, < 5.7.14+dfsg1-0+deb11u1
MEDIUM | 6.5 | WordPress Core < 6.5.5 - Cross Site Scripting (XSS) vulnerability | from 0, < 5.7.14+dfsg1-0+deb11u1
MEDIUM | 6.5 | A flaw exists in WordPress related to the 'wp-admin/press-this.php' script improperly checking user permissions when publishing posts. | from 0, < 3.2.1+dfsg-1
MEDIUM | 6.5 | WordPress Authenticated XXE attack when installation is running PHP 8 | from 0, < 5.0.12+dfsg1-0+deb10u1
MEDIUM | 6.5 | WordPress Authenticated XXE attack when installation is running PHP 8 | from 0, < 4.7.20+dfsg-1+deb9u1
MEDIUM | 6.5 | WordPress Authenticated XXE attack when installation is running PHP 8 | from 0, < 5.7.1+dfsg1-1
MEDIUM | 6.5 | WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). | from 0
MEDIUM | 6.5 | In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. | from 0, < 5.0.1+dfsg1-1
MEDIUM | 6.5 | wordpress - security update | from 0, < 4.7.5+dfsg-2+deb9u5
MEDIUM | 6.5 | wordpress - security update | from 0, < 5.0.1+dfsg1-1
MEDIUM | 6.5 | wordpress - security update | from 0, < 4.1.25+dfsg-1+deb8u1
MEDIUM | 6.5 | WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes),… | from 0, < 4.8.2+dfsg-2
MEDIUM | 6.5 | In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to… | from 0, < 4.7.3+dfsg-1
MEDIUM | 6.5 | Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress be… | from 0, < 4.6.1+dfsg-1
MEDIUM | 6.5 | wp-admin/user-edit.php in WordPress before 2.0.5 allows remote authenticated users to read the metadata of an arbitrary user via a modified… | from 0, < 2.0.5-0.1
MEDIUM | 6.5 | WordPress before 2.0.5 does not properly store a profile containing a string representation of a serialized object, which allows remote aut… | from 0, < 2.0.5-0.1
MEDIUM | 6.4 | WordPress Core < 6.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via HTML API | from 0, < 5.7.14+dfsg1-0+deb11u1
MEDIUM | 6.3 | Directory traversal vulnerability in the File_Upload_Upgrader class in wp-admin/includes/class-file-upload-upgrader.php in the upgrade pack… | from 0, < 4.6.1+dfsg-1
MEDIUM | 6.1 | WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due… | from 0, < 6.1.9+dfsg1-0+deb12u1
MEDIUM | 6.1 | Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary scr… | from 0, < 5.7.8+dfsg1-0+deb11u1
MEDIUM | 6.1 | wordpress - security update | from 0, < 5.7.8+dfsg1-0+deb11u1
MEDIUM | 6.1 | wordpress - security update | from 0, < 5.7.8+dfsg1-0+deb11u1
MEDIUM | 6.1 | WordPress before 5.5.2 allows stored XSS via post slugs. | from 0, < 5.5.3+dfsg1-1