
{"3.8.1":{"release_date":"2014-01-23","changelog_url":"https://codex.wordpress.org/Version_3.8.1","vulnerabilities":[{"id":5963,"title":"WordPress 1.0 - 3.8.1 administrator exploitable blind SQLi","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:19.000Z","published_date":null,"references":{"url":["https://security.dxw.com/advisories/sqli-in-wordpress-3-6-1/"]},"vuln_type":"SQLI","fixed_in":null},{"id":5964,"title":"WordPress 3.7.1 \u0026 3.8.1 Potential Authentication Cookie Forgery","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:19.000Z","published_date":null,"references":{"url":["https://labs.mwrinfosecurity.com/blog/2014/04/11/wordpress-auth-cookie-forgery/","https://github.com/WordPress/WordPress/commit/78a915e0e5927cf413aa6c2cef2fca3dc587f8be"],"cve":["2014-0166"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.8.2"},{"id":5965,"title":"WordPress 3.7.1 \u0026 3.8.1 Privilege escalation: contributors publishing posts","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:19.000Z","published_date":null,"references":{"url":["https://github.com/wpscanteam/wpscan/wiki/CVE-2014-0165"],"cve":["2014-0165"]},"vuln_type":"BYPASS","fixed_in":"3.8.2"},{"id":5966,"title":"WordPress Plupload Unspecified XSS","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:19.000Z","published_date":null,"references":{"secunia":["57769"]},"vuln_type":"BYPASS","fixed_in":"3.8.2"},{"id":7526,"title":"WordPress 3.5 - 3.7.1 XML-RPC DoS","created_at":"2014-08-27T11:32:03.000Z","updated_at":"2015-05-15T13:48:58.000Z","published_date":null,"references":{"url":["http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/","http://www.breaksec.com/?p=6362"]},"vuln_type":"DOS","fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"vuln_type":"XXE","fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"vuln_type":"AUTHBYPASS","fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2015-08-05T10:05:27.000Z","published_date":"2015-04-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"vuln_type":"XSS","fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.8.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 
2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.8":{"release_date":"2013-12-12","changelog_url":"https://codex.wordpress.org/Version_3.8","vulnerabilities":[{"id":5967,"title":"WordPress 3.7.1 \u0026 3.8 - Cleartext Admin Credentials Disclosure","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:19.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2013/Dec/135"]},"vuln_type":"AUTHBYPASS","fixed_in":null},{"id":7526,"title":"WordPress 3.5 - 3.7.1 XML-RPC 
DoS","created_at":"2014-08-27T11:32:03.000Z","updated_at":"2015-05-15T13:48:58.000Z","published_date":null,"references":{"url":["http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/","http://www.breaksec.com/?p=6362"]},"vuln_type":"DOS","fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"vuln_type":"XXE","fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon 
Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"vuln_type":"AUTHBYPASS","fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2015-08-05T10:05:27.000Z","published_date":"2015-04-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"vuln_type":"XSS","fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.8.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission 
Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.7.1":{"release_date":"2013-10-29","changelog_url":"https://codex.wordpress.org/Version_3.7.1","vulnerabilities":[{"id":5964,"title":"WordPress 3.7.1 \u0026 3.8.1 Potential 
Authentication Cookie Forgery","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:19.000Z","published_date":null,"references":{"url":["https://labs.mwrinfosecurity.com/blog/2014/04/11/wordpress-auth-cookie-forgery/","https://github.com/WordPress/WordPress/commit/78a915e0e5927cf413aa6c2cef2fca3dc587f8be"],"cve":["2014-0166"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.7.2"},{"id":5965,"title":"WordPress 3.7.1 \u0026 3.8.1 Privilege escalation: contributors publishing posts","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:19.000Z","published_date":null,"references":{"url":["https://github.com/wpscanteam/wpscan/wiki/CVE-2014-0165"],"cve":["2014-0165"]},"vuln_type":"BYPASS","fixed_in":"3.7.2"},{"id":5967,"title":"WordPress 3.7.1 \u0026 3.8 - Cleartext Admin Credentials Disclosure","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:19.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2013/Dec/135"]},"vuln_type":"AUTHBYPASS","fixed_in":null},{"id":5966,"title":"WordPress Plupload Unspecified XSS","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:19.000Z","published_date":null,"references":{"secunia":["57769"]},"vuln_type":"BYPASS","fixed_in":"3.7.2"},{"id":7526,"title":"WordPress 3.5 - 3.7.1 XML-RPC DoS","created_at":"2014-08-27T11:32:03.000Z","updated_at":"2015-05-15T13:48:58.000Z","published_date":null,"references":{"url":["http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/","http://www.breaksec.com/?p=6362"]},"vuln_type":"DOS","fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"vuln_type":"XXE","fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"vuln_type":"AUTHBYPASS","fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2015-08-05T10:05:27.000Z","published_date":"2015-04-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"vuln_type":"XSS","fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.7.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 
2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"3.6":{"release_date":"2013-08-01","changelog_url":"https://codex.wordpress.org/Version_3.6","vulnerabilities":[{"id":5968,"title":"WordPress 3.6 PHP Object Injection","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://vagosec.org/2013/09/wordpress-php-object-injection/","http://www.openwall.com/lists/oss-security/2013/09/12/1","http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4340","http://core.trac.wordpress.org/changeset/25325"],"cve":["2013-4338"],"secunia":["54803"]},"vuln_type":"UNKNOWN","fixed_in":"3.6.1"},{"id":5969,"title":"WordPress 3.6 SWF/EXE File Upload XSS 
Weakness","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://core.trac.wordpress.org/changeset/25322"],"cve":["2013-5739"]},"vuln_type":"XSS","fixed_in":"3.6.1"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":5971,"title":"WordPress 3.6 Post Authorship Spoofing","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://core.trac.wordpress.org/changeset/25321"],"cve":["2013-4340"],"secunia":["54803"]},"vuln_type":"UNKNOWN","fixed_in":"3.6.1"},{"id":5972,"title":"WordPress 3.6 HTML File Upload XSS Weakness","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://core.trac.wordpress.org/changeset/25322"],"cve":["2013-5738"]},"vuln_type":"XSS","fixed_in":"3.6.1"},{"id":5973,"title":"WordPress 3.6 Multiple Function Path Disclosure","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2013/Nov/220"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5974,"title":"WordPress 3.6 Multiple Script Arbitrary Site Redirect","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2013/Dec/174"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":5975,"title":"WordPress 3.6 _wp_http_referer Parameter Reflected 
XSS","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2013/Dec/174"]},"vuln_type":"XSS","fixed_in":"3.6.1"},{"id":7526,"title":"WordPress 3.5 - 3.7.1 XML-RPC DoS","created_at":"2014-08-27T11:32:03.000Z","updated_at":"2015-05-15T13:48:58.000Z","published_date":null,"references":{"url":["http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/","http://www.breaksec.com/?p=6362"]},"vuln_type":"DOS","fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"vuln_type":"XXE","fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon 
Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"vuln_type":"AUTHBYPASS","fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.5.3"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.7.2"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.7.3"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 
- Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.5.2":{"release_date":"2013-06-21","changelog_url":"https://codex.wordpress.org/Version_3.5.2","vulnerabilities":[{"id":5976,"title":"WordPress 3.5.2 Media Library Multiple 
Function Path Disclosure","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://websecurity.com.ua/6795/"]},"vuln_type":"FPD","fixed_in":null},{"id":5977,"title":"WordPress 3.5.2 SWFUpload Content Spoofing","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://bot24.blogspot.ca/2013/04/swfupload-object-injectioncsrf.html","https://github.com/wpscanteam/wpscan/issues/243"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":7526,"title":"WordPress 3.5 - 3.7.1 XML-RPC DoS","created_at":"2014-08-27T11:32:03.000Z","updated_at":"2015-05-15T13:48:58.000Z","published_date":null,"references":{"url":["http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/","http://www.breaksec.com/?p=6362"]},"vuln_type":"DOS","fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in 
Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"vuln_type":"AUTHBYPASS","fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery 
(SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal 
from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.7.2"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.5.1":{"release_date":"2013-01-24","changelog_url":"https://codex.wordpress.org/Version_3.5.1","vulnerabilities":[{"id":5978,"title":"Wordpress 3.4 - 3.5.1 /wp-admin/users.php Malformed s Parameter Path Disclosure","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2013/Jul/70"]},"vuln_type":"FPD","fixed_in":"3.5.2"},{"id":5979,"title":"WordPress 3.4-3.5.1 DoS in class-phpass.php","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2013/Jun/65"],"cve":["2013-2173"],"secunia":["53676"]},"vuln_type":"UNKNOWN","fixed_in":"3.5.2"},{"id":5980,"title":"WordPress 3.5.1 Multiple XSS","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{},"vuln_type":"XSS","fixed_in":"3.5.2"},{"id":5981,"title":"WordPress 3.5.1 TinyMCE Plugin Flash Applet Unspecified Spoofing 
Weakness","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{},"vuln_type":"UNKNOWN","fixed_in":"3.5.2"},{"id":5983,"title":"WordPress 3.5-3.5.1 oEmbed Unspecified XML External Entity (XXE)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2013-2202"]},"vuln_type":"XXE","fixed_in":"3.5.2"},{"id":5984,"title":"WordPress 3.5-3.5.1 Multiple Role Remote Privilege Escalation","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{},"vuln_type":"UNKNOWN","fixed_in":"3.5.2"},{"id":5985,"title":"WordPress 3.5-3.5.1 HTTP API Unspecified Server Side Request Forgery (SSRF)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{},"vuln_type":"SSRF","fixed_in":"3.5.2"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":7526,"title":"WordPress 3.5 - 3.7.1 XML-RPC DoS","created_at":"2014-08-27T11:32:03.000Z","updated_at":"2015-05-15T13:48:58.000Z","published_date":null,"references":{"url":["http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/","http://www.breaksec.com/?p=6362"]},"vuln_type":"DOS","fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"vuln_type":"AUTHBYPASS","fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.7.2"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.5":{"release_date":"2012-12-11","changelog_url":"https://codex.wordpress.org/Version_3.5","vulnerabilities":[{"id":5978,"title":"Wordpress 3.4 - 3.5.1 /wp-admin/users.php Malformed s Parameter Path Disclosure","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2013/Jul/70"]},"vuln_type":"FPD","fixed_in":"3.5.2"},{"id":5986,"title":"WordPress 3.4 - 3.5.1 DoS in 
class-phpass.php","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2013/Jun/65"],"cve":["2013-2173"],"secunia":["53676"]},"vuln_type":"UNKNOWN","fixed_in":"3.5.2"},{"id":5987,"title":"WordPress 3.3.2 - 3.5 Cross-Site Scripting (XSS) (Issue 3)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/wpscanteam/wpscan/wiki/WordPress-3.5-Issues"]},"vuln_type":"XSS","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":5990,"title":"WordPress 3.5 Shortcodes / Post Content Multiple Unspecified 
XSS","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/57554/","http://securitytracker.com/id?1028045"],"cve":["2013-0236"],"secunia":["51967"]},"vuln_type":"XSS","fixed_in":"3.5.1"},{"id":5966,"title":"WordPress Plupload Unspecified XSS","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:19.000Z","published_date":null,"references":{"secunia":["57769"]},"vuln_type":"BYPASS","fixed_in":"3.5.1"},{"id":7526,"title":"WordPress 3.5 - 3.7.1 XML-RPC DoS","created_at":"2014-08-27T11:32:03.000Z","updated_at":"2015-05-15T13:48:58.000Z","published_date":null,"references":{"url":["http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/","http://www.breaksec.com/?p=6362"]},"vuln_type":"DOS","fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon 
Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"vuln_type":"AUTHBYPASS","fixed_in":"4.0"},{"id":5983,"title":"WordPress 3.5-3.5.1 oEmbed Unspecified XML External Entity (XXE)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2013-2202"]},"vuln_type":"XXE","fixed_in":"3.5.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 
4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.7.2"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.4.2":{"release_date":"2012-09-06","changelog_url":"https://codex.wordpress.org/Version_3.4.2","vulnerabilities":[{"id":5978,"title":"Wordpress 3.4 - 3.5.1 /wp-admin/users.php Malformed s Parameter Path Disclosure","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2013/Jul/70"]},"vuln_type":"FPD","fixed_in":"3.5.2"},{"id":5986,"title":"WordPress 3.4 - 3.5.1 DoS in class-phpass.php","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2013/Jun/65"],"cve":["2013-2173"],"secunia":["53676"]},"vuln_type":"UNKNOWN","fixed_in":"3.5.2"},{"id":5987,"title":"WordPress 3.3.2 - 3.5 Cross-Site Scripting (XSS) (Issue 3)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/wpscanteam/wpscan/wiki/WordPress-3.5-Issues"]},"vuln_type":"XSS","fixed_in":null},{"id":5991,"title":"WordPress 3.4.2 Cross Site Request 
Forgery","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.org/files/116785/WordPress-3.4.2-Cross-Site-Request-Forgery.html"]},"vuln_type":"CSRF","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":5966,"title":"WordPress Plupload Unspecified XSS","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:19.000Z","published_date":null,"references":{"secunia":["57769"]},"vuln_type":"BYPASS","fixed_in":"3.5.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"vuln_type":"AUTHBYPASS","fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.4.1":{"release_date":"2012-06-27","changelog_url":"https://codex.wordpress.org/Version_3.4.1","vulnerabilities":[{"id":5978,"title":"Wordpress 3.4 - 3.5.1 /wp-admin/users.php Malformed s Parameter Path Disclosure","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2013/Jul/70"]},"vuln_type":"FPD","fixed_in":"3.5.2"},{"id":5986,"title":"WordPress 3.4 - 3.5.1 DoS in class-phpass.php","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2013/Jun/65"],"cve":["2013-2173"],"secunia":["53676"]},"vuln_type":"UNKNOWN","fixed_in":"3.5.2"},{"id":5987,"title":"WordPress 3.3.2 - 3.5 Cross-Site Scripting (XSS) (Issue 3)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/wpscanteam/wpscan/wiki/WordPress-3.5-Issues"]},"vuln_type":"XSS","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":5966,"title":"WordPress Plupload Unspecified XSS","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:19.000Z","published_date":null,"references":{"secunia":["57769"]},"vuln_type":"BYPASS","fixed_in":"3.5.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in 
Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.4":{"release_date":"2012-06-13","changelog_url":"https://codex.wordpress.org/Version_3.4","vulnerabilities":[{"id":5978,"title":"Wordpress 3.4 - 3.5.1 /wp-admin/users.php Malformed s Parameter Path Disclosure","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2013/Jul/70"]},"vuln_type":"FPD","fixed_in":"3.5.2"},{"id":5986,"title":"WordPress 3.4 - 3.5.1 DoS in class-phpass.php","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2013/Jun/65"],"cve":["2013-2173"],"secunia":["53676"]},"vuln_type":"UNKNOWN","fixed_in":"3.5.2"},{"id":5987,"title":"WordPress 3.3.2 - 3.5 Cross-Site Scripting (XSS) (Issue 3)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/wpscanteam/wpscan/wiki/WordPress-3.5-Issues"]},"vuln_type":"XSS","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":5966,"title":"WordPress Plupload Unspecified XSS","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:19.000Z","published_date":null,"references":{"secunia":["57769"]},"vuln_type":"BYPASS","fixed_in":"3.5.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.4-beta4":{"release_date":"2012-05-03","changelog_url":null,"vulnerabilities":[{"id":5987,"title":"WordPress 3.3.2 - 3.5 Cross-Site Scripting (XSS) (Issue 
3)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/wpscanteam/wpscan/wiki/WordPress-3.5-Issues"]},"vuln_type":"XSS","fixed_in":null},{"id":5992,"title":"Wordpress 3.3.1 Multiple CSRF Vulnerabilities","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"exploitdb":["18791"]},"vuln_type":"CSRF","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":5966,"title":"WordPress Plupload Unspecified XSS","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:19.000Z","published_date":null,"references":{"secunia":["57769"]},"vuln_type":"BYPASS","fixed_in":"3.5.1"}]},"3.3.3":{"release_date":"2012-06-27","changelog_url":"https://codex.wordpress.org/Version_3.3.3","vulnerabilities":[{"id":5987,"title":"WordPress 3.3.2 - 3.5 
Cross-Site Scripting (XSS) (Issue 3)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/wpscanteam/wpscan/wiki/WordPress-3.5-Issues"]},"vuln_type":"XSS","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":5966,"title":"WordPress Plupload Unspecified XSS","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:19.000Z","published_date":null,"references":{"secunia":["57769"]},"vuln_type":"BYPASS","fixed_in":"3.5.1"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.3.2":{"release_date":"2012-04-20","changelog_url":"https://codex.wordpress.org/Version_3.3.2","vulnerabilities":[{"id":5987,"title":"WordPress 3.3.2 - 3.5 Cross-Site Scripting (XSS) (Issue 3)","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/wpscanteam/wpscan/wiki/WordPress-3.5-Issues"]},"vuln_type":"XSS","fixed_in":null},{"id":5992,"title":"Wordpress 3.3.1 Multiple CSRF Vulnerabilities","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"exploitdb":["18791"]},"vuln_type":"CSRF","fixed_in":null},{"id":5993,"title":"WordPress 3.3.2 Cross-Site Scripting (XSS)","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.org/files/113254"]},"vuln_type":"XSS","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site 
Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6633"]},"vuln_type":"XSS","fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6634"]},"vuln_type":"MULTI","fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6635"]},"vuln_type":"UNKNOWN","fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":5966,"title":"WordPress Plupload Unspecified XSS","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:19.000Z","published_date":null,"references":{"secunia":["57769"]},"vuln_type":"BYPASS","fixed_in":"3.5.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 
Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.3.1":{"release_date":"2012-01-03","changelog_url":"https://codex.wordpress.org/Version_3.3.1","vulnerabilities":[{"id":5997,"title":"WordPress 3.3.1 Multiple vulnerabilities including XSS \u0026 Privilege Escalation","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://wordpress.org/news/2012/04/wordpress-3-3-2/"]},"vuln_type":"MULTI","fixed_in":null},{"id":5998,"title":"Wordpress 3.3.1 - Multiple CSRF 
Vulnerabilities","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"exploitdb":["18791"]},"vuln_type":"CSRF","fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6633"]},"vuln_type":"XSS","fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6634"]},"vuln_type":"MULTI","fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a 
draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6635"]},"vuln_type":"UNKNOWN","fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator 
(PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.3":{"release_date":"2011-12-12","changelog_url":"https://codex.wordpress.org/Version_3.3","vulnerabilities":[{"id":6000,"title":"WordPress 3.3 Reflected Cross-Site Scripting (XSS)","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://oldmanlab.blogspot.com/2012/01/wordpress-33-xss-vulnerability.html"]},"vuln_type":"XSS","fixed_in":"3.3.1"},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in 
swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6633"]},"vuln_type":"XSS","fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6634"]},"vuln_type":"MULTI","fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6635"]},"vuln_type":"UNKNOWN","fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction 
Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator 
(PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.2.1":{"release_date":"2011-07-12","changelog_url":"https://codex.wordpress.org/Version_3.2.1","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6633"]},"vuln_type":"XSS","fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6634"]},"vuln_type":"MULTI","fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6635"]},"vuln_type":"UNKNOWN","fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 
3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - 
Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal 
in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.2":{"release_date":"2011-07-04","changelog_url":"https://codex.wordpress.org/Version_3.2","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6633"]},"vuln_type":"XSS","fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6634"]},"vuln_type":"MULTI","fixed_in":"3.3.3"},{"id":5996,"title":"WordPress 
\u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6635"]},"vuln_type":"UNKNOWN","fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator 
(PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 
2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.1.4":{"release_date":"2011-06-29","changelog_url":"https://codex.wordpress.org/Version_3.1.4","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in 
wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6633"]},"vuln_type":"XSS","fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6634"]},"vuln_type":"MULTI","fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6635"]},"vuln_type":"UNKNOWN","fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in 
Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal 
in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.1.3":{"release_date":"2011-05-25","changelog_url":"https://codex.wordpress.org/Version_3.1.3","vulnerabilities":[{"id":6001,"title":"WordPress 3.1.3 wp-admin/link-manager.php Multiple Parameter SQL Injection","created_at":"2014-08-01T10:58:22.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"secunia":["45099"],"exploitdb":["17465"]},"vuln_type":"SQLI","fixed_in":"3.1.4"},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in 
wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6633"]},"vuln_type":"XSS","fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6634"]},"vuln_type":"MULTI","fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6635"]},"vuln_type":"UNKNOWN","fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in 
Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal 
in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.1.2":{"release_date":"2011-04-26","changelog_url":"https://codex.wordpress.org/Version_3.1.2","vulnerabilities":[{"id":6002,"title":"Wordpress \u003c= 3.1.2 Clickjacking ","created_at":"2014-08-01T10:58:22.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2011/Sep/219","http://www.securityfocus.com/bid/49730/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in 
wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6633"]},"vuln_type":"XSS","fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6634"]},"vuln_type":"MULTI","fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6635"]},"vuln_type":"UNKNOWN","fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in 
Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal 
in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.1.1":{"release_date":"2011-04-05","changelog_url":"https://codex.wordpress.org/Version_3.1.1","vulnerabilities":[{"id":6003,"title":"WordPress 3.1 PCRE Library Remote DoS","created_at":"2014-08-01T10:58:22.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2011-4957"]},"vuln_type":"DOS","fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6633"]},"vuln_type":"XSS","fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information 
disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6634"]},"vuln_type":"MULTI","fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6635"]},"vuln_type":"UNKNOWN","fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.1":{"release_date":"2011-02-23","changelog_url":"https://codex.wordpress.org/Version_3.1","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in 
swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6633"]},"vuln_type":"XSS","fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6634"]},"vuln_type":"MULTI","fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6635"]},"vuln_type":"UNKNOWN","fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction 
Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":6003,"title":"WordPress 3.1 PCRE Library Remote DoS","created_at":"2014-08-01T10:58:22.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2011-4957"]},"vuln_type":"DOS","fixed_in":"3.1.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator 
(PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 
2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.0.6":{"release_date":"2011-04-26","changelog_url":"https://codex.wordpress.org/Version_3.0.6","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in 
wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6633"]},"vuln_type":"XSS","fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6634"]},"vuln_type":"MULTI","fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6635"]},"vuln_type":"UNKNOWN","fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator 
(PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 
2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.0.5":{"release_date":"2011-02-07","changelog_url":"https://codex.wordpress.org/Version_3.0.5","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6004,"title":"WordPress \u003c= 3.0.5 wp-admin/press-this.php Privilege 
Escalation","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2011-5270"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.6"},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6633"]},"vuln_type":"XSS","fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6634"]},"vuln_type":"MULTI","fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6635"]},"vuln_type":"UNKNOWN","fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 
- 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal 
in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.0.4":{"release_date":"2010-12-29","changelog_url":"https://codex.wordpress.org/Version_3.0.4","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6004,"title":"WordPress \u003c= 3.0.5 wp-admin/press-this.php Privilege Escalation","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2011-5270"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.6"},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6633"]},"vuln_type":"XSS","fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 
wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6634"]},"vuln_type":"MULTI","fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6635"]},"vuln_type":"UNKNOWN","fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.0.3":{"release_date":"2010-12-08","changelog_url":"https://codex.wordpress.org/Version_3.0.3","vulnerabilities":[{"id":6005,"title":"WordPress 2.0 - 3.0.1 SQL Injection in 
do_trackbacks()","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2015-09-20T17:53:36.000Z","published_date":null,"references":{"exploitdb":["15684"]},"vuln_type":"SQLI","fixed_in":null},{"id":6006,"title":"Wordpress 3.0.3 stored XSS IE7,6 NS8.1","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"exploitdb":["15858"]},"vuln_type":"XSS","fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6004,"title":"WordPress \u003c= 3.0.5 wp-admin/press-this.php Privilege Escalation","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2011-5270"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.6"},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6633"]},"vuln_type":"XSS","fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information 
disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6634"]},"vuln_type":"MULTI","fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6635"]},"vuln_type":"UNKNOWN","fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.0.2":{"release_date":"2010-11-30","changelog_url":"https://codex.wordpress.org/Version_3.0.2","vulnerabilities":[{"id":6007,"title":"WordPress XML-RPC Interface Access 
Restriction Bypass","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6004,"title":"WordPress \u003c= 3.0.5 wp-admin/press-this.php Privilege Escalation","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2011-5270"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.6"},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6633"]},"vuln_type":"XSS","fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6634"]},"vuln_type":"MULTI","fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 
wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6635"]},"vuln_type":"UNKNOWN","fixed_in":"3.3.3"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator 
(PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 
2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.0.1":{"release_date":"2010-07-29","changelog_url":"https://codex.wordpress.org/Version_3.0.1","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6004,"title":"WordPress \u003c= 3.0.5 wp-admin/press-this.php Privilege 
Escalation","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2011-5270"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.6"},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6633"]},"vuln_type":"XSS","fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6634"]},"vuln_type":"MULTI","fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6635"]},"vuln_type":"UNKNOWN","fixed_in":"3.3.3"},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote 
Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":6005,"title":"WordPress 2.0 - 3.0.1 SQL Injection in do_trackbacks()","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2015-09-20T17:53:36.000Z","published_date":null,"references":{"exploitdb":["15684"]},"vuln_type":"SQLI","fixed_in":"3.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.0":{"release_date":"2010-06-17","changelog_url":"https://codex.wordpress.org/Version_3.0","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in 
swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6004,"title":"WordPress \u003c= 3.0.5 wp-admin/press-this.php Privilege Escalation","created_at":"2014-08-01T10:58:23.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2011-5270"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.6"},{"id":5994,"title":"WordPress \u003c= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6633"]},"vuln_type":"XSS","fixed_in":"3.3.3"},{"id":5995,"title":"WordPress \u003c= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6634"]},"vuln_type":"MULTI","fixed_in":"3.3.3"},{"id":5996,"title":"WordPress \u003c= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a 
draft","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"cve":["2012-6635"]},"vuln_type":"UNKNOWN","fixed_in":"3.3.3"},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.1"},{"id":5970,"title":"WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction 
Bypass","created_at":"2014-08-01T10:58:19.000Z","updated_at":"2015-05-15T13:47:20.000Z","published_date":null,"references":{"url":["http://packetstormsecurity.com/files/123589/","http://core.trac.wordpress.org/changeset/25323","http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609"],"cve":["2013-4339"],"secunia":["54803"],"exploitdb":["28958"]},"vuln_type":"REDIRECT","fixed_in":"3.6.1"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator 
(PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 
2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"2.9.2":{"release_date":"2010-02-15","changelog_url":"https://codex.wordpress.org/Version_2.9.2","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam 
Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"}]},"2.9.1":{"release_date":"2010-01-04","changelog_url":"https://codex.wordpress.org/Version_2.9.1","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam 
Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.9":{"release_date":"2009-12-18","changelog_url":"https://codex.wordpress.org/Version_2.9","vulnerabilities":[{"id":6014,"title":"WordPress 2.9 Failure to Restrict URL Access","created_at":"2014-08-01T10:58:25.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"exploitdb":["11441"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":6015,"title":"WordPress 2.9 - Failure to Restrict URL Access","created_at":"2014-08-01T10:58:25.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.ethicalhack3r.co.uk/wordpress-2-9-failure-to-restrict-url-access/"],"cve":["2010-0682"],"exploitdb":["11441"]},"vuln_type":"AUTHBYPASS","fixed_in":"2.9.2"},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.8.6":{"release_date":"2009-11-12","changelog_url":"https://codex.wordpress.org/Version_2.8.6","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.8.5":{"release_date":"2009-10-20","changelog_url":"https://codex.wordpress.org/Version_2.8.5","vulnerabilities":[{"id":6016,"title":"WordPress \u003c= 2.8.5 Unrestricted File Upload Arbitrary PHP Code Execution","created_at":"2014-08-01T10:58:25.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"exploitdb":["10089"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam 
Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.8.4":{"release_date":"2009-08-12","changelog_url":"https://codex.wordpress.org/Version_2.8.4","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in 
request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress 
\u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.8.3":{"release_date":"2009-08-03","changelog_url":"https://codex.wordpress.org/Version_2.8.3","vulnerabilities":[{"id":6017,"title":"Wordpress \u003c= 2.8.3 Remote Admin Reset Password ","created_at":"2014-08-01T10:58:25.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"exploitdb":["9410"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.8.2":{"release_date":"2009-07-20","changelog_url":"https://codex.wordpress.org/Version_2.8.2","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in 
request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress 
\u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.8.1":{"release_date":"2009-07-09","changelog_url":"https://codex.wordpress.org/Version_2.8.1","vulnerabilities":[{"id":6018,"title":"Wordpress 2.8.1 (url) Remote Cross Site Scripting Exploit","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"exploitdb":["9250"]},"vuln_type":"XSS","fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.8":{"release_date":"2009-06-10","changelog_url":"https://codex.wordpress.org/Version_2.8","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in 
request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress 
\u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.7.1":{"release_date":"2009-02-10","changelog_url":"https://codex.wordpress.org/Version_2.7.1","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam 
Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.7":{"release_date":"2008-12-10","changelog_url":"https://codex.wordpress.org/Version_2.7","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam 
Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.6.5":{"release_date":"2008-11-25","changelog_url":"https://codex.wordpress.org/Version_2.6.5","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam 
Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery 
(SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.6.3":{"release_date":"2008-10-23","changelog_url":"https://codex.wordpress.org/Version_2.6.3","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.6.2":{"release_date":"2008-09-08","changelog_url":"https://codex.wordpress.org/Version_2.6.2","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam 
Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.6.1":{"release_date":"2008-08-15","changelog_url":"https://codex.wordpress.org/Version_2.6.1","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":6020,"title":"Wordpress 2.6.1 (SQL Column Truncation) Admin Takeover Exploit","created_at":"2014-08-01T10:58:27.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"exploitdb":["6421"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC 
Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.6":{"release_date":"2008-07-15","changelog_url":"https://codex.wordpress.org/Version_2.6","vulnerabilities":[{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in 
request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress 
\u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.5.1":{"release_date":"2008-04-25","changelog_url":"https://codex.wordpress.org/Version_2.5.1","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.5":{"release_date":"2008-03-29","changelog_url":"https://codex.wordpress.org/Version_2.5","vulnerabilities":[{"id":6021,"title":"Wordpress 2.5 Cookie Integrity Protection ","created_at":"2014-08-01T10:58:28.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/archive/1/archive/1/491356/100/0/threaded"],"cve":["2008-1930"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5999,"title":"WordPress 2.5 - 3.3.1 XSS in swfupload","created_at":"2014-08-01T10:58:21.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://seclists.org/fulldisclosure/2012/Nov/51"]},"vuln_type":"XSS","fixed_in":"3.3.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam 
Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header 
Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.3.3":{"release_date":"2008-02-05","changelog_url":"https://codex.wordpress.org/Version_2.3.3","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.3.2":{"release_date":"2007-12-29","changelog_url":"https://codex.wordpress.org/Version_2.3.2","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.3.1":{"release_date":"2007-10-26","changelog_url":"https://codex.wordpress.org/Version_2.3.1","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":6022,"title":"Wordpress \u003c= 2.3.1 Charset Remote 
SQL Injection ","created_at":"2014-08-01T10:58:29.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"exploitdb":["4721"]},"vuln_type":"SQLI","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.3":{"release_date":"2007-09-24","changelog_url":"https://codex.wordpress.org/Version_2.3","vulnerabilities":[{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in 
wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery 
(SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"}]},"2.2.3":{"release_date":"2007-09-08","changelog_url":"https://codex.wordpress.org/Version_2.2.3","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in 
request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress 
\u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.2.2":{"release_date":"2007-08-05","changelog_url":"https://codex.wordpress.org/Version_2.2.2","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam 
Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.2.1":{"release_date":"2007-06-21","changelog_url":"https://codex.wordpress.org/Version_2.2.1","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.2":{"release_date":"2007-05-16","changelog_url":"https://codex.wordpress.org/Version_2.2","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":6023,"title":"WordPress 2.2 (wp-app.php) Arbitrary File Upload Exploit","created_at":"2014-08-01T10:58:30.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"exploitdb":["4113"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":6024,"title":"Wordpress 2.2 (xmlrpc.php) Remote SQL Injection Exploit","created_at":"2014-08-01T10:58:30.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"exploitdb":["4039"]},"vuln_type":"SQLI","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 
3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.1.3":{"release_date":"2007-04-03","changelog_url":"https://codex.wordpress.org/Version_2.1.3","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":6025,"title":"Wordpress 2.1.3 admin-ajax.php SQL Injection Blind Fishing Exploit","created_at":"2014-08-01T10:58:30.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"exploitdb":["3960"]},"vuln_type":"SQLI","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC 
Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.1.2":{"release_date":"2007-03-02","changelog_url":"https://codex.wordpress.org/Version_2.1.2","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":6026,"title":"WordPress 'year' Cross-Site Scripting (XSS)","created_at":"2014-08-01T10:58:30.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/archive/1/archive/1/462374/100/0/threaded"],"secunia":["24485"]},"vuln_type":"XSS","fixed_in":null},{"id":6027,"title":"WordPress 2.1.2 Authenticated XMLRPC SQL Injection","created_at":"2014-08-01T10:58:30.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"url":["https://www.notsosecure.com/blog/2007/04/03/wordpress-212-xmlrpc-security-issues/","https://wordpress.org/news/2007/04/wordpress-213-and-2010/"],"cve":["2007-1897"],"secunia":["25108"],"exploitdb":["3656"]},"vuln_type":"SQLI","fixed_in":"2.1.3"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.1.1":{"release_date":"2007-02-21","changelog_url":"https://codex.wordpress.org/Version_2.1.1","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass 
","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":6028,"title":"WordPress 2.1.1 - Command Execution Backdoor","created_at":"2014-08-01T10:58:31.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/22797/","http://xforce.iss.net/xforce/xfdb/32807","http://wordpress.org/news/2007/03/upgrade-212/"],"cve":["2007-1277"],"secunia":["24374"]},"vuln_type":"RCE","fixed_in":"2.1.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in 
wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery 
(SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":7764,"title":"WordPress 2.1.1 - RCE Backdoor","created_at":"2015-01-23T11:45:22.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2007-03-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2007/03/upgrade-212/"]},"vuln_type":"RCE","fixed_in":null},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.1":{"release_date":"2007-01-22","changelog_url":"https://codex.wordpress.org/Version_2.1","vulnerabilities":[{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam 
Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.0.11":{"release_date":"2007-08-05","changelog_url":"https://codex.wordpress.org/Version_2.0.11","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.0.10":{"release_date":"2007-04-03","changelog_url":"https://codex.wordpress.org/Version_2.0.10","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in 
request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress 
\u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.0.9":{"release_date":"2007-02-21","changelog_url":"https://codex.wordpress.org/Version_2.0.9","vulnerabilities":[{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in 
request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress 
\u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.0.8":{"release_date":"2007-02-08","changelog_url":"https://codex.wordpress.org/Version_2.0.8","vulnerabilities":[{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in 
request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks 
mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.0.7":{"release_date":"2007-01-15","changelog_url":"https://codex.wordpress.org/Version_2.0.7","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in 
request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress 
\u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.0.6":{"release_date":"2007-01-05","changelog_url":"https://codex.wordpress.org/Version_2.0.6","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":6029,"title":"Wordpress \u003c= 2.0.6 wp-trackback.php Remote SQL Injection Exploit","created_at":"2014-08-01T10:58:32.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"exploitdb":["3109"]},"vuln_type":"SQLI","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional 
issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.0.5":{"release_date":"2006-10-27","changelog_url":"https://codex.wordpress.org/Version_2.0.5","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass 
","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":6030,"title":"Wordpress 2.0.5 Trackback UTF-7 Remote SQL Injection Exploit","created_at":"2014-08-01T10:58:32.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"exploitdb":["3095"]},"vuln_type":"SQLI","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 
wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.0.4":{"release_date":"2006-07-29","changelog_url":"https://codex.wordpress.org/Version_2.0.4","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6031,"title":"WordPress 2.0.2 - 2.0.4 Paged Parameter SQL Injection ","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/18779/"]},"vuln_type":"SQLI","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam 
Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.0.3":{"release_date":"2006-06-01","changelog_url":"https://codex.wordpress.org/Version_2.0.3","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port 
Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6031,"title":"WordPress 2.0.2 - 2.0.4 Paged Parameter SQL Injection ","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/18779/"]},"vuln_type":"SQLI","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.0.2":{"release_date":"2006-03-10","changelog_url":"https://codex.wordpress.org/Version_2.0.2","vulnerabilities":[{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":6032,"title":"WordPress \u003c= 2.0.2 (cache) Remote Shell Injection Exploit","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"exploitdb":["6"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6031,"title":"WordPress 2.0.2 - 2.0.4 Paged Parameter SQL Injection 
","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/18779/"]},"vuln_type":"SQLI","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.0.1":{"release_date":"2006-01-31","changelog_url":"https://codex.wordpress.org/Version_2.0.1","vulnerabilities":[{"id":6033,"title":"Wordpress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter XSS","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"cve":["2007-5105","2007-5106"]},"vuln_type":"XSS","fixed_in":"2.0.2"},{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 
3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"2.0":{"release_date":"2005-12-26","changelog_url":"https://codex.wordpress.org/Version_2.0","vulnerabilities":[{"id":6033,"title":"Wordpress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter XSS","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"cve":["2007-5105","2007-5106"]},"vuln_type":"XSS","fixed_in":"2.0.2"},{"id":6019,"title":"WordPress 2.0 - 2.7.1 admin.php Module Configuration 
Security Bypass ","created_at":"2014-08-01T10:58:26.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/35584/"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":6009,"title":"WordPress 2.0 - 3.0.1 wp-includes/comment.php Bypass Spam Restrictions","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5293"]},"vuln_type":"BYPASS","fixed_in":"3.0.2"},{"id":6010,"title":"WordPress 2.0 - 3.0.1 Multiple Cross-Site Scripting (XSS) in request_filesystem_credentials()","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5294"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6011,"title":"WordPress 2.0 - 3.0.1 Cross-Site Scripting (XSS) in wp-admin/plugins.php","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5295"]},"vuln_type":"XSS","fixed_in":"3.0.2"},{"id":6012,"title":"WordPress 2.0 - 3.0.1 wp-includes/capabilities.php Remote Authenticated Administrator Delete Action 
Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5296"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0.2"},{"id":6013,"title":"WordPress 2.0 - 3.0 Remote Authenticated Administrator Add Action Bypass","created_at":"2014-08-01T10:58:24.000Z","updated_at":"2015-05-15T13:47:22.000Z","published_date":null,"references":{"cve":["2010-5297"]},"vuln_type":"AUTHBYPASS","fixed_in":"3.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"1.5.2":{"release_date":"2005-08-14","changelog_url":"https://codex.wordpress.org/Version_1.5.2","vulnerabilities":[{"id":6033,"title":"Wordpress 1.5.1 - 2.0.2 wp-register.php 
Multiple Parameter XSS","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"cve":["2007-5105","2007-5106"]},"vuln_type":"XSS","fixed_in":"2.0.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"1.5.1.3":{"release_date":"2005-06-29","changelog_url":"https://codex.wordpress.org/Version_1.5.1.3","vulnerabilities":[{"id":6033,"title":"Wordpress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter XSS","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"cve":["2007-5105","2007-5106"]},"vuln_type":"XSS","fixed_in":"2.0.2"},{"id":6034,"title":"Wordpress \u003c= 1.5.1.3 Remote Code Execution eXploit (metasploit)","created_at":"2014-08-01T10:58:34.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"cve":["2005-2612"],"secunia":["16386"]},"vuln_type":"RCE","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"1.5.1.2":{"release_date":"2005-05-27","changelog_url":"https://codex.wordpress.org/Version_1.5.1.2","vulnerabilities":[{"id":6033,"title":"Wordpress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter XSS","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"cve":["2007-5105","2007-5106"]},"vuln_type":"XSS","fixed_in":"2.0.2"},{"id":6035,"title":"WordPress \u003c= 1.5.1.2 - XMLRPC SQL 
Injection","created_at":"2014-08-01T10:58:34.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":"2015-02-03T00:00:00.000Z","references":{"cve":["2005-2108"],"secunia":["15831","15898"],"exploitdb":["1077"]},"vuln_type":"SQLI","fixed_in":"1.5.1.3"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":7765,"title":"WordPress \u003c= 1.5.1.2 - XMLRPC Eval Injection 
","created_at":"2015-01-23T13:27:24.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2005-06-29T00:00:00.000Z","references":{"url":["http://www.securityfocus.com/bid/14088/"],"cve":["2005-1921"]},"vuln_type":"RCE","fixed_in":null},{"id":7766,"title":"WordPress \u003c= 1.5.1.2 - Multiple Cross-Site Scripting (XSS)","created_at":"2015-01-23T13:31:23.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2005-06-30T00:00:00.000Z","references":{"cve":["2005-2107"],"secunia":["15831"]},"vuln_type":"XSS","fixed_in":null},{"id":7767,"title":"WordPress \u003c= 1.5.1.2 - Email Spoofing","created_at":"2015-01-23T13:46:50.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2005-05-07T00:00:00.000Z","references":{"cve":["2005-2109"],"secunia":["15831"]},"vuln_type":"BYPASS","fixed_in":null},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"1.5.1.1":{"release_date":"2005-05-09","changelog_url":"https://codex.wordpress.org/index.php?title=Version_1.5.1.1\u0026action=edit\u0026redlink=1","vulnerabilities":[{"id":6033,"title":"Wordpress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter XSS","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"cve":["2007-5105","2007-5106"]},"vuln_type":"XSS","fixed_in":"2.0.2"},{"id":6036,"title":"WordPress \u003c= 1.5.1.1 \"add new admin\" SQL Injection 
Exploit","created_at":"2014-08-01T10:58:34.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"exploitdb":["1059"]},"vuln_type":"SQLI","fixed_in":null},{"id":6037,"title":"WordPress \u003c= 1.5.1.1 SQL Injection Exploit","created_at":"2014-08-01T10:58:34.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"exploitdb":["1033"]},"vuln_type":"SQLI","fixed_in":null},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":7615,"title":"WordPress 1.5 \u0026 1.5.1.1 - SQL Injection","created_at":"2014-09-27T13:44:45.000Z","updated_at":"2015-05-15T13:49:05.000Z","published_date":"2005-01-06T00:00:00.000Z","references":{"url":["http://www.securityfocus.com/bid/13809/"],"cve":["2005-1810"]},"vuln_type":"SQLI","fixed_in":"1.5.1.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery 
(SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":7765,"title":"WordPress \u003c= 1.5.1.2 - XMLRPC Eval Injection ","created_at":"2015-01-23T13:27:24.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2005-06-29T00:00:00.000Z","references":{"url":["http://www.securityfocus.com/bid/14088/"],"cve":["2005-1921"]},"vuln_type":"RCE","fixed_in":null},{"id":7766,"title":"WordPress \u003c= 1.5.1.2 - Multiple Cross-Site Scripting (XSS)","created_at":"2015-01-23T13:31:23.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2005-06-30T00:00:00.000Z","references":{"cve":["2005-2107"],"secunia":["15831"]},"vuln_type":"XSS","fixed_in":null},{"id":7767,"title":"WordPress \u003c= 1.5.1.2 - Email Spoofing","created_at":"2015-01-23T13:46:50.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2005-05-07T00:00:00.000Z","references":{"cve":["2005-2109"],"secunia":["15831"]},"vuln_type":"BYPASS","fixed_in":null},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"1.5.1":{"release_date":"2005-05-09","changelog_url":"https://codex.wordpress.org/Version_1.5.1","vulnerabilities":[{"id":6033,"title":"Wordpress 1.5.1 - 2.0.2 wp-register.php Multiple Parameter 
XSS","created_at":"2014-08-01T10:58:33.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"cve":["2007-5105","2007-5106"]},"vuln_type":"XSS","fixed_in":"2.0.2"},{"id":5988,"title":"WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["https://github.com/FireFart/WordpressPingbackPortScanner"],"cve":["2013-0235"]},"vuln_type":"SSRF","fixed_in":"3.5.1"},{"id":5989,"title":"WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues","created_at":"2014-08-01T10:58:20.000Z","updated_at":"2015-05-15T13:47:21.000Z","published_date":null,"references":{"url":["http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html"]},"vuln_type":"SSRF","fixed_in":null},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":7765,"title":"WordPress \u003c= 1.5.1.2 - XMLRPC Eval Injection 
","created_at":"2015-01-23T13:27:24.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2005-06-29T00:00:00.000Z","references":{"url":["http://www.securityfocus.com/bid/14088/"],"cve":["2005-1921"]},"vuln_type":"RCE","fixed_in":null},{"id":7766,"title":"WordPress \u003c= 1.5.1.2 - Multiple Cross-Site Scripting (XSS)","created_at":"2015-01-23T13:31:23.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2005-06-30T00:00:00.000Z","references":{"cve":["2005-2107"],"secunia":["15831"]},"vuln_type":"XSS","fixed_in":null},{"id":7767,"title":"WordPress \u003c= 1.5.1.2 - Email Spoofing","created_at":"2015-01-23T13:46:50.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2005-05-07T00:00:00.000Z","references":{"cve":["2005-2109"],"secunia":["15831"]},"vuln_type":"BYPASS","fixed_in":null},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"1.5":{"release_date":"2005-02-17","changelog_url":"https://codex.wordpress.org/Version_1.5","vulnerabilities":[{"id":6038,"title":"WordPress 1.5 wp-trackback.php tb_id Parameter SQL Injection","created_at":"2014-08-01T10:58:34.000Z","updated_at":"2015-05-15T13:47:23.000Z","published_date":null,"references":{"cve":["2005-1687"]},"vuln_type":"SQLI","fixed_in":"1.5.1"},{"id":6039,"title":"WordPress \u003c= 1.5 Multiple Vulnerabilities (XSS, SQLi)","created_at":"2014-08-01T10:58:34.000Z","updated_at":"2015-05-15T13:47:24.000Z","published_date":null,"references":{"cve":["2005-1687","2005-1688"],"secunia":["15324"]},"vuln_type":"MULTI","fixed_in":"1.5.1"},{"id":6042,"title":"WordPress 
1.5 template-functions-post.php Multiple Field XSS","created_at":"2014-08-01T10:58:35.000Z","updated_at":"2015-05-15T13:47:24.000Z","published_date":null,"references":{"cve":["2005-1102"]},"vuln_type":"XSS","fixed_in":null},{"id":7615,"title":"WordPress 1.5 \u0026 1.5.1.1 - SQL Injection","created_at":"2014-09-27T13:44:45.000Z","updated_at":"2015-05-15T13:49:05.000Z","published_date":"2005-01-06T00:00:00.000Z","references":{"url":["http://www.securityfocus.com/bid/13809/"],"cve":["2005-1810"]},"vuln_type":"SQLI","fixed_in":"1.5.1.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":7765,"title":"WordPress \u003c= 1.5.1.2 - XMLRPC Eval Injection ","created_at":"2015-01-23T13:27:24.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2005-06-29T00:00:00.000Z","references":{"url":["http://www.securityfocus.com/bid/14088/"],"cve":["2005-1921"]},"vuln_type":"RCE","fixed_in":null},{"id":7766,"title":"WordPress \u003c= 1.5.1.2 - Multiple Cross-Site Scripting 
(XSS)","created_at":"2015-01-23T13:31:23.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2005-06-30T00:00:00.000Z","references":{"cve":["2005-2107"],"secunia":["15831"]},"vuln_type":"XSS","fixed_in":null},{"id":7767,"title":"WordPress \u003c= 1.5.1.2 - Email Spoofing","created_at":"2015-01-23T13:46:50.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2005-05-07T00:00:00.000Z","references":{"cve":["2005-2109"],"secunia":["15831"]},"vuln_type":"BYPASS","fixed_in":null},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"}]},"3.6.1":{"release_date":"2013-09-11","changelog_url":"https://codex.wordpress.org/Version_3.6.1","vulnerabilities":[{"id":7526,"title":"WordPress 3.5 - 3.7.1 XML-RPC DoS","created_at":"2014-08-27T11:32:03.000Z","updated_at":"2015-05-15T13:48:58.000Z","published_date":null,"references":{"url":["http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/","http://www.breaksec.com/?p=6362"]},"vuln_type":"DOS","fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in 
Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"vuln_type":"XXE","fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"vuln_type":"AUTHBYPASS","fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.5.3"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.7.2"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.7.3"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"}]},"3.9":{"release_date":"2014-04-16","changelog_url":"https://codex.wordpress.org/Version_3.9","vulnerabilities":[{"id":7527,"title":" WordPress 3.9 \u0026 3.9.1 Unlikely Code Execution","created_at":"2014-09-16T17:10:42.000Z","updated_at":"2015-05-15T13:48:58.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29389"],"cve":["2014-5203"]},"vuln_type":"RCE","fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 
Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"vuln_type":"XXE","fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"vuln_type":"AUTHBYPASS","fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request 
Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":7697,"title":"WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists","created_at":"2014-11-30T19:09:16.000Z","updated_at":"2015-05-15T13:49:11.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/30422"],"cve":["2014-9032"]},"vuln_type":"XSS","fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2015-08-05T10:05:27.000Z","published_date":"2015-04-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"vuln_type":"XSS","fixed_in":"4.1.2"},{"id":7933,"title":"WordPress 3.9-4.1.1 - Same-Origin Method Execution","created_at":"2015-04-22T17:06:43.000Z","updated_at":"2015-08-05T10:03:39.000Z","published_date":"2015-04-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","http://zoczus.blogspot.fr/2015/04/plupload-same-origin-method-execution.html"],"cve":["2015-3439"]},"vuln_type":"XSS","fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.9.7"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.9.8"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.8"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.9.9"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.9.9"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.9.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"3.9.1":{"release_date":"2014-05-08","changelog_url":"https://codex.wordpress.org/Version_3.9.1","vulnerabilities":[{"id":7527,"title":" WordPress 3.9 \u0026 3.9.1 Unlikely Code Execution","created_at":"2014-09-16T17:10:42.000Z","updated_at":"2015-05-15T13:48:58.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29389"],"cve":["2014-5203"]},"vuln_type":"RCE","fixed_in":"3.9.2"},{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute 
Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"vuln_type":"XXE","fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"vuln_type":"AUTHBYPASS","fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":7697,"title":"WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists","created_at":"2014-11-30T19:09:16.000Z","updated_at":"2015-05-15T13:49:11.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/30422"],"cve":["2014-9032"]},"vuln_type":"XSS","fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2015-08-05T10:05:27.000Z","published_date":"2015-04-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"vuln_type":"XSS","fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored 
Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.9.7"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.9.8"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.8"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.9.9"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.9.9"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.9.9"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 
2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"3.7":{"release_date":"2013-10-24","changelog_url":"https://codex.wordpress.org/Version_3.7","vulnerabilities":[{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in 
Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"vuln_type":"XXE","fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"vuln_type":"AUTHBYPASS","fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2015-08-05T10:05:27.000Z","published_date":"2015-04-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"vuln_type":"XSS","fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.7.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"3.8.2":{"release_date":"2014-04-08","changelog_url":"https://codex.wordpress.org/Version_3.8.2","vulnerabilities":[{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in 
Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"vuln_type":"XXE","fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"vuln_type":"AUTHBYPASS","fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2015-08-05T10:05:27.000Z","published_date":"2015-04-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"vuln_type":"XSS","fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.8.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.8.3":{"release_date":"2014-04-14","changelog_url":"https://codex.wordpress.org/Version_3.8.3","vulnerabilities":[{"id":7528,"title":"WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing","created_at":"2014-09-16T18:06:10.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29384","https://core.trac.wordpress.org/changeset/29408"],"cve":["2014-5204","2014-5205"]},"vuln_type":"CSRF","fixed_in":"3.9.2"},{"id":7529,"title":"WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in 
Multisite","created_at":"2014-09-16T18:15:20.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/29398"],"cve":["2014-5240"]},"vuln_type":"XSS","fixed_in":"3.9.2"},{"id":7530,"title":"WordPress 3.6 - 3.9.1 XXE in GetID3 Library","created_at":"2014-09-16T18:19:44.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc","http://getid3.sourceforge.net/","http://wordpress.org/news/2014/08/wordpress-3-9-2/","http://lab.onsec.ru/2014/09/wordpress-392-xxe-through-media-upload.html","https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav"],"cve":["2014-2053"]},"vuln_type":"XXE","fixed_in":"3.9.2"},{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"vuln_type":"AUTHBYPASS","fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2015-08-05T10:05:27.000Z","published_date":"2015-04-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"vuln_type":"XSS","fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.8.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.9.2":{"release_date":"2014-08-06","changelog_url":"https://codex.wordpress.org/Version_3.9.2","vulnerabilities":[{"id":7531,"title":"WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout","created_at":"2014-09-17T13:32:43.000Z","updated_at":"2015-05-15T13:48:59.000Z","published_date":null,"references":{"url":["http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout","http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html"],"cve":["2012-5868"]},"vuln_type":"AUTHBYPASS","fixed_in":"4.0"},{"id":7680,"title":"WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2014-11-20T19:52:43.000Z","updated_at":"2015-05-15T13:49:09.000Z","published_date":null,"references":{"url":["http://klikki.fi/adv/wordpress.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/","http://klikki.fi/adv/wordpress_update.html"],"cve":["2014-9031"]},"vuln_type":"XSS","fixed_in":"4.0"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":7697,"title":"WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists","created_at":"2014-11-30T19:09:16.000Z","updated_at":"2015-05-15T13:49:11.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/30422"],"cve":["2014-9032"]},"vuln_type":"XSS","fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2015-08-05T10:05:27.000Z","published_date":"2015-04-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"vuln_type":"XSS","fixed_in":"4.1.2"},{"id":7691,"title":"WordPress \u003c= 4.0 - CSRF in wp-login.php 
Password Reset","created_at":"2014-11-25T22:57:27.000Z","updated_at":"2015-07-12T12:23:17.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/30418"],"cve":["2014-9033"]},"vuln_type":"CSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.9.7"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.9.8"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.8"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.9.9"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.9.9"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission 
Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.9.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"4.0":{"release_date":"2014-09-04","changelog_url":"https://codex.wordpress.org/Version_4.0","vulnerabilities":[{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial 
of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":7697,"title":"WordPress 3.9, 3.9.1, 3.9.2, 4.0 - XSS in Media Playlists","created_at":"2014-11-30T19:09:16.000Z","updated_at":"2015-05-15T13:49:11.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/30422"],"cve":["2014-9032"]},"vuln_type":"XSS","fixed_in":"4.0.1"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2015-08-05T10:05:27.000Z","published_date":"2015-04-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"vuln_type":"XSS","fixed_in":"4.1.2"},{"id":7933,"title":"WordPress 3.9-4.1.1 - Same-Origin Method Execution","created_at":"2015-04-22T17:06:43.000Z","updated_at":"2015-08-05T10:03:39.000Z","published_date":"2015-04-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","http://zoczus.blogspot.fr/2015/04/plupload-same-origin-method-execution.html"],"cve":["2015-3439"]},"vuln_type":"XSS","fixed_in":"4.1.2"},{"id":7691,"title":"WordPress \u003c= 4.0 - 
CSRF in wp-login.php Password Reset","created_at":"2014-11-25T22:57:27.000Z","updated_at":"2015-07-12T12:23:17.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/30418"],"cve":["2014-9033"]},"vuln_type":"CSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.0.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"4.0.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.0.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.0.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission 
Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.0.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.0.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.0.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 
2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"1.2":{"release_date":"2004-05-22","changelog_url":"https://codex.wordpress.org/Version_1.2","vulnerabilities":[{"id":7613,"title":"WordPress 1.2-1.2.1 - Multiple Cross-Site Scripting (XSS)","created_at":"2014-09-27T13:35:32.000Z","updated_at":"2015-05-15T13:49:05.000Z","published_date":"2004-12-31T00:00:00.000Z","references":{"url":["http://www.securityfocus.com/bid/11268/"],"cve":["2004-1559"],"secunia":["12683"]},"vuln_type":"XSS","fixed_in":"1.2.2"},{"id":7614,"title":"WordPress 1.2 - HTTP Response Splitting","created_at":"2014-09-27T13:39:17.000Z","updated_at":"2015-05-15T13:49:05.000Z","published_date":"2004-12-31T00:00:00.000Z","references":{"url":["http://www.securityfocus.com/bid/11348/"],"cve":["2004-1584"],"secunia":["12773"]},"vuln_type":"UNKNOWN","fixed_in":"1.2.1"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service (DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery 
(SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":7765,"title":"WordPress \u003c= 1.5.1.2 - XMLRPC Eval Injection ","created_at":"2015-01-23T13:27:24.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2005-06-29T00:00:00.000Z","references":{"url":["http://www.securityfocus.com/bid/14088/"],"cve":["2005-1921"]},"vuln_type":"RCE","fixed_in":null},{"id":7766,"title":"WordPress \u003c= 1.5.1.2 - Multiple Cross-Site Scripting (XSS)","created_at":"2015-01-23T13:31:23.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2005-06-30T00:00:00.000Z","references":{"cve":["2005-2107"],"secunia":["15831"]},"vuln_type":"XSS","fixed_in":null},{"id":7767,"title":"WordPress \u003c= 1.5.1.2 - Email Spoofing","created_at":"2015-01-23T13:46:50.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2005-05-07T00:00:00.000Z","references":{"cve":["2005-2109"],"secunia":["15831"]},"vuln_type":"BYPASS","fixed_in":null}]},"1.2.1":{"release_date":"2004-10-06","changelog_url":"https://codex.wordpress.org/Version_1.2.1","vulnerabilities":[{"id":7613,"title":"WordPress 1.2-1.2.1 - Multiple Cross-Site Scripting (XSS)","created_at":"2014-09-27T13:35:32.000Z","updated_at":"2015-05-15T13:49:05.000Z","published_date":"2004-12-31T00:00:00.000Z","references":{"url":["http://www.securityfocus.com/bid/11268/"],"cve":["2004-1559"],"secunia":["12683"]},"vuln_type":"XSS","fixed_in":"1.2.2"},{"id":7681,"title":"WordPress \u003c= 4.0 - Long Password Denial of Service 
(DoS)","created_at":"2014-11-20T20:02:12.000Z","updated_at":"2015-05-15T13:55:18.000Z","published_date":null,"references":{"url":["http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html","https://wordpress.org/news/2014/11/wordpress-4-0-1/"],"cve":["2014-9034"],"exploitdb":["35413","35414"],"metasploit":["auxiliary/dos/http/wordpress_long_password_dos"]},"vuln_type":"DOS","fixed_in":"4.0.1"},{"id":7696,"title":"WordPress \u003c= 4.0 - Server Side Request Forgery (SSRF)","created_at":"2014-11-30T19:02:31.000Z","updated_at":"2015-05-15T13:49:10.000Z","published_date":null,"references":{"url":["http://www.securityfocus.com/bid/71234/","https://core.trac.wordpress.org/changeset/30444"],"cve":["2014-9038"]},"vuln_type":"SSRF","fixed_in":"4.0.1"},{"id":7765,"title":"WordPress \u003c= 1.5.1.2 - XMLRPC Eval Injection ","created_at":"2015-01-23T13:27:24.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2005-06-29T00:00:00.000Z","references":{"url":["http://www.securityfocus.com/bid/14088/"],"cve":["2005-1921"]},"vuln_type":"RCE","fixed_in":null},{"id":7766,"title":"WordPress \u003c= 1.5.1.2 - Multiple Cross-Site Scripting (XSS)","created_at":"2015-01-23T13:31:23.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2005-06-30T00:00:00.000Z","references":{"cve":["2005-2107"],"secunia":["15831"]},"vuln_type":"XSS","fixed_in":null},{"id":7767,"title":"WordPress \u003c= 1.5.1.2 - Email Spoofing","created_at":"2015-01-23T13:46:50.000Z","updated_at":"2015-05-15T13:49:15.000Z","published_date":"2005-05-07T00:00:00.000Z","references":{"cve":["2005-2109"],"secunia":["15831"]},"vuln_type":"BYPASS","fixed_in":null}]},"0.70":{"release_date":"2003-05-27","changelog_url":"https://codex.wordpress.org/Version_0.70","vulnerabilities":[{"id":7815,"title":"WordPress 0.7 - SQL 
Injection","created_at":"2015-03-01T11:34:31.000Z","updated_at":"2015-05-15T13:49:19.000Z","published_date":"2003-06-02T00:00:00.000Z","references":{"url":["http://www.kernelpanik.org/docs/kernelpanik/wordpressadv.txt"],"cve":["2003-1598"]},"vuln_type":"SQLI","fixed_in":"0.72"}]},"4.1":{"release_date":"2014-12-17","changelog_url":"https://codex.wordpress.org/Version_4.1","vulnerabilities":[{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2015-08-05T10:05:27.000Z","published_date":"2015-04-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"vuln_type":"XSS","fixed_in":"4.1.2"},{"id":7933,"title":"WordPress 3.9-4.1.1 - Same-Origin Method Execution","created_at":"2015-04-22T17:06:43.000Z","updated_at":"2015-08-05T10:03:39.000Z","published_date":"2015-04-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","http://zoczus.blogspot.fr/2015/04/plupload-same-origin-method-execution.html"],"cve":["2015-3439"]},"vuln_type":"XSS","fixed_in":"4.1.2"},{"id":7979,"title":"WordPress 4.1-4.2.1 - Unauthenticated Genericons Cross-Site Scripting (XSS)","created_at":"2015-05-11T09:36:36.000Z","updated_at":"2017-06-12T10:17:05.000Z","published_date":"2015-05-05T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.2.2"]},"vuln_type":"XSS","fixed_in":"4.1.5"},{"id":8043,"title":"WordPress 4.1 - 4.1.1 - Arbitrary File Upload","created_at":"2015-06-11T07:50:28.000Z","updated_at":"2015-06-29T15:28:44.000Z","published_date":"2015-06-10T00:00:00.000Z","references":{"url":["http://www.openwall.com/lists/oss-security/2015/06/10/11","https://core.trac.wordpress.org/changeset/32172"]},"vuln_type":"UPLOAD","fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site 
Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.1.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"4.1.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.1.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.1.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.1.8"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.1.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 
4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta 
Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"4.1.1":{"release_date":"2015-02-18","changelog_url":"https://codex.wordpress.org/Version_4.1.1","vulnerabilities":[{"id":7929,"title":"WordPress \u003c= 4.1.1 - 
Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2015-08-05T10:05:27.000Z","published_date":"2015-04-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"vuln_type":"XSS","fixed_in":"4.1.2"},{"id":7933,"title":"WordPress 3.9-4.1.1 - Same-Origin Method Execution","created_at":"2015-04-22T17:06:43.000Z","updated_at":"2015-08-05T10:03:39.000Z","published_date":"2015-04-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","http://zoczus.blogspot.fr/2015/04/plupload-same-origin-method-execution.html"],"cve":["2015-3439"]},"vuln_type":"XSS","fixed_in":"4.1.2"},{"id":7945,"title":"WordPress \u003c= 4.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-27T06:51:01.000Z","updated_at":"2015-05-15T13:49:27.000Z","published_date":"2015-04-26T00:00:00.000Z","references":{"url":["http://klikki.fi/adv/wordpress2.html","http://packetstormsecurity.com/files/131644/"],"exploitdb":["36844"]},"vuln_type":"XSS","fixed_in":"4.2.1"},{"id":7979,"title":"WordPress 4.1-4.2.1 - Unauthenticated Genericons Cross-Site Scripting (XSS)","created_at":"2015-05-11T09:36:36.000Z","updated_at":"2017-06-12T10:17:05.000Z","published_date":"2015-05-05T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.2.2"]},"vuln_type":"XSS","fixed_in":"4.1.5"},{"id":8043,"title":"WordPress 4.1 - 4.1.1 - Arbitrary File Upload","created_at":"2015-06-11T07:50:28.000Z","updated_at":"2015-06-29T15:28:44.000Z","published_date":"2015-06-10T00:00:00.000Z","references":{"url":["http://www.openwall.com/lists/oss-security/2015/06/10/11","https://core.trac.wordpress.org/changeset/32172"]},"vuln_type":"UPLOAD","fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.1.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"4.1.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.1.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.1.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.1.8"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.1.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 
4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta 
Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"4.2":{"release_date":"2015-04-23","changelog_url":"https://codex.wordpress.org/Version_4.2","vulnerabilities":[{"id":7945,"title":"WordPress \u003c= 4.2 - Unauthenticated 
Stored Cross-Site Scripting (XSS)","created_at":"2015-04-27T06:51:01.000Z","updated_at":"2015-05-15T13:49:27.000Z","published_date":"2015-04-26T00:00:00.000Z","references":{"url":["http://klikki.fi/adv/wordpress2.html","http://packetstormsecurity.com/files/131644/"],"exploitdb":["36844"]},"vuln_type":"XSS","fixed_in":"4.2.1"},{"id":7979,"title":"WordPress 4.1-4.2.1 - Unauthenticated Genericons Cross-Site Scripting (XSS)","created_at":"2015-05-11T09:36:36.000Z","updated_at":"2017-06-12T10:17:05.000Z","published_date":"2015-05-05T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.2.2"]},"vuln_type":"XSS","fixed_in":"4.2.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"4.2.4"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.4"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"4.2.4"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"4.2.4"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"4.2.4"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.2.5"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.2.5"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.2.5"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.2.6"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.2.7"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open 
Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.2.7"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting 
(XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2016-05-11T19:18:04.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.2.8"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.2.9"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.9"},{"id":8520,"title":"WordPress 
2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.2.9"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control 
Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.2.16"}]},"3.9.3":{"release_date":"2014-11-20","changelog_url":"https://codex.wordpress.org/Version_3.9.3","vulnerabilities":[{"id":7945,"title":"WordPress \u003c= 4.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-27T06:51:01.000Z","updated_at":"2015-05-15T13:49:27.000Z","published_date":"2015-04-26T00:00:00.000Z","references":{"url":["http://klikki.fi/adv/wordpress2.html","http://packetstormsecurity.com/files/131644/"],"exploitdb":["36844"]},"vuln_type":"XSS","fixed_in":"4.2.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting 
(XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.9.7"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.9.8"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.8"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.9.9"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.9.9"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.9.9"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 
2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"4.1.2":{"release_date":"2015-04-21","changelog_url":"https://codex.wordpress.org/Version_4.1.2","vulnerabilities":[{"id":7945,"title":"WordPress \u003c= 4.2 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-27T06:51:01.000Z","updated_at":"2015-05-15T13:49:27.000Z","published_date":"2015-04-26T00:00:00.000Z","references":{"url":["http://klikki.fi/adv/wordpress2.html","http://packetstormsecurity.com/files/131644/"],"exploitdb":["36844"]},"vuln_type":"XSS","fixed_in":"4.2.1"},{"id":7979,"title":"WordPress 4.1-4.2.1 - Unauthenticated Genericons Cross-Site Scripting 
(XSS)","created_at":"2015-05-11T09:36:36.000Z","updated_at":"2017-06-12T10:17:05.000Z","published_date":"2015-05-05T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.2.2"]},"vuln_type":"XSS","fixed_in":"4.1.5"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.1.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"4.1.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.1.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.4.1.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission 
Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.1.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.1.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 
2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"4.2.1":{"release_date":"2015-04-27","changelog_url":"https://codex.wordpress.org/Version_4.2.1","vulnerabilities":[{"id":7979,"title":"WordPress 4.1-4.2.1 - Unauthenticated Genericons Cross-Site Scripting (XSS)","created_at":"2015-05-11T09:36:36.000Z","updated_at":"2017-06-12T10:17:05.000Z","published_date":"2015-05-05T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.2.2"]},"vuln_type":"XSS","fixed_in":"4.2.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"4.2.4"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.4"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"4.2.4"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"4.2.4"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"4.2.4"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.2.5"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.2.5"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.2.5"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.2.6"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.2.7"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.2.7"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2016-05-11T19:18:04.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.2.8"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.2.9"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.9"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.2.9"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC 
Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.2.16"}]},"4.0.1":{"release_date":"2014-11-20","changelog_url":"https://codex.wordpress.org/Version_4.0.1","vulnerabilities":[{"id":7933,"title":"WordPress 3.9-4.1.1 - Same-Origin Method 
Execution","created_at":"2015-04-22T17:06:43.000Z","updated_at":"2015-08-05T10:03:39.000Z","published_date":"2015-04-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","http://zoczus.blogspot.fr/2015/04/plupload-same-origin-method-execution.html"],"cve":["2015-3439"]},"vuln_type":"XSS","fixed_in":"4.1.2"},{"id":7929,"title":"WordPress \u003c= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-04-21T15:24:23.000Z","updated_at":"2015-08-05T10:05:27.000Z","published_date":"2015-04-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/04/wordpress-4-1-2/","https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/"],"cve":["2015-3438"]},"vuln_type":"XSS","fixed_in":"4.1.2"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.0.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"4.0.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - 
Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.0.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.0.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.0.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.0.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open 
Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"4.1.5":{"release_date":"2015-05-07","changelog_url":"https://codex.wordpress.org/Version_4.1.5","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated 
Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.1.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"4.1.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.1.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.1.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.1.8"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.1.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 
4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta 
Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"4.1.4":{"release_date":"2015-04-27","changelog_url":"https://codex.wordpress.org/Version_4.1.4","vulnerabilities":[{"id":7979,"title":"WordPress 4.1-4.2.1 - Unauthenticated 
Genericons Cross-Site Scripting (XSS)","created_at":"2015-05-11T09:36:36.000Z","updated_at":"2017-06-12T10:17:05.000Z","published_date":"2015-05-05T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.2.2"]},"vuln_type":"XSS","fixed_in":"4.1.5"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.1.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"4.1.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.1.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.1.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission 
Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.1.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.1.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 
2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"4.1.3":{"release_date":"2015-04-23","changelog_url":"https://codex.wordpress.org/Version_4.1.3","vulnerabilities":[{"id":7979,"title":"WordPress 4.1-4.2.1 - Unauthenticated Genericons Cross-Site Scripting (XSS)","created_at":"2015-05-11T09:36:36.000Z","updated_at":"2017-06-12T10:17:05.000Z","published_date":"2015-05-05T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.2.2"]},"vuln_type":"XSS","fixed_in":"4.1.5"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.1.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"4.1.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.1.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.1.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.1.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.1.9"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"3.8.4":{"release_date":"2014-08-06","changelog_url":"https://codex.wordpress.org/Version_3.8.4","vulnerabilities":[{"id":7691,"title":"WordPress \u003c= 4.0 - CSRF in 
wp-login.php Password Reset","created_at":"2014-11-25T22:57:27.000Z","updated_at":"2015-07-12T12:23:17.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/30418"],"cve":["2014-9033"]},"vuln_type":"CSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.8.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission 
Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.7.4":{"release_date":"2014-08-06","changelog_url":"https://codex.wordpress.org/Version_3.7.4","vulnerabilities":[{"id":7691,"title":"WordPress \u003c= 4.0 - CSRF in 
wp-login.php Password Reset","created_at":"2014-11-25T22:57:27.000Z","updated_at":"2015-07-12T12:23:17.000Z","published_date":null,"references":{"url":["https://core.trac.wordpress.org/changeset/30418"],"cve":["2014-9033"]},"vuln_type":"CSRF","fixed_in":"4.0.1"},{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.7.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission 
Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"4.2.3":{"release_date":"2015-07-23","changelog_url":"https://codex.wordpress.org/Version_4.2.3","vulnerabilities":[{"id":8126,"title":"WordPress \u003c= 4.2.3 - 
wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"4.2.4"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.4"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"4.2.4"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"4.2.4"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"4.2.4"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.2.5"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.2.5"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.2.5"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.2.6"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.2.7"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.2.7"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2016-05-11T19:18:04.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.2.8"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.2.9"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.9"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.2.9"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC 
Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.2.16"}]},"3.8.8":{"release_date":"2015-05-07","changelog_url":"https://codex.wordpress.org/Version_3.8.8","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.8.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open 
Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.8.5":{"release_date":"2014-11-20","changelog_url":"https://codex.wordpress.org/Version_3.8.5","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.8.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.8.6":{"release_date":"2015-04-21","changelog_url":"https://codex.wordpress.org/Version_3.8.6","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.8.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.8.7":{"release_date":"2015-04-23","changelog_url":"https://codex.wordpress.org/Version_3.8.7","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.8.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"0.71":{"release_date":"2003-06-09","changelog_url":"https://codex.wordpress.org/Version_0.71","vulnerabilities":[]},"0.711":{"release_date":"2003-06-25","changelog_url":"https://codex.wordpress.org/Version_0.711","vulnerabilities":[]},"0.72":{"release_date":"2003-10-11","changelog_url":"https://codex.wordpress.org/Version_0.72","vulnerabilities":[]},"1.0":{"release_date":"2004-01-03","changelog_url":"https://codex.wordpress.org/Version_1.0","vulnerabilities":[]},"1.0.1":{"release_date":"2004-01-25","changelog_url":"https://codex.wordpress.org/Version_1.0.1","vulnerabilities":[]},"1.0.2":{"release_date":"2004-03-11","changelog_url":"https://codex.wordpress.org/Version_1.0.2","vulnerabilities":
[]},"1.2.2":{"release_date":"2004-12-15","changelog_url":"https://codex.wordpress.org/Version_1.2.2","vulnerabilities":[]},"3.7.2":{"release_date":"2014-04-08","changelog_url":"https://codex.wordpress.org/Version_3.7.2","vulnerabilities":[{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"3.7.3":{"release_date":"2014-04-14","changelog_url":"https://codex.wordpress.org/Version_3.7.3","vulnerabilities":[{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"3.7.5":{"release_date":"2014-11-20","changelog_url":"https://codex.wordpress.org/Version_3.7.5","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.7.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"3.7.6":{"release_date":"2015-04-21","changelog_url":"https://codex.wordpress.org/Version_3.7.6","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.7.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"3.7.7":{"release_date":"2015-04-23","changelog_url":"https://codex.wordpress.org/Version_3.7.7","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.7.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"3.7.8":{"release_date":"2015-05-07","changelog_url":"https://codex.wordpress.org/Version_3.7.8","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.7.9"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"3.7.9":{"release_date":"2015-07-23","changelog_url":"https://codex.wordpress.org/Version_3.7.9","vulnerabilities":[{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.7.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"3.8.9":{"release_date":"2015-07-23","changelog_url":"https://codex.wordpress.org/Version_3.8.9","vulnerabilities":[{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.8.10"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.10"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.8.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.9.4":{"release_date":"2015-04-21","changelog_url":"https://codex.wordpress.org/Version_3.9.4","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.9.7"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.9.8"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.8"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.9.9"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.9.9"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.9.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"3.9.5":{"release_date":"2015-04-23","changelog_url":"https://codex.wordpress.org/index.php?title=Version_3.9.5\u0026action=edit\u0026redlink=1","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.9.7"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL 
Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.9.8"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.8"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.9.9"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.9.9"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.9.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"3.9.6":{"release_date":"2015-05-07","changelog_url":"https://codex.wordpress.org/Version_3.9.6","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"3.9.7"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.9.8"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.8"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.9.9"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.9.9"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.9.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"3.9.7":{"release_date":"2015-07-23","changelog_url":"https://codex.wordpress.org/Version_3.9.7","vulnerabilities":[{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"3.9.8"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel 
Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.8"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.9.8"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.9.9"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.9.9"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.9.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"4.0.2":{"release_date":"2015-04-21","changelog_url":"https://codex.wordpress.org/Version_4.0.2","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.0.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection 
","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"4.0.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.0.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.0.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.0.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.0.9"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"4.0.3":{"release_date":"2015-04-23","changelog_url":"https://codex.wordpress.org/Version_4.0.3","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated 
Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.0.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"4.0.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.0.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.0.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.0.8"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.0.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 
4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta 
Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"4.0.4":{"release_date":"2015-04-27","changelog_url":"https://codex.wordpress.org/Version_4.0.4","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated 
Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.0.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"4.0.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.0.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.0.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.0.8"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.0.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 
4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta 
Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"4.0.5":{"release_date":"2015-05-07","changelog_url":"https://codex.wordpress.org/Version_4.0.5","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated 
Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.0.6"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"4.0.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.0.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.0.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.0.8"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.0.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexadecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Plupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 
4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta 
Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"4.0.6":{"release_date":"2015-07-23","changelog_url":"https://codex.wordpress.org/Version_4.0.6","vulnerabilities":[{"id":8126,"title":"WordPress \u003c= 4.2.3 - 
wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"4.0.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"4.0.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.0.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.0.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.0.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.0.9"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"4.1.6":{"release_date":"2015-07-23","changelog_url":"https://codex.wordpress.org/Version_4.1.6","vulnerabilities":[{"id":8126,"title":"WordPress \u003c= 4.2.3 - 
wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"4.1.7"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.7"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"4.1.7"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.1.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.1.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.1.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.1.9"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"4.2.2":{"release_date":"2015-05-07","changelog_url":"https://codex.wordpress.org/Version_4.2.2","vulnerabilities":[{"id":8111,"title":"WordPress \u003c= 4.2.2 - Authenticated 
Stored Cross-Site Scripting (XSS)","created_at":"2015-07-23T18:55:36.000Z","updated_at":"2015-08-03T14:45:36.000Z","published_date":"2015-07-23T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/07/wordpress-4-2-3/","https://twitter.com/klikkioy/status/624264122570526720","https://klikki.fi/adv/wordpress3.html"],"cve":["2015-5622","2015-5623"]},"vuln_type":"XSS","fixed_in":"4.2.3"},{"id":8126,"title":"WordPress \u003c= 4.2.3 - wp_untrash_post_comments SQL Injection ","created_at":"2015-08-04T12:36:30.000Z","updated_at":"2015-08-04T21:58:40.000Z","published_date":"2015-08-04T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/70128fe7605cb963a46815cf91b0a5934f70eff5"],"cve":["2015-2213"]},"vuln_type":"SQLI","fixed_in":"4.2.4"},{"id":8130,"title":"WordPress \u003c= 4.2.3 - Timing Side Channel Attack","created_at":"2015-08-05T08:03:39.000Z","updated_at":"2015-08-05T08:16:33.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33536"],"cve":["2015-5730"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.4"},{"id":8131,"title":"WordPress \u003c= 4.2.3 - Widgets Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:18:48.000Z","updated_at":"2015-08-05T08:23:42.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33529"],"cve":["2015-5732"]},"vuln_type":"XSS","fixed_in":"4.2.4"},{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"4.2.4"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"4.2.4"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.2.5"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.2.5"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.2.5"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.2.6"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.2.7"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.2.7"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2016-05-11T19:18:04.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.2.8"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored 
XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.2.9"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.9"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.2.9"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored 
Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.2.16"}]},"4.2.4":{"release_date":"2015-08-04","changelog_url":"https://codex.wordpress.org/Version_4.2.4","vulnerabilities":[{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.2.5"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.2.5"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission 
Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.2.5"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.2.6"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.2.7"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.2.7"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2016-05-11T19:18:04.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.2.8"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.2.9"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.9"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.2.9"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored 
Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.2.16"}]},"4.1.7":{"release_date":"2015-08-04","changelog_url":"https://codex.wordpress.org/Version_4.1.7","vulnerabilities":[{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.1.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.1.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.1.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.1.9"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"4.0.7":{"release_date":"2015-08-04","changelog_url":"https://codex.wordpress.org/Version_4.0.7","vulnerabilities":[{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated 
Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.0.8"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.0.8"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.0.8"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting 
(XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.0.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 
4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta 
Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"3.9.8":{"release_date":"2015-08-04","changelog_url":"https://codex.wordpress.org/Version_3.9.8","vulnerabilities":[{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated 
Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.9.9"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.9.9"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.9.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting 
(XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 
2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"3.8.10":{"release_date":"2015-08-04","changelog_url":"https://codex.wordpress.org/Version_3.8.10","vulnerabilities":[{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.8.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.8.11"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.7.10":{"release_date":"2015-08-04","changelog_url":"https://codex.wordpress.org/Version_3.7.10","vulnerabilities":[{"id":8132,"title":"WordPress \u003c= 4.2.3 - Nav Menu Title Cross-Site Scripting (XSS)","created_at":"2015-08-05T08:25:42.000Z","updated_at":"2015-08-05T19:06:57.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33541"],"cve":["2015-5733"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8133,"title":"WordPress \u003c= 4.2.3 - Legacy Theme Preview Cross-Site Scripting 
(XSS)","created_at":"2015-08-05T08:31:47.000Z","updated_at":"2015-08-11T19:20:45.000Z","published_date":"2015-08-05T00:00:00.000Z","references":{"url":["https://core.trac.wordpress.org/changeset/33549","https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html"],"cve":["2015-5734"]},"vuln_type":"XSS","fixed_in":"3.7.10"},{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"3.7.11"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"3.7.11"},{"id":8358,"title":"WordPress 3.7-4.4 - 
Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 
2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"4.3":{"release_date":"2015-08-18","changelog_url":"https://codex.wordpress.org/Version_4.3","vulnerabilities":[{"id":8186,"title":"WordPress \u003c= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 
(XSS)","created_at":"2015-09-15T15:27:07.000Z","updated_at":"2015-09-21T12:58:32.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5714"]},"vuln_type":"XSS","fixed_in":"4.3.1"},{"id":8187,"title":"WordPress \u003c= 4.3 - User List Table Cross-Site Scripting (XSS)","created_at":"2015-09-15T15:30:07.000Z","updated_at":"2015-10-28T07:31:15.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"],"cve":["2015-7989"]},"vuln_type":"XSS","fixed_in":"4.3.1"},{"id":8188,"title":"WordPress \u003c= 4.3 - Publish Post \u0026 Mark as Sticky Permission Issue","created_at":"2015-09-15T15:33:45.000Z","updated_at":"2015-09-21T13:00:02.000Z","published_date":"2015-09-15T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2015/09/wordpress-4-3-1/","http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/","http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"],"cve":["2015-5715"]},"vuln_type":"BYPASS","fixed_in":"4.3.1"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.3.2"},{"id":8376,"title":"WordPress 
3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.3.3"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.3.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2016-05-11T19:18:04.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.3.4"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.3.5"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.3.5"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.3.6"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.3.6"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.3.7"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.3.7"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.3.7"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.7"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.3.7"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.7"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.3.8"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.3.8"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.3.8"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.3.9"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.3.9"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.3.9"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.3.9"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.3.12"}]},"4.3.1":{"release_date":"2015-09-15","changelog_url":"https://codex.wordpress.org/Version_4.3.1","vulnerabilities":[{"id":8358,"title":"WordPress 3.7-4.4 
- Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.3.2"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.3.2"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.3.3"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.3.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2016-05-11T19:18:04.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.3.4"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.3.5"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.3.5"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.3.6"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.3.6"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.3.7"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.3.7"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.3.7"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.7"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.3.7"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.7"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.3.8"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.3.8"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.3.8"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.3.9"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.3.9"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.3.9"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.3.9"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC 
Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.3.12"}]},"4.2.5":{"release_date":"2015-09-15","changelog_url":"https://codex.wordpress.org/Version_4.2.5","vulnerabilities":[{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.2.6"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.2.6"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.2.7"},{"id":8377,"title":"WordPress 
3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.2.7"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting 
(XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2016-05-11T19:18:04.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.2.8"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.2.9"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.9"},{"id":8520,"title":"WordPress 
2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.2.9"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control 
Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.2.16"}]},"4.1.8":{"release_date":"2015-09-15","changelog_url":"https://codex.wordpress.org/Version_4.1.8","vulnerabilities":[{"id":8358,"title":"WordPress 3.7-4.4 
- Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.1.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.1.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 
2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"4.0.8":{"release_date":"2015-09-15","changelog_url":"https://codex.wordpress.org/Version_4.0.8","vulnerabilities":[{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.0.9"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.0.9"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open 
Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"3.9.9":{"release_date":"2015-09-15","changelog_url":"https://codex.wordpress.org/Version_3.9.9","vulnerabilities":[{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated 
Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.9.10"},{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.9.10"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP 
addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"3.8.11":{"release_date":"2015-09-15","changelog_url":"https://codex.wordpress.org/Version_3.8.11","vulnerabilities":[{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated 
Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.8.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 
2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.7.11":{"release_date":"2015-09-15","changelog_url":"https://codex.wordpress.org/Version_3.7.11","vulnerabilities":[{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"3.7.12"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery 
(SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"4.4":{"release_date":"2015-12-08","changelog_url":"https://codex.wordpress.org/Version_4.4","vulnerabilities":[{"id":8358,"title":"WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)","created_at":"2016-01-06T20:22:45.000Z","updated_at":"2016-11-22T20:37:44.000Z","published_date":"2016-01-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"],"cve":["2016-1564"]},"vuln_type":"XSS","fixed_in":"4.4.1"},{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery 
(SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.4.2"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.4.2"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2016-05-11T19:18:04.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.4.3"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.4.4"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.4.4"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.4.4"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.4.5"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.4.5"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.4.6"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.4.6"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.4.6"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.4.6"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.4.6"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.4.6"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.4.7"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.4.7"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.4.7"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.4.8"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.4.8"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.4.8"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.4.8"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.4.11"}]},"3.7.12":{"release_date":"2016-01-06","changelog_url":"https://codex.wordpress.org/Version_3.7.12","vulnerabilities":[{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.7.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.7.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 
2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"3.8.12":{"release_date":"2016-01-06","changelog_url":"https://codex.wordpress.org/Version_3.8.12","vulnerabilities":[{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.8.13"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open 
Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.8.13"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.9.10":{"release_date":"2016-01-06","changelog_url":"https://codex.wordpress.org/Version_3.9.10","vulnerabilities":[{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"3.9.11"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open 
Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"3.9.11"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"4.0.9":{"release_date":"2016-01-06","changelog_url":"https://codex.wordpress.org/Version_4.0.9","vulnerabilities":[{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open 
Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.0.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"4.1.9":{"release_date":"2016-01-06","changelog_url":"https://codex.wordpress.org/Version_4.1.9","vulnerabilities":[{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server 
Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.1.10"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.1.10"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"4.2.6":{"release_date":"2016-01-06","changelog_url":"https://codex.wordpress.org/Version_4.2.6","vulnerabilities":[{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server 
Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.2.7"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.2.7"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2016-05-11T19:18:04.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.2.8"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.2.9"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.9"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.2.9"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC 
Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.2.16"}]},"4.3.2":{"release_date":"2016-01-06","changelog_url":"https://codex.wordpress.org/Version_4.3.2","vulnerabilities":[{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.3.3"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.3.3"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2016-05-11T19:18:04.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.3.4"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored 
XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.3.5"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.3.5"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.3.6"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.3.6"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.3.7"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.3.7"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.3.7"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.7"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.3.7"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.7"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.3.8"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.3.8"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.3.8"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.3.9"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.3.9"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.3.9"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.3.9"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC 
Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.3.12"}]},"4.4.1":{"release_date":"2016-01-06","changelog_url":"https://codex.wordpress.org/Version_4.4.1","vulnerabilities":[{"id":8376,"title":"WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)","created_at":"2016-02-02T19:38:13.000Z","updated_at":"2016-04-28T17:17:46.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36435","https://hackerone.com/reports/110801"],"cve":["2016-2222"]},"vuln_type":"SSRF","fixed_in":"4.4.2"},{"id":8377,"title":"WordPress 3.7-4.4.1 - Open Redirect","created_at":"2016-02-02T19:39:51.000Z","updated_at":"2016-02-05T20:06:48.000Z","published_date":"2016-02-02T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/36444"],"cve":["2016-2221"]},"vuln_type":"REDIRECT","fixed_in":"4.4.2"},{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2016-05-11T19:18:04.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.4.3"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored 
XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.4.4"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.4.4"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.4.4"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.4.5"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.4.5"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.4.6"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.4.6"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.4.6"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.4.6"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.4.6"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.4.6"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.4.7"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.4.7"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.4.7"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.4.8"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.4.8"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.4.8"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.4.8"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC 
Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in 
oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.4.11"}]},"4.4.2":{"release_date":"2016-02-02","changelog_url":"https://codex.wordpress.org/Version_4.4.2","vulnerabilities":[{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option 
CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2016-05-11T19:18:04.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.4.3"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.4.4"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.4.4"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.4.4"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.4.5"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.4.5"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.4.6"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.4.6"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.4.6"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.4.6"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.4.6"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.4.6"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.4.7"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.4.7"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.4.7"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.4.8"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.4.8"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.4.8"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.4.8"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.4.11"}]},"4.3.3":{"release_date":"2016-02-02","changelog_url":"https://codex.wordpress.org/Version_4.3.3","vulnerabilities":[{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting 
(XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2016-05-11T19:18:04.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.3.4"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.3.5"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.5"},{"id":8520,"title":"WordPress 
2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.3.5"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.3.6"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.3.6"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.3.7"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.3.7"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.3.7"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.7"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.3.7"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.7"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.3.8"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.3.8"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.3.8"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.3.9"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.3.9"},{"id":8768,"title":"WordPress 4.0-4.7.2 - 
Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.3.9"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.3.9"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.3.12"}]},"4.2.7":{"release_date":"2016-02-02","changelog_url":"https://codex.wordpress.org/Version_4.2.7","vulnerabilities":[{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2016-05-11T19:18:04.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.2.8"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored 
XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.2.9"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.9"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.2.9"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored 
Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.2.16"}]},"4.1.10":{"release_date":"2016-02-02","changelog_url":"https://codex.wordpress.org/Version_4.1.10","vulnerabilities":[{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.1.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 
4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta 
Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"4.0.10":{"release_date":"2016-02-02","changelog_url":"https://codex.wordpress.org/Version_4.0.10","vulnerabilities":[{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass 
using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.0.11"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 
2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"3.9.11":{"release_date":"2016-02-02","changelog_url":"https://codex.wordpress.org/Version_3.9.11","vulnerabilities":[{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.9.12"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"3.8.13":{"release_date":"2016-02-02","changelog_url":"https://codex.wordpress.org/Version_3.8.13","vulnerabilities":[{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.8.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 
2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.7.13":{"release_date":"2016-02-02","changelog_url":"https://codex.wordpress.org/Version_3.7.13","vulnerabilities":[{"id":8473,"title":"WordPress \u003c= 4.4.2 - SSRF Bypass using Octal \u0026 Hexedecimal IP addresses","created_at":"2016-04-28T16:55:34.000Z","updated_at":"2016-08-12T11:13:00.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049"],"cve":["2016-4029"]},"vuln_type":"SSRF","fixed_in":"4.5"},{"id":8474,"title":"WordPress \u003c= 4.4.2 - Reflected XSS in Network 
Settings","created_at":"2016-04-28T17:07:15.000Z","updated_at":"2016-08-12T11:13:34.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5","https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9"],"cve":["2016-6634"]},"vuln_type":"XSS","fixed_in":"4.5"},{"id":8475,"title":"WordPress \u003c= 4.4.2 - Script Compression Option CSRF","created_at":"2016-04-28T17:21:53.000Z","updated_at":"2016-08-12T11:14:05.000Z","published_date":"2016-04-12T00:00:00.000Z","references":{"url":["https://codex.wordpress.org/Version_4.5"],"cve":["2016-6635"]},"vuln_type":"CSRF","fixed_in":"4.5"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"3.7.14"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 
2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"4.5":{"release_date":"2016-04-12","changelog_url":"https://codex.wordpress.org/Version_4.5","vulnerabilities":[{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2016-05-11T19:18:04.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method 
Execution (SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.5.3"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.5.3"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via 
Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.5.4"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.5.4"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.7.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.5.5"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.5.5"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.5.5"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.5.5"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.5.5"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.5.6"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.5.6"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.5.6"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.5.7"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.5.7"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.5.7"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.5.7"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.5.9"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.5.9"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC 
Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.5.9"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.5.9"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.5.9"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.5.9"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in 
oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.5.10"}]},"4.5.1":{"release_date":"2016-04-26","changelog_url":"https://codex.wordpress.org/Version_4.5.1","vulnerabilities":[{"id":8488,"title":"WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)","created_at":"2016-05-06T19:26:47.000Z","updated_at":"2016-05-11T19:18:04.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/a493dc0ab5819c8b831173185f1334b7c3e02e36","https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c"],"cve":["2016-4567"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8489,"title":"WordPress \u003c= 4.5.1 - Pupload Same Origin Method Execution 
(SOME)","created_at":"2016-05-06T19:32:55.000Z","updated_at":"2016-06-02T10:12:19.000Z","published_date":"2016-05-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/05/wordpress-4-5-2/","https://github.com/WordPress/WordPress/commit/c33e975f46a18f5ad611cf7e7c24398948cecef8","https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e","http://avlidienbrunn.com/wp_some_loader.php"],"cve":["2016-4566"]},"vuln_type":"XSS","fixed_in":"4.5.2"},{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.5.3"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.5.3"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.5.4"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.5.4"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.5.5"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.5.5"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.5.5"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.5.5"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.5.5"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.5.5"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.5.6"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.5.6"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.5.6"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.5.7"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.5.7"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.5.7"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.5.7"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.5.9"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.5.9"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC 
Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.5.9"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.5.9"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.5.9"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.5.9"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in 
oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.5.10"}]},"3.7.14":{"release_date":"2016-05-06","changelog_url":"https://codex.wordpress.org/Version_3.7.14","vulnerabilities":[{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.15"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from 
Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.7.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 
2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"3.8.14":{"release_date":"2016-05-06","changelog_url":"https://codex.wordpress.org/Version_3.8.14","vulnerabilities":[{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.15"},{"id":8520,"title":"WordPress 
2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.8.15"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 
2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.9.12":{"release_date":"2016-05-06","changelog_url":"https://codex.wordpress.org/Version_3.9.12","vulnerabilities":[{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.13"},{"id":8520,"title":"WordPress 
2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"3.9.13"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 
2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"4.0.11":{"release_date":"2016-05-06","changelog_url":"https://codex.wordpress.org/Version_4.0.11","vulnerabilities":[{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.12"},{"id":8520,"title":"WordPress 
2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.0.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 
4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta 
Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"4.1.11":{"release_date":"2016-05-06","changelog_url":"https://codex.wordpress.org/Version_4.1.11","vulnerabilities":[{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated 
Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.12"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.1.12"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 
2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"4.2.8":{"release_date":"2016-05-06","changelog_url":"https://codex.wordpress.org/Version_4.2.8","vulnerabilities":[{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.2.9"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.9"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.2.9"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored 
Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.2.16"}]},"4.3.4":{"release_date":"2016-05-06","changelog_url":"https://codex.wordpress.org/Version_4.3.4","vulnerabilities":[{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.3.5"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.5"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.3.5"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.3.6"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.3.6"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.3.7"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.3.7"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.3.7"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.7"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.3.7"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.7"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.3.8"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.3.8"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.3.8"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.3.9"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.3.9"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.3.9"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.3.9"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.3.12"}]},"4.4.3":{"release_date":"2016-05-06","changelog_url":"https://codex.wordpress.org/Version_4.4.3","vulnerabilities":[{"id":8518,"title":"WordPress 
4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.4.4"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.4.4"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.4.4"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.4.5"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.4.5"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.4.6"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.4.6"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.4.6"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.4.6"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.4.6"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.4.6"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.4.7"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.4.7"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.4.7"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.4.8"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.4.8"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.4.8"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.4.8"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC 
Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in 
oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.4.11"}]},"4.5.2":{"release_date":"2016-05-06","changelog_url":"https://codex.wordpress.org/Version_4.5.2","vulnerabilities":[{"id":8518,"title":"WordPress 4.2-4.5.2 - Authenticated Attachment Name Stored XSS","created_at":"2016-06-21T20:23:21.000Z","updated_at":"2016-06-29T14:10:07.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648"],"cve":["2016-5833","2016-5834"]},"vuln_type":"XSS","fixed_in":"4.5.3"},{"id":8519,"title":"WordPress 3.6-4.5.2 - Authenticated Revision History Information 
Disclosure","created_at":"2016-06-21T20:32:27.000Z","updated_at":"2016-06-29T14:10:39.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1","https://www.wordfence.com/blog/2016/06/wordpress-core-vulnerability-bypass-password-protected-posts/"],"cve":["2016-5835"]},"vuln_type":"UNKNOWN","fixed_in":"4.5.3"},{"id":8520,"title":"WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post","created_at":"2016-06-21T20:43:58.000Z","updated_at":"2016-06-29T14:11:36.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/","https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c"],"cve":["2016-5837"]},"vuln_type":"BYPASS","fixed_in":"4.5.3"},{"id":8522,"title":"WordPress 4.5.2 - Redirect Bypass","created_at":"2016-06-22T18:43:41.000Z","updated_at":"2016-06-29T14:08:44.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/"],"cve":["2016-5832"]},"vuln_type":"REDIRECT","fixed_in":"4.5.3"},{"id":8523,"title":"WordPress 4.5.2 - oEmbed Denial of Service (DoS)","created_at":"2016-06-22T18:44:38.000Z","updated_at":"2016-06-29T14:11:03.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/"],"cve":["2016-5836"]},"vuln_type":"DOS","fixed_in":"4.5.3"},{"id":8524,"title":"WordPress 4.5.2 - Password Change via Stolen Cookie","created_at":"2016-06-22T18:45:24.000Z","updated_at":"2016-06-29T14:12:02.000Z","published_date":"2016-06-21T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/06/wordpress-4-5-3/"],"cve":["2016-5838"]},"vuln_type":"AUTHBYPASS","fixed_in":"4.5.3"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.5.4"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.5.4"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.5.5"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.5.5"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.5.5"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.5.5"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.5.5"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.5.5"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.5.6"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.5.6"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.5.6"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.5.7"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.5.7"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.5.7"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.5.7"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.5.9"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.5.9"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC 
Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.5.9"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.5.9"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.5.9"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.5.9"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in 
oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.5.10"}]},"4.5.3":{"release_date":"2016-06-21","changelog_url":"https://codex.wordpress.org/Version_4.5.3","vulnerabilities":[{"id":8606,"title":"WordPress 4.5.3 - Authenticated Denial of Service (DoS)","created_at":"2016-08-20T15:37:21.000Z","updated_at":"2016-08-29T08:05:20.000Z","published_date":"2016-08-20T00:00:00.000Z","references":{"url":["http://seclists.org/fulldisclosure/2016/Aug/98","https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html","https://core.trac.wordpress.org/ticket/37490"],"cve":["2016-6896","2016-6897"]},"vuln_type":"DOS","fixed_in":"4.6"},{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.5.4"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.5.4"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.5.5"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.5.5"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.5.5"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.5.5"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.5.5"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.5.5"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.5.6"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.5.6"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.5.6"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.5.7"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.5.7"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.5.7"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.5.7"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.5.9"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.5.9"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC 
Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.5.9"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.5.9"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.5.9"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.5.9"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in 
oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.5.10"}]},"3.7.15":{"release_date":"2016-06-21","changelog_url":"https://codex.wordpress.org/Version_3.7.15","vulnerabilities":[{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.7.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package 
Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.7.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery 
(CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 
2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"3.8.15":{"release_date":"2016-06-21","changelog_url":"https://codex.wordpress.org/Version_3.8.15","vulnerabilities":[{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated 
Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.8.16"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.8.16"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.9.13":{"release_date":"2016-06-21","changelog_url":"https://codex.wordpress.org/Version_3.9.13","vulnerabilities":[{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"3.9.14"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"3.9.14"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"4.0.12":{"release_date":"2016-06-21","changelog_url":"https://codex.wordpress.org/Version_4.0.12","vulnerabilities":[{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.0.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.0.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"4.1.12":{"release_date":"2016-06-21","changelog_url":"https://codex.wordpress.org/Version_4.1.12","vulnerabilities":[{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated 
Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.1.13"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.1.13"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"4.2.9":{"release_date":"2016-06-21","changelog_url":"https://codex.wordpress.org/Version_4.2.9","vulnerabilities":[{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored 
Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.2.10"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.2.10"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored 
Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.2.16"}]},"4.3.5":{"release_date":"2016-06-21","changelog_url":"https://codex.wordpress.org/Version_4.3.5","vulnerabilities":[{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.3.6"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.3.6"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.3.7"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.3.7"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.3.7"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.7"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.3.7"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.7"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.3.8"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.3.8"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.3.8"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.3.9"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.3.9"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.3.9"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.3.9"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC 
Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.3.12"}]},"4.4.4":{"release_date":"2016-06-21","changelog_url":"https://codex.wordpress.org/Version_4.4.4","vulnerabilities":[{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.4.5"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.4.5"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.4.6"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.4.6"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.4.6"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.4.6"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.4.6"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.4.6"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.4.7"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.4.7"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.4.7"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.4.8"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.4.8"},{"id":8768,"title":"WordPress 4.0-4.7.2 - 
Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.4.8"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.4.8"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.4.11"}]},"4.6":{"release_date":"2016-08-16","changelog_url":"https://codex.wordpress.org/Version_4.6","vulnerabilities":[{"id":8615,"title":"WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image 
Filename","created_at":"2016-09-08T07:50:24.000Z","updated_at":"2016-09-09T07:26:31.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0","https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html","http://seclists.org/fulldisclosure/2016/Sep/6"],"cve":["2016-7168"]},"vuln_type":"XSS","fixed_in":"4.6.1"},{"id":8616,"title":"WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader","created_at":"2016-09-08T08:02:21.000Z","updated_at":"2016-09-09T07:31:43.000Z","published_date":"2016-09-07T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e"],"cve":["2016-7169"]},"vuln_type":"LFI","fixed_in":"4.6.1"},{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.7.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in 
update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.6.2"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.6.2"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.6.2"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.6.2"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number 
Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.6.2"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.6.3"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.6.3"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.6.3"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.6.4"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.6.4"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.6.4"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.6.4"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.6.6"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.6.6"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC 
Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.6.6"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.6.6"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.6.6"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.6.6"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.6.7"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.6.7"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in 
oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.6.7"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.6.7"}]},"3.7.16":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_3.7.16","vulnerabilities":[{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name 
fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.7.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"3.8.16":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_3.8.16","vulnerabilities":[{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via 
Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.8.17"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.8.17"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.8.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.9.14":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_3.9.14","vulnerabilities":[{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via 
Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"3.9.15"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"3.9.15"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"3.9.15"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"4.0.13":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_4.0.13","vulnerabilities":[{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via 
Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.0.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.0.14"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.0.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"4.1.13":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_4.1.13","vulnerabilities":[{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated 
Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.1.14"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.1.14"},{"id":8721,"title":"WordPress 3.0-4.7 - 
Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.1.14"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper 
Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"4.2.10":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_4.2.10","vulnerabilities":[{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.2.11"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.2.11"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.2.11"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.2.16"}]},"4.3.6":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_4.3.6","vulnerabilities":[{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.3.7"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.3.7"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.3.7"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.7"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.3.7"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.3.7"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.3.8"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.3.8"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.3.8"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.3.9"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.3.9"},{"id":8768,"title":"WordPress 4.0-4.7.2 - 
Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.3.9"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.3.9"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.3.12"}]},"4.4.5":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_4.4.5","vulnerabilities":[{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.4.6"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.4.6"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.4.6"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.4.6"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.4.6"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.4.6"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.4.7"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.4.7"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.4.7"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.4.8"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.4.8"},{"id":8768,"title":"WordPress 4.0-4.7.2 - 
Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.4.8"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.4.8"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.4.11"}]},"4.5.4":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_4.5.4","vulnerabilities":[{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.5.5"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.5.5"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.5.5"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.5.5"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.5.5"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.5.5"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.5.6"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.5.6"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.5.6"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.5.7"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.5.7"},{"id":8768,"title":"WordPress 4.0-4.7.2 - 
Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.5.7"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.5.7"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.5.9"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.5.9"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.5.9"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.5.9"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.5.9"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.5.9"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.5.10"}]},"4.6.1":{"release_date":"2016-09-07","changelog_url":"https://codex.wordpress.org/Version_4.6.1","vulnerabilities":[{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.6.2"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.6.2"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.6.2"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by 
Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.6.2"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.6.2"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.6.2"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.6.3"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.6.3"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.6.3"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.6.4"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.6.4"},{"id":8768,"title":"WordPress 4.0-4.7.2 - 
Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.6.4"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.6.4"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.6.6"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.6.6"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.6.6"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.6.6"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.6.6"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.6.6"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.6.7"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.6.7"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.6.7"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.6.7"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.6.7"}]},"4.7":{"release_date":"2016-12-06","changelog_url":"https://codex.wordpress.org/Version_4.7","vulnerabilities":[{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.7.1"},{"id":8715,"title":"WordPress 4.7 - User Information Disclosure via REST API","created_at":"2017-01-12T08:45:07.000Z","updated_at":"2017-01-16T08:44:00.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/wordfence-blocks-username-harvesting-via-new-rest-api-wp-4-7/","https://github.com/WordPress/WordPress/commit/daf358983cc1ce0c77bf6d2de2ebbb43df2add60","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5487"]},"vuln_type":"BYPASS","fixed_in":"4.7.1"},{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8717,"title":"WordPress \u003c= 4.7 - Cross-Site Request Forgery (CSRF) via Flash 
Upload","created_at":"2017-01-12T09:02:41.000Z","updated_at":"2017-06-22T09:49:21.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5489"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8718,"title":"WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback","created_at":"2017-01-12T09:13:08.000Z","updated_at":"2017-01-19T15:16:57.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.mehmetince.net/low-severity-wordpress/","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359"],"cve":["2017-5490"]},"vuln_type":"XSS","fixed_in":"4.7.1"},{"id":8719,"title":"WordPress \u003c= 4.7 - Post via Email Checks mail.example.com by Default","created_at":"2017-01-12T09:22:16.000Z","updated_at":"2017-01-19T15:25:03.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5491"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8720,"title":"WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)","created_at":"2017-01-12T09:28:43.000Z","updated_at":"2017-01-19T15:30:20.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5492"]},"vuln_type":"CSRF","fixed_in":"4.7.1"},{"id":8721,"title":"WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator 
(PRNG)","created_at":"2017-01-12T09:35:40.000Z","updated_at":"2017-01-19T15:35:33.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5493"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.1"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.7.2"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.7.2"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.7.2"},{"id":8734,"title":"WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST 
API","created_at":"2017-02-01T16:15:01.000Z","updated_at":"2017-02-10T22:22:03.000Z","published_date":"2017-02-01T00:00:00.000Z","references":{"url":["https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html","https://blogs.akamai.com/2017/02/wordpress-web-api-vulnerability.html","https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab","https://github.com/WordPress/WordPress/commit/e357195ce303017d517aff944644a7a1232926f7"],"metasploit":["auxiliary/scanner/http/wordpress_content_injection"]},"vuln_type":"BYPASS","fixed_in":"4.7.2"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.7.3"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8767,"title":"WordPress 4.7.0-4.7.2 - Authenticated Unintended File Deletion in Plugin 
Delete","created_at":"2017-03-07T08:54:07.000Z","updated_at":"2017-03-15T09:41:27.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663"],"cve":["2017-6816"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.3"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.7.3"},{"id":8769,"title":"WordPress 4.7-4.7.2 - Cross-Site Scripting (XSS) via Taxonomy Term Names","created_at":"2017-03-07T09:30:32.000Z","updated_at":"2017-03-15T09:43:06.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9"],"cve":["2017-6818"]},"vuln_type":"XSS","fixed_in":"4.7.3"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC 
Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.7.6"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.7.6"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.7.6"},{"id":8912,"title":"WordPress 4.4-4.8.1 - Path Traversal in Customizer 
","created_at":"2017-09-25T10:08:18.000Z","updated_at":"2017-09-26T11:48:53.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41397"],"cve":["2017-14722"]},"vuln_type":"LFI","fixed_in":"4.7.6"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.7.6"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.7.6"}]},"3.7.17":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_3.7.17","vulnerabilities":[{"id":8716,"title":"WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php","created_at":"2017-01-12T08:55:00.000Z","updated_at":"2017-01-16T09:01:41.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/"],"cve":["2017-5488"]},"vuln_type":"XSS","fixed_in":"3.7.17"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.7.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"3.8.17":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_3.8.17","vulnerabilities":[{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.8.18"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.9.15":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_3.9.15","vulnerabilities":[{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"3.9.16"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"4.0.14":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_4.0.14","vulnerabilities":[{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.0.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"4.1.14":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_4.1.14","vulnerabilities":[{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.1.15"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"4.2.11":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_4.2.11","vulnerabilities":[{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.2.12"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL 
Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.2.12"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.2.16"}]},"4.3.7":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_4.3.7","vulnerabilities":[{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.3.7"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.3.8"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.3.8"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list 
table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.3.8"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.3.9"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.3.9"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.3.9"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.3.9"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.3.12"}]},"4.4.6":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_4.4.6","vulnerabilities":[{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.4.6"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.4.7"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.4.7"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list 
table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.4.7"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.4.8"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.4.8"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.4.8"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.4.8"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.4.11"}]},"4.5.5":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_4.5.5","vulnerabilities":[{"id":8714,"title":"WordPress 4.3-4.7 - Remote Code Execution (RCE) in 
PHPMailer","created_at":"2017-01-12T08:39:27.000Z","updated_at":"2017-05-17T13:02:42.000Z","published_date":"2017-01-11T00:00:00.000Z","references":{"url":["https://www.wordfence.com/blog/2016/12/phpmailer-vulnerability/","https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities","https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/24767c76d359231642b0ab48437b64e8c6c7f491","http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html"],"metasploit":["exploit/unix/webapp/wp_phpmailer_host_header"]},"vuln_type":"RCE","fixed_in":"4.5.5"},{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.5.6"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.5.6"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list 
table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.5.6"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.5.7"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.5.7"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.5.7"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.5.7"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.5.9"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.5.9"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.5.9"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.5.9"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.5.9"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.5.9"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.5.10"}]},"4.7.1":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_4.7.1","vulnerabilities":[{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised 
Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.7.2"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.7.2"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.7.2"},{"id":8734,"title":"WordPress 4.7.0-4.7.1 - Unauthenticated Page/Post Content Modification via REST API","created_at":"2017-02-01T16:15:01.000Z","updated_at":"2017-02-10T22:22:03.000Z","published_date":"2017-02-01T00:00:00.000Z","references":{"url":["https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html","https://blogs.akamai.com/2017/02/wordpress-web-api-vulnerability.html","https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab","https://github.com/WordPress/WordPress/commit/e357195ce303017d517aff944644a7a1232926f7"],"metasploit":["auxiliary/scanner/http/wordpress_content_injection"]},"vuln_type":"BYPASS","fixed_in":"4.7.2"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - 
Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.7.3"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8767,"title":"WordPress 4.7.0-4.7.2 - Authenticated Unintended File Deletion in Plugin Delete","created_at":"2017-03-07T08:54:07.000Z","updated_at":"2017-03-15T09:41:27.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663"],"cve":["2017-6816"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.3"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.7.3"},{"id":8769,"title":"WordPress 4.7-4.7.2 - Cross-Site Scripting (XSS) via Taxonomy Term Names","created_at":"2017-03-07T09:30:32.000Z","updated_at":"2017-03-15T09:43:06.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9"],"cve":["2017-6818"]},"vuln_type":"XSS","fixed_in":"4.7.3"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.7.6"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.7.6"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.7.6"},{"id":8912,"title":"WordPress 4.4-4.8.1 - Path Traversal in Customizer ","created_at":"2017-09-25T10:08:18.000Z","updated_at":"2017-09-26T11:48:53.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41397"],"cve":["2017-14722"]},"vuln_type":"LFI","fixed_in":"4.7.6"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in 
oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.7.6"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.7.6"}]},"4.6.2":{"release_date":"2017-01-11","changelog_url":"https://codex.wordpress.org/Version_4.6.2","vulnerabilities":[{"id":8729,"title":"WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users","created_at":"2017-01-26T19:47:36.000Z","updated_at":"2017-01-30T08:05:35.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454"],"cve":["2017-5610"]},"vuln_type":"BYPASS","fixed_in":"4.6.3"},{"id":8730,"title":"WordPress 3.5-4.7.1 - WP_Query SQL Injection","created_at":"2017-01-26T19:55:49.000Z","updated_at":"2017-01-30T08:10:34.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb"],"cve":["2017-5611"]},"vuln_type":"SQLI","fixed_in":"4.6.3"},{"id":8731,"title":"WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list 
table","created_at":"2017-01-26T20:03:21.000Z","updated_at":"2017-01-30T08:03:48.000Z","published_date":"2017-01-26T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/","https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849"],"cve":["2017-5612"]},"vuln_type":"XSS","fixed_in":"4.6.3"},{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.6.4"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.6.4"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.6.4"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.6.4"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.6.6"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.6.6"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.6.6"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.6.6"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.6.6"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.6.6"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.6.7"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.6.7"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.6.7"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.6.7"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.6.7"}]},"3.7.18":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_3.7.18","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.7.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.7.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"3.8.18":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_3.8.18","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.8.19"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.8.19"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.9.16":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_3.9.16","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated 
Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"3.9.17"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"3.9.17"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"4.0.15":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_4.0.15","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.0.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.0.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper 
Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"4.1.15":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_4.1.15","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.1.16"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.1.16"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"4.2.12":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_4.2.12","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated 
Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.2.13"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.2.13"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.2.13"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC 
Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.2.16"}]},"4.3.8":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_4.3.8","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.3.9"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.3.9"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.3.9"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.3.9"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.3.12"}]},"4.4.7":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_4.4.7","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.4.8"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.4.8"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.4.8"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF 
DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.4.8"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC 
Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in 
oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.4.11"}]},"4.5.6":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_4.5.6","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.5.7"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL 
Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.5.7"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.5.7"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.5.7"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.5.9"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.5.9"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.5.9"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.5.9"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.5.9"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.5.9"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.5.10"}]},"4.6.3":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_4.6.3","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.6.4"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.6.4"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.6.4"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.6.4"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.6.6"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.6.6"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.6.6"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.6.6"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.6.6"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.6.6"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.6.7"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.6.7"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.6.7"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.6.7"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.6.7"}]},"4.7.2":{"release_date":"2017-01-26","changelog_url":"https://codex.wordpress.org/Version_4.7.2","vulnerabilities":[{"id":8765,"title":"WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File 
Metadata","created_at":"2017-03-07T08:42:48.000Z","updated_at":"2017-03-15T09:40:32.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7","https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html","http://seclists.org/oss-sec/2017/q1/563"],"cve":["2017-6814"]},"vuln_type":"XSS","fixed_in":"4.7.3"},{"id":8766,"title":"WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation","created_at":"2017-03-07T08:47:17.000Z","updated_at":"2017-03-15T09:41:07.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e"],"cve":["2017-6815"]},"vuln_type":"BYPASS","fixed_in":"4.7.3"},{"id":8767,"title":"WordPress 4.7.0-4.7.2 - Authenticated Unintended File Deletion in Plugin Delete","created_at":"2017-03-07T08:54:07.000Z","updated_at":"2017-03-15T09:41:27.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663"],"cve":["2017-6816"]},"vuln_type":"UNKNOWN","fixed_in":"4.7.3"},{"id":8768,"title":"WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL 
Embeds","created_at":"2017-03-07T08:56:50.000Z","updated_at":"2017-03-15T09:42:41.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8","https://blog.sucuri.net/2017/03/stored-xss-in-wordpress-core.html"],"cve":["2017-6817"]},"vuln_type":"XSS","fixed_in":"4.7.3"},{"id":8769,"title":"WordPress 4.7-4.7.2 - Cross-Site Scripting (XSS) via Taxonomy Term Names","created_at":"2017-03-07T09:30:32.000Z","updated_at":"2017-03-15T09:43:06.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9"],"cve":["2017-6818"]},"vuln_type":"XSS","fixed_in":"4.7.3"},{"id":8770,"title":"WordPress 4.2-4.7.2 - Press This CSRF DoS","created_at":"2017-03-07T09:36:00.000Z","updated_at":"2017-03-15T09:43:28.000Z","published_date":"2017-03-06T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html","http://seclists.org/oss-sec/2017/q1/562"],"cve":["2017-6819"]},"vuln_type":"CSRF","fixed_in":"4.7.3"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.7.6"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.7.6"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.7.6"},{"id":8912,"title":"WordPress 4.4-4.8.1 - Path Traversal in Customizer ","created_at":"2017-09-25T10:08:18.000Z","updated_at":"2017-09-26T11:48:53.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41397"],"cve":["2017-14722"]},"vuln_type":"LFI","fixed_in":"4.7.6"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in 
oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.7.6"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.7.6"}]},"3.7.19":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_3.7.19","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"3.8.19":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_3.8.19","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.9.17":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_3.9.17","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"4.0.16":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_4.0.16","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header 
Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"4.1.16":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_4.1.16","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient 
Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"4.2.13":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_4.2.13","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.2.16"}]},"4.3.9":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_4.3.9","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.3.12"}]},"4.4.8":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_4.4.8","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 
2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.4.11"}]},"4.5.7":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_4.5.7","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.5.9"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.5.9"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.5.9"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.5.9"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.5.9"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.5.9"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.5.10"}]},"4.6.4":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_4.6.4","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.6.6"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.6.6"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.6.6"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.6.6"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.6.6"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.6.6"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.6.7"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.6.7"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.6.7"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.6.7"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.6.7"}]},"4.7.3":{"release_date":"2017-03-06","changelog_url":"https://codex.wordpress.org/Version_4.7.3","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 
2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.7.6"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.7.6"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.7.6"},{"id":8912,"title":"WordPress 4.4-4.8.1 - Path Traversal in Customizer ","created_at":"2017-09-25T10:08:18.000Z","updated_at":"2017-09-26T11:48:53.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41397"],"cve":["2017-14722"]},"vuln_type":"LFI","fixed_in":"4.7.6"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.7.6"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.7.6"}]},"3.7.20":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_3.7.20","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.7.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.7.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.7.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.7.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"3.8.20":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_3.8.20","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.8.21"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.8.21"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.8.21"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.8.21"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.9.18":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_3.9.18","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header 
Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"3.9.19"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"3.9.19"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"3.9.19"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"3.9.19"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"4.0.17":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_4.0.17","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient 
Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.0.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.0.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.0.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.0.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"4.1.17":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_4.1.17","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.1.18"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.1.18"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.1.18"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.1.18"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"4.2.14":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_4.2.14","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.2.15"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks 
","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.2.15"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.2.15"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.2.15"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL 
Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.2.16"}]},"4.3.10":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_4.3.10","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.3.11"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.3.11"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.3.11"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.3.11"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.3.12"}]},"4.4.9":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_4.4.9","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect 
Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.4.10"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.4.10"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.4.10"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.4.10"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.4.11"}]},"4.5.8":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_4.5.8","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.5.9"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.5.9"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.5.9"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog 
CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.5.9"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.5.9"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.5.9"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.5.10"}]},"4.6.5":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_4.6.5","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.6.6"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in 
XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.6.6"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.6.6"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.6.6"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.6.6"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 
CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.6.6"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.6.7"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.6.7"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.6.7"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.6.7"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.6.7"}]},"4.7.4":{"release_date":"2017-04-20","changelog_url":"https://codex.wordpress.org/Version_4.7.4","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8815,"title":"WordPress 
2.7.0-4.7.4 - Insufficient Redirect Validation","created_at":"2017-05-17T07:01:17.000Z","updated_at":"2017-05-19T10:35:46.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11","https://wordpress.org/news/2017/05/wordpress-4-7-5/"],"cve":["2017-9066"]},"vuln_type":"REDIRECT","fixed_in":"4.7.5"},{"id":8816,"title":"WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC","created_at":"2017-05-17T07:07:44.000Z","updated_at":"2017-05-19T10:36:33.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381"],"cve":["2017-9062"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8817,"title":"WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks ","created_at":"2017-05-17T07:14:10.000Z","updated_at":"2017-05-19T10:35:13.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4"],"cve":["2017-9065"]},"vuln_type":"BYPASS","fixed_in":"4.7.5"},{"id":8818,"title":"WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF","created_at":"2017-05-17T07:20:32.000Z","updated_at":"2017-05-22T09:00:51.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67","https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html"],"cve":["2017-9064"]},"vuln_type":"CSRF","fixed_in":"4.7.5"},{"id":8819,"title":"WordPress 3.3-4.7.4 - Large File Upload Error 
XSS","created_at":"2017-05-17T07:36:14.000Z","updated_at":"2017-07-24T07:11:35.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6","https://hackerone.com/reports/203515","https://hackerone.com/reports/203515"],"cve":["2017-9061"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8820,"title":"WordPress 3.4.0-4.7.4 - Customizer XSS \u0026 CSRF","created_at":"2017-05-17T07:44:24.000Z","updated_at":"2017-05-19T10:33:40.000Z","published_date":"2017-05-16T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/05/wordpress-4-7-5/","https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3"],"cve":["2017-9063"]},"vuln_type":"XSS","fixed_in":"4.7.5"},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.7.6"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.7.6"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.7.6"},{"id":8912,"title":"WordPress 4.4-4.8.1 - Path Traversal in Customizer ","created_at":"2017-09-25T10:08:18.000Z","updated_at":"2017-09-26T11:48:53.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41397"],"cve":["2017-14722"]},"vuln_type":"LFI","fixed_in":"4.7.6"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.7.6"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.7.6"}]},"4.7.5":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_4.7.5","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.7.6"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.7.6"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.7.6"},{"id":8912,"title":"WordPress 4.4-4.8.1 - Path Traversal in Customizer ","created_at":"2017-09-25T10:08:18.000Z","updated_at":"2017-09-26T11:48:53.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41397"],"cve":["2017-14722"]},"vuln_type":"LFI","fixed_in":"4.7.6"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.7.6"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.7.6"}]},"3.7.21":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_3.7.21","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.7.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.7.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.7.22"}]},"3.8.21":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_3.8.21","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - 
$wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.8.22"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.8.22"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.8.22"}]},"3.9.19":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_3.9.19","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"3.9.20"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"3.9.20"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"3.9.20"}]},"4.0.18":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_4.0.18","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - 
$wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.0.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.0.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.0.19"}]},"4.1.18":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_4.1.18","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.1.19"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.1.19"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.1.19"}]},"4.2.15":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_4.2.15","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - 
$wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.2.16"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.2.16"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.2.16"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual 
Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.2.16"}]},"4.3.11":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_4.3.11","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.3.12"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL 
injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.3.12"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.3.12"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.3.12"}]},"4.4.10":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_4.4.10","vulnerabilities":[{"id":8807,"title":"WordPress 
2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.4.11"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open 
Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.4.11"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.4.11"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.4.11"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.4.11"}]},"4.5.9":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_4.5.9","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.5.10"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.5.10"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in 
Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.5.10"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.5.10"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.5.10"}]},"4.6.6":{"release_date":"2017-05-16","changelog_url":"https://codex.wordpress.org/Version_4.6.6","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8905,"title":"WordPress 
2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.6.7"},{"id":8906,"title":"WordPress 2.3.0-4.7.4 - Authenticated SQL injection","created_at":"2017-09-20T08:01:47.000Z","updated_at":"2017-09-20T08:06:52.000Z","published_date":"2017-08-24T00:00:00.000Z","references":{"url":["https://medium.com/websec/wordpress-sqli-bbb2afcc8e94","https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://wpvulndb.com/vulnerabilities/8905"]},"vuln_type":"SQLI","fixed_in":"4.7.5"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.6.7"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.6.7"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in 
oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.6.7"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.6.7"}]},"4.8":{"release_date":"2017-06-08","changelog_url":"https://codex.wordpress.org/Version_4.8","vulnerabilities":[{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 
- Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"},{"id":8912,"title":"WordPress 4.4-4.8.1 - Path Traversal in Customizer ","created_at":"2017-09-25T10:08:18.000Z","updated_at":"2017-09-26T11:48:53.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41397"],"cve":["2017-14722"]},"vuln_type":"LFI","fixed_in":"4.8.2"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.8.2"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.8.2"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null}]},"4.8.1":{"release_date":"2017-08-02","changelog_url":"https://codex.wordpress.org/Version_4.8.1","vulnerabilities":[{"id":8905,"title":"WordPress 2.3.0-4.8.1 - $wpdb-\u003eprepare() potential SQL Injection","created_at":"2017-09-20T07:47:44.000Z","updated_at":"2017-09-28T09:51:43.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48","https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec"]},"vuln_type":"SQLI","fixed_in":"4.8.2"},{"id":8910,"title":"WordPress 2.9.2-4.8.1 - Open Redirect","created_at":"2017-09-25T09:41:31.000Z","updated_at":"2017-09-28T12:17:17.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41398"],"cve":["2017-14725"]},"vuln_type":"REDIRECT","fixed_in":"4.8.2"},{"id":8911,"title":"WordPress 3.0-4.8.1 - Path Traversal in Unzipping","created_at":"2017-09-25T09:50:50.000Z","updated_at":"2017-09-28T12:32:12.000Z","published_date":"2017-09-20T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41457"],"cve":["2017-14719"]},"vuln_type":"LFI","fixed_in":"4.8.2"},{"id":8912,"title":"WordPress 4.4-4.8.1 - Path Traversal in 
Customizer ","created_at":"2017-09-25T10:08:18.000Z","updated_at":"2017-09-26T11:48:53.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41397"],"cve":["2017-14722"]},"vuln_type":"LFI","fixed_in":"4.8.2"},{"id":8913,"title":"WordPress 4.4-4.8.1 - Cross-Site Scripting (XSS) in oEmbed","created_at":"2017-09-25T10:27:43.000Z","updated_at":"2017-09-28T12:36:14.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41448"],"cve":["2017-14724"]},"vuln_type":"XSS","fixed_in":"4.8.2"},{"id":8914,"title":"WordPress 4.2.3-4.8.1 - Authenticated Cross-Site Scripting (XSS) in Visual Editor","created_at":"2017-09-27T09:08:23.000Z","updated_at":"2017-09-28T12:41:11.000Z","published_date":"2017-09-19T00:00:00.000Z","references":{"url":["https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/","https://core.trac.wordpress.org/changeset/41395","https://blog.sucuri.net/2017/09/stored-cross-site-scripting-vulnerability-in-wordpress-4-8-1.html"],"cve":["2017-14726"]},"vuln_type":"XSS","fixed_in":"4.8.2"},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null}]},"3.7.22":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/index.php?title=Version_3.7.22\u0026action=edit\u0026redlink=1","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null}]},"3.8.22":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/index.php?title=Version_3.8.22\u0026action=edit\u0026redlink=1","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null}]},"3.9.20":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/index.php?title=Version_3.9.20\u0026action=edit\u0026redlink=1","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null}]},"4.0.19":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/index.php?title=Version_4.0.19\u0026action=edit\u0026redlink=1","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null}]},"4.1.19":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/index.php?title=Version_4.1.19\u0026action=edit\u0026redlink=1","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null}]},"4.2.16":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/index.php?title=Version_4.2.16\u0026action=edit\u0026redlink=1","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null}]},"4.3.12":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/index.php?title=Version_4.3.12\u0026action=edit\u0026redlink=1","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null}]},"4.4.11":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/index.php?title=Version_4.4.11\u0026action=edit\u0026redlink=1","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null}]},"4.5.10":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/index.php?title=Version_4.5.10\u0026action=edit\u0026redlink=1","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null}]},"4.6.7":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/index.php?title=Version_4.6.7\u0026action=edit\u0026redlink=1","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null}]},"4.7.6":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/index.php?title=Version_4.7.6\u0026action=edit\u0026redlink=1","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null},{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null}]},"4.8.2":{"release_date":"2017-09-19","changelog_url":"https://codex.wordpress.org/Version_4.8.2","vulnerabilities":[{"id":8807,"title":"WordPress 2.3-4.8.2 - Host Header Injection in Password 
Reset","created_at":"2017-05-05T09:47:44.000Z","updated_at":"2017-09-30T08:47:03.000Z","published_date":"2017-05-03T00:00:00.000Z","references":{"url":["https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html","http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html","https://core.trac.wordpress.org/ticket/25239"],"cve":["2017-8295"]},"vuln_type":"UNKNOWN","fixed_in":null}]}}